Merge cherrypicks of [4647037, 4647038, 4647883, 4647039, 4647933, 4648530, 4648550, 4648551, 4648552, 4648553, 4646931, 4646932, 4646933, 4646934, 4648391, 4647976, 4647977, 4647978, 4647526, 4646972, 4646935, 4646936, 4646937, 4646938, 4646939, 4646940, 4646941, 4648392, 4647509, 4648630, 4648631, 4647934] into pi-release-2
Change-Id: Ie9af417f395cb8df161ca5dbd7e530a0f4514547
diff --git a/prebuilts/api/28.0/private/crash_dump.te b/prebuilts/api/28.0/private/crash_dump.te
index fb73f08..c3d2ed5 100644
--- a/prebuilts/api/28.0/private/crash_dump.te
+++ b/prebuilts/api/28.0/private/crash_dump.te
@@ -1 +1,14 @@
typeattribute crash_dump coredomain;
+
+allow crash_dump {
+ domain
+ -bpfloader
+ -crash_dump
+ -init
+ -kernel
+ -keystore
+ -logd
+ -ueventd
+ -vendor_init
+ -vold
+}:process { ptrace signal sigchld sigstop sigkill };
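Review bot: The widened exclusion list in the new `allow crash_dump { domain -bpfloader … -vold }:process { ptrace signal sigchld sigstop sigkill };` rule is not backed by a neverallow in this hunk. A subtraction inside an allow rule only limits that one rule, so nothing visible here stops a later or device-specific rule from granting crash_dump ptrace on the excluded domains again. If no matching assertion exists elsewhere in the policy, add one beside the rule so the restriction fails the policy build when violated, for example `neverallow crash_dump { bpfloader init kernel keystore logd ueventd vendor_init vold }:process ptrace;`. A one-line comment above the rule would also record the intent, for example `# crash_dump may trace and signal every domain except the ones subtracted below.`. The same applies to the identical hunk in private/crash_dump.te, and the two copies need to stay in step.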
diff --git a/prebuilts/api/28.0/public/crash_dump.te b/prebuilts/api/28.0/public/crash_dump.te
index f778d28..cd1e5a8 100644
--- a/prebuilts/api/28.0/public/crash_dump.te
+++ b/prebuilts/api/28.0/public/crash_dump.te
@@ -1,14 +1,6 @@
type crash_dump, domain;
type crash_dump_exec, exec_type, file_type;
-allow crash_dump {
- domain
- -init
- -crash_dump
- -keystore
- -logd
-}:process { ptrace signal sigchld sigstop sigkill };
-
# crash_dump might inherit CAP_SYS_PTRACE from a privileged process,
# which will result in an audit log even when it's allowed to trace.
dontaudit crash_dump self:global_capability_class_set { sys_ptrace };
diff --git a/private/crash_dump.te b/private/crash_dump.te
index fb73f08..c3d2ed5 100644
--- a/private/crash_dump.te
+++ b/private/crash_dump.te
@@ -1 +1,14 @@
typeattribute crash_dump coredomain;
+
+allow crash_dump {
+ domain
+ -bpfloader
+ -crash_dump
+ -init
+ -kernel
+ -keystore
+ -logd
+ -ueventd
+ -vendor_init
+ -vold
+}:process { ptrace signal sigchld sigstop sigkill };
diff --git a/public/crash_dump.te b/public/crash_dump.te
index f778d28..cd1e5a8 100644
--- a/public/crash_dump.te
+++ b/public/crash_dump.te
@@ -1,14 +1,6 @@
type crash_dump, domain;
type crash_dump_exec, exec_type, file_type;
-allow crash_dump {
- domain
- -init
- -crash_dump
- -keystore
- -logd
-}:process { ptrace signal sigchld sigstop sigkill };
-
# crash_dump might inherit CAP_SYS_PTRACE from a privileged process,
# which will result in an audit log even when it's allowed to trace.
dontaudit crash_dump self:global_capability_class_set { sys_ptrace };