Git-Mirrors/DivestOS
1
0
Fork 0
mirror of https://github.com/Divested-Mobile/DivestOS-Build.git synced 2024-07-10 13:22:12 +00:00
Code Issues Packages Projects Releases Wiki Activity
5a3c64c178
DivestOS/Patches/LineageOS-17.1/android_system_sepolicy/0003-ptrace_scope-1.patch
Tad a53062ca0b Backports 
Adds ptrace_scope and timeout options to 17.1, tested working

Also adds hardened_malloc to 15.1, but failing to compile:
external/hardened_malloc/h_malloc.c:1688:18: error: use of undeclared identifier 'M_PURGE'
    if (param == M_PURGE) {
                 ^
external/hardened_malloc/h_malloc.c:1743:30: error: missing field 'ordblks' initializer [-Werror,-Wmissing-field-initializers]
    struct mallinfo info = {0};
                             ^

Signed-off-by: Tad <tad@spotco.us>
2022-03-21 18:06:49 -04:00

131 lines
6.2 KiB
Diff
Raw Blame History

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: flawedworld <38294951+flawedworld@users.noreply.github.com>
Date: Mon, 5 Apr 2021 02:26:20 +0100
Subject: [PATCH] allow init to control kernel.yama.ptrace_scope
Change-Id: Id364a6a0e088be3bb00b245d580e29980f5c2650
---
prebuilts/api/26.0/private/genfs_contexts | 1 +
prebuilts/api/27.0/private/genfs_contexts | 1 +
prebuilts/api/28.0/private/genfs_contexts | 1 +
prebuilts/api/29.0/private/domain.te | 1 +
prebuilts/api/29.0/private/genfs_contexts | 1 +
prebuilts/api/29.0/public/init.te | 3 +++
private/domain.te | 1 +
private/genfs_contexts | 1 +
public/init.te | 3 +++
9 files changed, 13 insertions(+)
diff --git a/prebuilts/api/26.0/private/genfs_contexts b/prebuilts/api/26.0/private/genfs_contexts
index 753cabf15..67203c998 100644
--- a/prebuilts/api/26.0/private/genfs_contexts
+++ b/prebuilts/api/26.0/private/genfs_contexts
@@ -29,6 +29,7 @@ genfscon proc /sys/kernel/perf_event_max_sample_rate u:object_r:proc_perf:s0
genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/yama/ptrace_scope u:object_r:proc_security:s0
genfscon proc /sys/net u:object_r:proc_net:s0
genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0
diff --git a/prebuilts/api/27.0/private/genfs_contexts b/prebuilts/api/27.0/private/genfs_contexts
index 606d46cbe..ac54e423a 100644
--- a/prebuilts/api/27.0/private/genfs_contexts
+++ b/prebuilts/api/27.0/private/genfs_contexts
@@ -29,6 +29,7 @@ genfscon proc /sys/kernel/perf_event_max_sample_rate u:object_r:proc_perf:s0
genfscon proc /sys/kernel/poweroff_cmd u:object_r:usermodehelper:s0
genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0
genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/yama/ptrace_scope u:object_r:proc_security:s0
genfscon proc /sys/net u:object_r:proc_net:s0
genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0
genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0
diff --git a/prebuilts/api/28.0/private/genfs_contexts b/prebuilts/api/28.0/private/genfs_contexts
index 44ca95fd5..89b55b28d 100644
--- a/prebuilts/api/28.0/private/genfs_contexts
+++ b/prebuilts/api/28.0/private/genfs_contexts
@@ -58,6 +58,7 @@ genfscon proc /sys/kernel/sched_tunable_scaling u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0
genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/yama/ptrace_scope u:object_r:proc_security:s0
genfscon proc /sys/net u:object_r:proc_net:s0
genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0
genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0
diff --git a/prebuilts/api/29.0/private/domain.te b/prebuilts/api/29.0/private/domain.te
index 1d26761d6..62cbb04a1 100644
--- a/prebuilts/api/29.0/private/domain.te
+++ b/prebuilts/api/29.0/private/domain.te
@@ -86,6 +86,7 @@ userdebug_or_eng(`
# with other UIDs to these whitelisted domains.
neverallow {
domain
+ -init
-vold
userdebug_or_eng(`-llkd')
-dumpstate
diff --git a/prebuilts/api/29.0/private/genfs_contexts b/prebuilts/api/29.0/private/genfs_contexts
index e72803627..27828d91b 100644
--- a/prebuilts/api/29.0/private/genfs_contexts
+++ b/prebuilts/api/29.0/private/genfs_contexts
@@ -71,6 +71,7 @@ genfscon proc /sys/kernel/sched_tunable_scaling u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0
genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/yama/ptrace_scope u:object_r:proc_security:s0
genfscon proc /sys/net u:object_r:proc_net:s0
genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0
genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0
diff --git a/prebuilts/api/29.0/public/init.te b/prebuilts/api/29.0/public/init.te
index e7e5b6517..1ba495de3 100644
--- a/prebuilts/api/29.0/public/init.te
+++ b/prebuilts/api/29.0/public/init.te
@@ -123,6 +123,9 @@ allow init self:global_capability_class_set sys_time;
allow init self:global_capability_class_set { sys_rawio mknod };
+# Set /proc/sys/kernel/yama/ptrace_scope
+allow init self:capability { sys_ptrace };
+
# Mounting filesystems from block devices.
allow init dev_type:blk_file r_file_perms;
allowxperm init dev_type:blk_file ioctl BLKROSET;
diff --git a/private/domain.te b/private/domain.te
index 1d26761d6..62cbb04a1 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -86,6 +86,7 @@ userdebug_or_eng(`
# with other UIDs to these whitelisted domains.
neverallow {
domain
+ -init
-vold
userdebug_or_eng(`-llkd')
-dumpstate
diff --git a/private/genfs_contexts b/private/genfs_contexts
index e72803627..27828d91b 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -71,6 +71,7 @@ genfscon proc /sys/kernel/sched_tunable_scaling u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0
genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0
genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/yama/ptrace_scope u:object_r:proc_security:s0
genfscon proc /sys/net u:object_r:proc_net:s0
genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0
genfscon proc /sys/vm/dirty_expire_centisecs u:object_r:proc_dirty:s0
diff --git a/public/init.te b/public/init.te
index e7e5b6517..1ba495de3 100644
--- a/public/init.te
+++ b/public/init.te
@@ -123,6 +123,9 @@ allow init self:global_capability_class_set sys_time;
allow init self:global_capability_class_set { sys_rawio mknod };
+# Set /proc/sys/kernel/yama/ptrace_scope
+allow init self:capability { sys_ptrace };
+
# Mounting filesystems from block devices.
allow init dev_type:blk_file r_file_perms;
allowxperm init dev_type:blk_file ioctl BLKROSET;
Reference in New Issue View Git Blame Copy Permalink