Give crash_dump CAP_SYS_PTRACE.

CAP_SYS_PTRACE is needed to ptrace processes that have capabilities greater than their bounding set. Eventually, this will still be an improvement, because we can ptrace attach, and then turn on a seccomp filter that blocks further attaches. Bug: http://b/34694637 Test: debuggerd `pidof system_server` Change-Id: I4b9da164ec1fbb5060fdba590e886ac24b6a0785
2017-01-25 11:48:23 -08:00 · 2017-01-25 11:48:23 -08:00 · 36397cb168
parent 7e14d020f1
commit 36397cb168
1 changed files with 5 additions and 2 deletions
--- a/libcutils/fs_config.c
+++ b/libcutils/fs_config.c
@ -177,8 +177,11 @@ static const struct fs_path_config android_files[] = {
                                           CAP_MASK_LONG(CAP_SETPCAP),
                                              "system/bin/webview_zygote64" },

-    { 00755, AID_ROOT,      AID_SHELL,     0, "system/bin/crash_dump32" },
-    { 00755, AID_ROOT,      AID_SHELL,     0, "system/bin/crash_dump64" },
+    { 00755, AID_ROOT,      AID_SHELL,     CAP_MASK_LONG(CAP_SYS_PTRACE),
+                                              "system/bin/crash_dump32" },
+    { 00755, AID_ROOT,      AID_SHELL,     CAP_MASK_LONG(CAP_SYS_PTRACE),
+                                              "system/bin/crash_dump64" },
+
    { 00755, AID_ROOT,      AID_SHELL,     0, "system/bin/debuggerd" },
    { 00750, AID_ROOT,      AID_ROOT,      0, "system/bin/uncrypt" },
    { 00750, AID_ROOT,      AID_ROOT,      0, "system/bin/install-recovery.sh" },