divestos-build/Patches/LineageOS-20.0/android_system_sepolicy/0003-ptrace_scope-1.patch

From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: flawedworld <flawedworld@flawed.world>
Date: Mon, 11 Oct 2021 02:33:31 +0100
Subject: [PATCH] allow init to control kernel.yama.ptrace_scope

---
 prebuilts/api/33.0/private/domain.te      | 1 +
 prebuilts/api/33.0/private/genfs_contexts | 1 +
 prebuilts/api/33.0/public/init.te         | 3 +++
 private/domain.te                         | 1 +
 private/genfs_contexts                    | 1 +
 public/init.te                            | 3 +++
 6 files changed, 10 insertions(+)

diff --git a/prebuilts/api/33.0/private/domain.te b/prebuilts/api/33.0/private/domain.te
index 2ef688c39..2ff442563 100644
--- a/prebuilts/api/33.0/private/domain.te
+++ b/prebuilts/api/33.0/private/domain.te
@@ -136,6 +136,7 @@ neverallow {
 # with other UIDs to these allowlisted domains.
 neverallow {
   domain
+  -init
   -vold
   userdebug_or_eng(`-llkd')
   -dumpstate
diff --git a/prebuilts/api/33.0/private/genfs_contexts b/prebuilts/api/33.0/private/genfs_contexts
index 6c4bf98eb..b99ed055e 100644
--- a/prebuilts/api/33.0/private/genfs_contexts
+++ b/prebuilts/api/33.0/private/genfs_contexts
@@ -79,6 +79,7 @@ genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0
 genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0
 genfscon proc /sys/kernel/unprivileged_bpf_ u:object_r:proc_bpf:s0
 genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/yama/ptrace_scope u:object_r:proc_security:s0
 genfscon proc /sys/net u:object_r:proc_net:s0
 genfscon proc /sys/net/core/bpf_ u:object_r:proc_bpf:s0
 genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0
diff --git a/prebuilts/api/33.0/public/init.te b/prebuilts/api/33.0/public/init.te
index ce0d130fe..52cbf33e8 100644
--- a/prebuilts/api/33.0/public/init.te
+++ b/prebuilts/api/33.0/public/init.te
@@ -155,6 +155,9 @@ allow init self:global_capability_class_set sys_time;
 
 allow init self:global_capability_class_set { sys_rawio mknod };
 
+# Set /proc/sys/kernel/yama/ptrace_scope
+allow init self:capability { sys_ptrace };
+
 # Mounting filesystems from block devices.
 allow init dev_type:blk_file r_file_perms;
 allowxperm init dev_type:blk_file ioctl BLKROSET;
diff --git a/private/domain.te b/private/domain.te
index 2ef688c39..2ff442563 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -136,6 +136,7 @@ neverallow {
 # with other UIDs to these allowlisted domains.
 neverallow {
   domain
+  -init
   -vold
   userdebug_or_eng(`-llkd')
   -dumpstate
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 6c4bf98eb..b99ed055e 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -79,6 +79,7 @@ genfscon proc /sys/kernel/sched_wakeup_granularity_ns u:object_r:proc_sched:s0
 genfscon proc /sys/kernel/sysrq u:object_r:proc_sysrq:s0
 genfscon proc /sys/kernel/unprivileged_bpf_ u:object_r:proc_bpf:s0
 genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0
+genfscon proc /sys/kernel/yama/ptrace_scope u:object_r:proc_security:s0
 genfscon proc /sys/net u:object_r:proc_net:s0
 genfscon proc /sys/net/core/bpf_ u:object_r:proc_bpf:s0
 genfscon proc /sys/vm/dirty_background_ratio u:object_r:proc_dirty:s0
diff --git a/public/init.te b/public/init.te
index ce0d130fe..52cbf33e8 100644
--- a/public/init.te
+++ b/public/init.te
@@ -155,6 +155,9 @@ allow init self:global_capability_class_set sys_time;
 
 allow init self:global_capability_class_set { sys_rawio mknod };
 
+# Set /proc/sys/kernel/yama/ptrace_scope
+allow init self:capability { sys_ptrace };
+
 # Mounting filesystems from block devices.
 allow init dev_type:blk_file r_file_perms;
 allowxperm init dev_type:blk_file ioctl BLKROSET;