public/crash_dump.te - platform/system/sepolicy - Git at Google

 type crash_dump, domain;
 type crash_dump_exec, exec_type, file_type;

 allow crash_dump {
   domain
   -init
   -crash_dump
   -keystore
   -logd
 }:process { ptrace signal sigchld sigstop sigkill };

 # crash_dump might inherit CAP_SYS_PTRACE from a privileged process,
 # which will result in an audit log even when it's allowed to trace.
 dontaudit crash_dump self:capability { sys_ptrace };

 userdebug_or_eng(`
   allow crash_dump logd:process { ptrace signal sigchld sigstop sigkill };
 ')

 # Use inherited file descriptors
 allow crash_dump domain:fd use;

 # Write to the IPC pipe inherited from crashing processes.
 # Append to pipes given to us by processes requesting dumps (e.g. dumpstate)
 allow crash_dump domain:fifo_file { write append };

 r_dir_file(crash_dump, domain)
 allow crash_dump exec_type:file r_file_perms;

 # Read /data/dalvik-cache.
 allow crash_dump dalvikcache_data_file:dir { search getattr };
 allow crash_dump dalvikcache_data_file:file r_file_perms;

 # Read APK files.
 r_dir_file(crash_dump, apk_data_file);

 # Talk to tombstoned
 unix_socket_connect(crash_dump, tombstoned_crash, tombstoned)

 # Talk to ActivityManager.
 unix_socket_connect(crash_dump, system_ndebug, system_server)

 # Append to ANR files.
 allow crash_dump anr_data_file:file { append getattr };

 # Append to tombstone files.
 allow crash_dump tombstone_data_file:file { append getattr };

 read_logd(crash_dump)

 ###
 ### neverallow assertions
 ###

 # A domain transition must occur for crash_dump to get the privileges needed to trace the process.
 # Do not allow the execution of crash_dump without a domain transition.
 neverallow domain crash_dump_exec:file execute_no_trans;
	type crash_dump, domain;
	type crash_dump_exec, exec_type, file_type;

	allow crash_dump {
	domain
	-init
	-crash_dump
	-keystore
	-logd
	}:process { ptrace signal sigchld sigstop sigkill };

	# crash_dump might inherit CAP_SYS_PTRACE from a privileged process,
	# which will result in an audit log even when it's allowed to trace.
	dontaudit crash_dump self:capability { sys_ptrace };

	userdebug_or_eng(`
	allow crash_dump logd:process { ptrace signal sigchld sigstop sigkill };
	')

	# Use inherited file descriptors
	allow crash_dump domain:fd use;

	# Write to the IPC pipe inherited from crashing processes.
	# Append to pipes given to us by processes requesting dumps (e.g. dumpstate)
	allow crash_dump domain:fifo_file { write append };

	r_dir_file(crash_dump, domain)
	allow crash_dump exec_type:file r_file_perms;

	# Read /data/dalvik-cache.
	allow crash_dump dalvikcache_data_file:dir { search getattr };
	allow crash_dump dalvikcache_data_file:file r_file_perms;

	# Read APK files.
	r_dir_file(crash_dump, apk_data_file);

	# Talk to tombstoned
	unix_socket_connect(crash_dump, tombstoned_crash, tombstoned)

	# Talk to ActivityManager.
	unix_socket_connect(crash_dump, system_ndebug, system_server)

	# Append to ANR files.
	allow crash_dump anr_data_file:file { append getattr };

	# Append to tombstone files.
	allow crash_dump tombstone_data_file:file { append getattr };

	read_logd(crash_dump)

	###
	### neverallow assertions
	###

	# A domain transition must occur for crash_dump to get the privileges needed to trace the process.
	# Do not allow the execution of crash_dump without a domain transition.
	neverallow domain crash_dump_exec:file execute_no_trans;