private/crash_dump.te - platform/system/sepolicy - Git at Google

 typeattribute crash_dump coredomain;

 # Crash dump does not need to access devices passed across exec().
 dontaudit crash_dump { devpts dev_type }:chr_file { read write };

 allow crash_dump {
   domain
   -apexd
   -bpfloader
   -crash_dump
   -crosvm # TODO(b/236672526): Remove exception for crosvm
   -diced
   -init
   -kernel
   -keystore
   -llkd
   -logd
   -ueventd
   -vendor_init
   -vold
 }:process { ptrace signal sigchld sigstop sigkill };

 userdebug_or_eng(`
   allow crash_dump {
     apexd
     keystore
     llkd
     logd
     vold
   }:process { ptrace signal sigchld sigstop sigkill };
 ')

 ###
 ### neverallow assertions
 ###

 # ptrace neverallow assertions are spread throughout the other policy
 # files, so we avoid adding redundant assertions here

 neverallow crash_dump {
   apexd
   userdebug_or_eng(`-apexd')
   bpfloader
   diced
   init
   kernel
   keystore
   userdebug_or_eng(`-keystore')
   llkd
   userdebug_or_eng(`-llkd')
   logd
   userdebug_or_eng(`-logd')
   ueventd
   vendor_init
   vold
   userdebug_or_eng(`-vold')
 }:process { signal sigstop sigkill };

 neverallow crash_dump self:process ptrace;
 neverallow crash_dump gpu_device:chr_file *;

 # Read ART APEX data directory
 allow crash_dump apex_art_data_file:dir { getattr search };
 allow crash_dump apex_art_data_file:file r_file_perms;
	typeattribute crash_dump coredomain;

	# Crash dump does not need to access devices passed across exec().
	dontaudit crash_dump { devpts dev_type }:chr_file { read write };

	allow crash_dump {
	domain
	-apexd
	-bpfloader
	-crash_dump
	-crosvm # TODO(b/236672526): Remove exception for crosvm
	-diced
	-init
	-kernel
	-keystore
	-llkd
	-logd
	-ueventd
	-vendor_init
	-vold
	}:process { ptrace signal sigchld sigstop sigkill };

	userdebug_or_eng(`
	allow crash_dump {
	apexd
	keystore
	llkd
	logd
	vold
	}:process { ptrace signal sigchld sigstop sigkill };
	')

	###
	### neverallow assertions
	###

	# ptrace neverallow assertions are spread throughout the other policy
	# files, so we avoid adding redundant assertions here

	neverallow crash_dump {
	apexd
	userdebug_or_eng(`-apexd')
	bpfloader
	diced
	init
	kernel
	keystore
	userdebug_or_eng(`-keystore')
	llkd
	userdebug_or_eng(`-llkd')
	logd
	userdebug_or_eng(`-logd')
	ueventd
	vendor_init
	vold
	userdebug_or_eng(`-vold')
	}:process { signal sigstop sigkill };

	neverallow crash_dump self:process ptrace;
	neverallow crash_dump gpu_device:chr_file *;

	# Read ART APEX data directory
	allow crash_dump apex_art_data_file:dir { getattr search };
	allow crash_dump apex_art_data_file:file r_file_perms;