Google Git
Sign in
android / platform / system / sepolicy / main / . / private / crash_dump.te
blob: 45d57222dbb20adaf210a936608cd8ce8f627dd4 [file] [log] [blame]
typeattribute crash_dump coredomain;
# Crash dump does not need to access devices passed across exec().
dontaudit crash_dump { devpts dev_type }:chr_file { read write };
allow crash_dump {
domain
-apexd
-bpfloader
-crash_dump
-init
-kernel
-keystore
-llkd
-logd
-ueventd
-vendor_init
-vold
}:process { ptrace signal sigchld sigstop sigkill };
userdebug_or_eng(`
allow crash_dump {
apexd
keystore
llkd
logd
vold
}:process { ptrace signal sigchld sigstop sigkill };
')
# Read ART APEX data directory
allow crash_dump apex_art_data_file:dir { getattr search };
allow crash_dump apex_art_data_file:file r_file_perms;
# Allow crash dump to read bootstrap libraries
allow crash_dump system_bootstrap_lib_file:dir { getattr search };
allow crash_dump system_bootstrap_lib_file:file r_file_perms;
# Read Vendor APEX directories
allow crash_dump vendor_apex_metadata_file:dir { getattr search };
# crash_dump might inherit CAP_SYS_PTRACE from a privileged process,
# which will result in an audit log even when it's allowed to trace.
dontaudit crash_dump self:global_capability_class_set { sys_ptrace };
userdebug_or_eng(`
allow crash_dump logd:process { ptrace signal sigchld sigstop sigkill };
# Let crash_dump write to /dev/kmsg_debug crashes that happen before logd comes up.
allow crash_dump kmsg_debug_device:chr_file { open append };
')
# Use inherited file descriptors
allow crash_dump domain:fd use;
# Read/write IPC pipes inherited from crashing processes.
allow crash_dump domain:fifo_file { read write };
# Append to pipes given to us by processes requesting dumps (e.g. dumpstate)
allow crash_dump domain:fifo_file { append };
# Read information from /proc/$PID.
allow crash_dump domain:process getattr;
r_dir_file(crash_dump, domain)
allow crash_dump exec_type:file r_file_perms;
# Read /data/dalvik-cache.
allow crash_dump dalvikcache_data_file:dir { search getattr };
allow crash_dump dalvikcache_data_file:file r_file_perms;
# Read APEX data directories.
allow crash_dump apex_module_data_file:dir { getattr search };
# Read uptime
allow crash_dump proc_uptime:file r_file_perms;
# Read APK files.
r_dir_file(crash_dump, apk_data_file);
# Read all /vendor
r_dir_file(crash_dump, { vendor_file same_process_hal_file })
# Read all /data/local/tests
r_dir_file(crash_dump, shell_test_data_file)
# Talk to tombstoned
unix_socket_connect(crash_dump, tombstoned_crash, tombstoned)
# Talk to ActivityManager.
unix_socket_connect(crash_dump, system_ndebug, system_server)
# Append to ANR files.
allow crash_dump anr_data_file:file { append getattr };
# Append to tombstone files.
allow crash_dump tombstone_data_file:file { append getattr };
# crash_dump writes out logcat logs at the bottom of tombstones,
# which is super useful in some cases.
unix_socket_connect(crash_dump, logdr, logd)
# Crash dump is not intended to access the following files. Since these
# are WAI, suppress the denials to clean up the logs.
dontaudit crash_dump {
core_data_file_type
vendor_file_type
}:dir search;
dontaudit crash_dump system_data_file:{ lnk_file file } read;
dontaudit crash_dump property_type:file read;
get_prop(crash_dump, misctrl_prop)
###
### neverallow assertions
###
# A domain transition must occur for crash_dump to get the privileges needed to trace the process.
# Do not allow the execution of crash_dump without a domain transition.
neverallow domain crash_dump_exec:file execute_no_trans;
# sigchld not explicitly forbidden since it's part of the
# domain-transition-on-exec macros, and is by itself not sensitive
neverallow crash_dump {
apexd
userdebug_or_eng(`-apexd')
bpfloader
init
kernel
keystore
userdebug_or_eng(`-keystore')
llkd
userdebug_or_eng(`-llkd')
logd
userdebug_or_eng(`-logd')
ueventd
vendor_init
vold
userdebug_or_eng(`-vold')
}:process { ptrace signal sigstop sigkill };
neverallow crash_dump self:process ptrace;
neverallow crash_dump gpu_device:chr_file *;