| # dumpstate |
| type dumpstate, domain, mlstrustedsubject; |
| type dumpstate_exec, system_file_type, exec_type, file_type; |
| |
| net_domain(dumpstate) |
| binder_use(dumpstate) |
| wakelock_use(dumpstate) |
| |
| # Allow setting process priority, protect from OOM killer, and dropping |
| # privileges by switching UID / GID |
| allow dumpstate self:global_capability_class_set { setuid setgid sys_resource }; |
| |
| # Allow dumpstate to scan through /proc/pid for all processes |
| r_dir_file(dumpstate, domain) |
| |
| allow dumpstate self:global_capability_class_set { |
| # Send signals to processes |
| kill |
| # Run iptables |
| net_raw |
| net_admin |
| }; |
| |
| # Allow executing files on system, such as: |
| # /system/bin/toolbox |
| # /system/bin/logcat |
| # /system/bin/dumpsys |
| allow dumpstate system_file:file execute_no_trans; |
| not_full_treble(`allow dumpstate vendor_file:file execute_no_trans;') |
| allow dumpstate toolbox_exec:file rx_file_perms; |
| |
| # hidl searches for files in /system/lib(64)/hw/ |
| allow dumpstate system_file:dir r_dir_perms; |
| |
| # Create and write into /data/anr/ |
| allow dumpstate self:global_capability_class_set { dac_override dac_read_search chown fowner fsetid }; |
| allow dumpstate anr_data_file:dir rw_dir_perms; |
| allow dumpstate anr_data_file:file create_file_perms; |
| |
| # Allow reading /data/system/uiderrors.txt |
| # TODO: scope this down. |
| allow dumpstate system_data_file:file r_file_perms; |
| |
| # Allow dumpstate to append into apps' private files. |
| allow dumpstate { privapp_data_file app_data_file }:file append; |
| |
| # Read dmesg |
| allow dumpstate self:global_capability2_class_set syslog; |
| allow dumpstate kernel:system syslog_read; |
| |
| # Read /sys/fs/pstore/console-ramoops |
| allow dumpstate pstorefs:dir r_dir_perms; |
| allow dumpstate pstorefs:file r_file_perms; |
| |
| # Get process attributes |
| allow dumpstate domain:process getattr; |
| |
| # Signal java processes to dump their stack |
| allow dumpstate { appdomain system_server zygote app_zygote }:process signal; |
| |
| # Signal native processes to dump their stack. |
| allow dumpstate { |
| # This list comes from native_processes_to_dump in dumputils/dump_utils.c |
| audioserver |
| cameraserver |
| drmserver |
| inputflinger |
| mediadrmserver |
| mediaextractor |
| mediametrics |
| mediaserver |
| mediaswcodec |
| sdcardd |
| surfaceflinger |
| vold |
| |
| # This list comes from hal_interfaces_to_dump in dumputils/dump_utils.c |
| evsmanagerd |
| hal_audio_server |
| hal_audiocontrol_server |
| hal_bluetooth_server |
| hal_broadcastradio_server |
| hal_camera_server |
| hal_codec2_server |
| hal_drm_server |
| hal_evs_server |
| hal_face_server |
| hal_fingerprint_server |
| hal_graphics_allocator_server |
| hal_graphics_composer_server |
| hal_health_server |
| hal_input_processor_server |
| hal_neuralnetworks_server |
| hal_omx_server |
| hal_power_server |
| hal_power_stats_server |
| hal_sensors_server |
| hal_thermal_server |
| hal_vehicle_server |
| hal_vr_server |
| system_suspend_server |
| }:process signal; |
| |
| # Connect to tombstoned to intercept dumps. |
| unix_socket_connect(dumpstate, tombstoned_intercept, tombstoned) |
| |
| # Access to /sys |
| allow dumpstate sysfs_type:dir r_dir_perms; |
| |
| allow dumpstate { |
| sysfs_devices_block |
| sysfs_dm |
| sysfs_loop |
| sysfs_usb |
| sysfs_zram |
| }:file r_file_perms; |
| |
| # Ignore other file access under /sys. |
| dontaudit dumpstate sysfs:file r_file_perms; |
| |
| # Other random bits of data we want to collect |
| no_debugfs_restriction(` |
| allow dumpstate debugfs:file r_file_perms; |
| auditallow dumpstate debugfs:file r_file_perms; |
| |
| allow dumpstate debugfs_mmc:file r_file_perms; |
| ') |
| |
| # df for |
| allow dumpstate { |
| block_device |
| cache_file |
| metadata_file |
| rootfs |
| selinuxfs |
| storage_file |
| tmpfs |
| }:dir { search getattr }; |
| allow dumpstate fuse_device:chr_file getattr; |
| allow dumpstate { dm_device cache_block_device }:blk_file getattr; |
| allow dumpstate { cache_file rootfs }:lnk_file { getattr read }; |
| |
| # Read /dev/cpuctl and /dev/cpuset |
| r_dir_file(dumpstate, cgroup) |
| r_dir_file(dumpstate, cgroup_v2) |
| |
| # Allow dumpstate to make binder calls to any binder service |
| binder_call(dumpstate, binderservicedomain) |
| binder_call(dumpstate, { appdomain artd netd wificond }) |
| |
| # Allow dumpstate to call dump() on specific hals. |
| dump_hal(hal_audio) |
| dump_hal(hal_audiocontrol) |
| dump_hal(hal_authsecret) |
| dump_hal(hal_bluetooth) |
| dump_hal(hal_broadcastradio) |
| dump_hal(hal_camera) |
| dump_hal(hal_codec2) |
| dump_hal(hal_contexthub) |
| dump_hal(hal_drm) |
| dump_hal(hal_dumpstate) |
| dump_hal(hal_evs) |
| dump_hal(hal_face) |
| dump_hal(hal_fingerprint) |
| dump_hal(hal_gnss) |
| dump_hal(hal_graphics_allocator) |
| dump_hal(hal_graphics_composer) |
| dump_hal(hal_health) |
| dump_hal(hal_identity) |
| dump_hal(hal_input_processor) |
| dump_hal(hal_keymint) |
| dump_hal(hal_light) |
| dump_hal(hal_memtrack) |
| dump_hal(hal_neuralnetworks) |
| dump_hal(hal_nfc) |
| dump_hal(hal_oemlock) |
| dump_hal(hal_power) |
| dump_hal(hal_power_stats) |
| dump_hal(hal_rebootescrow) |
| dump_hal(hal_sensors) |
| dump_hal(hal_thermal) |
| dump_hal(hal_vehicle) |
| dump_hal(hal_weaver) |
| dump_hal(hal_wifi) |
| |
| # Vibrate the device after we are done collecting the bugreport |
| hal_client_domain(dumpstate, hal_vibrator) |
| |
| # Reading /proc/PID/maps of other processes |
| allow dumpstate self:global_capability_class_set sys_ptrace; |
| |
| # Allow the bugreport service to create a file in |
| # /data/data/com.android.shell/files/bugreports/bugreport |
| allow dumpstate shell_data_file:dir create_dir_perms; |
| allow dumpstate shell_data_file:file create_file_perms; |
| |
| # Run a shell. |
| allow dumpstate shell_exec:file rx_file_perms; |
| |
| # For running am and similar framework commands. |
| # Run /system/bin/app_process. |
| allow dumpstate zygote_exec:file rx_file_perms; |
| |
| # For Bluetooth |
| allow dumpstate bluetooth_data_file:dir search; |
| allow dumpstate bluetooth_logs_data_file:dir r_dir_perms; |
| allow dumpstate bluetooth_logs_data_file:file r_file_perms; |
| |
| # For Nfc |
| allow dumpstate nfc_logs_data_file:dir r_dir_perms; |
| allow dumpstate nfc_logs_data_file:file r_file_perms; |
| |
| # Dumpstate calls screencap, which grabs a screenshot. Needs gpu access |
| allow dumpstate gpu_device:chr_file rw_file_perms; |
| allow dumpstate gpu_device:dir r_dir_perms; |
| |
| # logd access |
| read_logd(dumpstate) |
| control_logd(dumpstate) |
| read_runtime_log_tags(dumpstate) |
| |
| # Read files in /proc |
| allow dumpstate { |
| proc_bootconfig |
| proc_buddyinfo |
| proc_cmdline |
| proc_meminfo |
| proc_modules |
| proc_net_type |
| proc_pipe_conf |
| proc_pagetypeinfo |
| proc_qtaguid_ctrl |
| proc_qtaguid_stat |
| proc_slabinfo |
| proc_version |
| proc_vmallocinfo |
| proc_vmstat |
| }:file r_file_perms; |
| |
| # Read network state info files. |
| allow dumpstate net_data_file:dir search; |
| allow dumpstate net_data_file:file r_file_perms; |
| |
| # List sockets via ss. |
| allow dumpstate self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read }; |
| |
| # Access /data/tombstones. |
| allow dumpstate tombstone_data_file:dir r_dir_perms; |
| allow dumpstate tombstone_data_file:file r_file_perms; |
| |
| # Access /cache/recovery |
| allow dumpstate cache_recovery_file:dir r_dir_perms; |
| allow dumpstate cache_recovery_file:file r_file_perms; |
| |
| # Access /data/misc/recovery |
| allow dumpstate recovery_data_file:dir r_dir_perms; |
| allow dumpstate recovery_data_file:file r_file_perms; |
| |
| # Access /data/misc/update_engine & /data/misc/update_engine_log |
| allow dumpstate { update_engine_data_file update_engine_log_data_file }:dir r_dir_perms; |
| allow dumpstate { update_engine_data_file update_engine_log_data_file }:file r_file_perms; |
| # Access /data/misc/snapuserd_log |
| allow dumpstate snapuserd_log_data_file:dir r_dir_perms; |
| allow dumpstate snapuserd_log_data_file:file r_file_perms; |
| |
| # Access /data/misc/profiles/{cur,ref}/ |
| userdebug_or_eng(` |
| allow dumpstate { user_profile_root_file user_profile_data_file}:dir r_dir_perms; |
| allow dumpstate user_profile_data_file:file r_file_perms; |
| ') |
| |
| # Access /data/misc/logd |
| allow dumpstate misc_logd_file:dir r_dir_perms; |
| allow dumpstate misc_logd_file:file r_file_perms; |
| |
| # Access /data/misc/prereboot |
| allow dumpstate prereboot_data_file:dir r_dir_perms; |
| allow dumpstate prereboot_data_file:file r_file_perms; |
| |
| allow dumpstate app_fuse_file:dir r_dir_perms; |
| allow dumpstate overlayfs_file:dir r_dir_perms; |
| |
| allow dumpstate { |
| service_manager_type |
| -apex_service |
| -dumpstate_service |
| -gatekeeper_service |
| -hal_service_type |
| -virtual_touchpad_service |
| -vold_service |
| -default_android_service |
| }:service_manager find; |
| # suppress denials for services dumpstate should not be accessing. |
| dontaudit dumpstate { |
| apex_service |
| dumpstate_service |
| gatekeeper_service |
| hal_service_type |
| virtual_touchpad_service |
| vold_service |
| }:service_manager find; |
| |
| # Most of these are neverallowed. |
| dontaudit dumpstate hwservice_manager_type:hwservice_manager find; |
| |
| allow dumpstate servicemanager:service_manager list; |
| allow dumpstate hwservicemanager:hwservice_manager list; |
| |
| allow dumpstate devpts:chr_file rw_file_perms; |
| |
| # Read any system properties |
| get_prop(dumpstate, property_type) |
| |
| # Access to /data/media. |
| # This should be removed if sdcardfs is modified to alter the secontext for its |
| # accesses to the underlying FS. |
| allow dumpstate media_rw_data_file:dir getattr; |
| allow dumpstate proc_interrupts:file r_file_perms; |
| allow dumpstate proc_zoneinfo:file r_file_perms; |
| |
| # Create a service for talking back to system_server |
| add_service(dumpstate, dumpstate_service) |
| |
| # use /dev/ion for screen capture |
| allow dumpstate ion_device:chr_file r_file_perms; |
| |
| # Allow dumpstate to run top |
| allow dumpstate proc_stat:file r_file_perms; |
| |
| allow dumpstate proc_pressure_cpu:file r_file_perms; |
| allow dumpstate proc_pressure_mem:file r_file_perms; |
| allow dumpstate proc_pressure_io:file r_file_perms; |
| |
| # Allow dumpstate to run ps |
| allow dumpstate proc_pid_max:file r_file_perms; |
| |
| # Allow dumpstate to talk to installd over binder |
| binder_call(dumpstate, installd); |
| |
| # Allow dumpstate to run ip xfrm policy |
| allow dumpstate self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read }; |
| |
| # Allow dumpstate to run iotop |
| allow dumpstate self:netlink_socket create_socket_perms_no_ioctl; |
| # newer kernels (e.g. 4.4) have a new class for sockets |
| allow dumpstate self:netlink_generic_socket create_socket_perms_no_ioctl; |
| |
| # Allow dumpstate to run ss |
| allow dumpstate { domain pdx_channel_socket_type pdx_endpoint_socket_type }:socket_class_set getattr; |
| |
| # Allow dumpstate to read linkerconfig directory |
| allow dumpstate linkerconfig_file:dir { read open }; |
| |
| # For when dumpstate runs df |
| dontaudit dumpstate { |
| mnt_vendor_file |
| mirror_data_file |
| mnt_user_file |
| mnt_product_file |
| }:dir search; |
| dontaudit dumpstate { |
| apex_mnt_dir |
| linkerconfig_file |
| mirror_data_file |
| mnt_user_file |
| }:dir getattr; |
| |
| # Allow dumpstate to talk to bufferhubd over binder |
| binder_call(dumpstate, bufferhubd); |
| |
| # Allow dumpstate to talk to mediaswcodec over binder |
| binder_call(dumpstate, mediaswcodec); |
| |
| #Access /data/misc/snapshotctl_log |
| allow dumpstate snapshotctl_log_data_file:dir r_dir_perms; |
| allow dumpstate snapshotctl_log_data_file:file r_file_perms; |
| |
| #Allow access to /dev/binderfs/binder_logs |
| allow dumpstate binderfs_logs:dir r_dir_perms; |
| allow dumpstate binderfs_logs:file r_file_perms; |
| allow dumpstate binderfs_logs_proc:file r_file_perms; |
| allow dumpstate binderfs_logs_stats:file r_file_perms; |
| |
| use_apex_info(dumpstate) |
| |
| # Allow reading files under /data/system/shutdown-checkpoints/ |
| allow dumpstate shutdown_checkpoints_system_data_file:dir r_dir_perms; |
| allow dumpstate shutdown_checkpoints_system_data_file:file r_file_perms; |
| |
| ### |
| ### neverallow rules |
| ### |
| |
| # dumpstate has capability sys_ptrace, but should only use that capability for |
| # accessing sensitive /proc/PID files, never for using ptrace attach. |
| neverallow dumpstate *:process ptrace; |
| |
| # only system_server, dumpstate, traceur_app and shell can find the dumpstate service |
| neverallow { |
| domain |
| -system_server |
| -shell |
| -traceur_app |
| -dumpstate |
| } dumpstate_service:service_manager find; |