public/debuggerd.te - LeafOS-Project/android_system_sepolicy - Gitiles

 # debugger interface
 type debuggerd, domain, domain_deprecated;
 type debuggerd_exec, exec_type, file_type;

 typeattribute debuggerd mlstrustedsubject;
 allow debuggerd self:capability { dac_override sys_ptrace chown kill fowner setuid setgid };
 allow debuggerd self:capability2 { syslog };
 allow debuggerd domain:dir r_dir_perms;
 allow debuggerd domain:file r_file_perms;
 allow debuggerd domain:lnk_file read;
 allow debuggerd {
   domain
   -adbd
   -debuggerd
   -healthd
   -init
   -keystore
   -ueventd
   -watchdogd
 }:process { execmem ptrace getattr };
 allow debuggerd tombstone_data_file:dir rw_dir_perms;
 allow debuggerd tombstone_data_file:file create_file_perms;
 allow debuggerd shared_relro_file:dir r_dir_perms;
 allow debuggerd shared_relro_file:file r_file_perms;
 allow debuggerd domain:process { sigstop sigkill signal };
 allow debuggerd exec_type:file r_file_perms;
 # Access app library
 allow debuggerd system_data_file:file open;
 # Allow debuggerd to redirect a dump_backtrace request to itself.
 # This only happens on 64 bit systems, where all requests go to the 64 bit
 # debuggerd and get redirected to the 32 bit debuggerd if the process is 32 bit.

 allow debuggerd {
   audioserver
   bluetooth
   cameraserver
   drmserver
   inputflinger
   mediacodec
   mediadrmserver
   mediaextractor
   mediaserver
   sdcardd
   surfaceflinger
 }:debuggerd dump_backtrace;

 # Connect to system_server via /data/system/ndebugsocket.
 unix_socket_connect(debuggerd, system_ndebug, system_server)

 userdebug_or_eng(`
   allow debuggerd input_device:dir r_dir_perms;
   allow debuggerd input_device:chr_file rw_file_perms;
 ')

 # logd access
 read_logd(debuggerd)

 # Check SELinux permissions.
 selinux_check_access(debuggerd)

 # Read /data/dalvik-cache.
 allow debuggerd dalvikcache_data_file:dir { search getattr };
 allow debuggerd dalvikcache_data_file:file r_file_perms;
	# debugger interface
	type debuggerd, domain, domain_deprecated;
	type debuggerd_exec, exec_type, file_type;

	typeattribute debuggerd mlstrustedsubject;
	allow debuggerd self:capability { dac_override sys_ptrace chown kill fowner setuid setgid };
	allow debuggerd self:capability2 { syslog };
	allow debuggerd domain:dir r_dir_perms;
	allow debuggerd domain:file r_file_perms;
	allow debuggerd domain:lnk_file read;
	allow debuggerd {
	domain
	-adbd
	-debuggerd
	-healthd
	-init
	-keystore
	-ueventd
	-watchdogd
	}:process { execmem ptrace getattr };
	allow debuggerd tombstone_data_file:dir rw_dir_perms;
	allow debuggerd tombstone_data_file:file create_file_perms;
	allow debuggerd shared_relro_file:dir r_dir_perms;
	allow debuggerd shared_relro_file:file r_file_perms;
	allow debuggerd domain:process { sigstop sigkill signal };
	allow debuggerd exec_type:file r_file_perms;
	# Access app library
	allow debuggerd system_data_file:file open;
	# Allow debuggerd to redirect a dump_backtrace request to itself.
	# This only happens on 64 bit systems, where all requests go to the 64 bit
	# debuggerd and get redirected to the 32 bit debuggerd if the process is 32 bit.

	allow debuggerd {
	audioserver
	bluetooth
	cameraserver
	drmserver
	inputflinger
	mediacodec
	mediadrmserver
	mediaextractor
	mediaserver
	sdcardd
	surfaceflinger
	}:debuggerd dump_backtrace;

	# Connect to system_server via /data/system/ndebugsocket.
	unix_socket_connect(debuggerd, system_ndebug, system_server)

	userdebug_or_eng(`
	allow debuggerd input_device:dir r_dir_perms;
	allow debuggerd input_device:chr_file rw_file_perms;
	')

	# logd access
	read_logd(debuggerd)

	# Check SELinux permissions.
	selinux_check_access(debuggerd)

	# Read /data/dalvik-cache.
	allow debuggerd dalvikcache_data_file:dir { search getattr };
	allow debuggerd dalvikcache_data_file:file r_file_perms;