| type crash_dump, domain; |
| type crash_dump_exec, exec_type, file_type; |
| |
| allow crash_dump { |
| domain |
| -init |
| -crash_dump |
| -keystore |
| -logd |
| }:process { ptrace signal sigchld sigstop sigkill }; |
| |
| # crash_dump might inherit CAP_SYS_PTRACE from a privileged process, |
| # which will result in an audit log even when it's allowed to trace. |
| dontaudit crash_dump self:capability { sys_ptrace }; |
| |
| userdebug_or_eng(` |
| allow crash_dump logd:process { ptrace signal sigchld sigstop sigkill }; |
| ') |
| |
| # Use inherited file descriptors |
| allow crash_dump domain:fd use; |
| |
| # Write to the IPC pipe inherited from crashing processes. |
| # Append to pipes given to us by processes requesting dumps (e.g. dumpstate) |
| allow crash_dump domain:fifo_file { write append }; |
| |
| r_dir_file(crash_dump, domain) |
| allow crash_dump exec_type:file r_file_perms; |
| |
| # Read /data/dalvik-cache. |
| allow crash_dump dalvikcache_data_file:dir { search getattr }; |
| allow crash_dump dalvikcache_data_file:file r_file_perms; |
| |
| # Read APK files. |
| r_dir_file(crash_dump, apk_data_file); |
| |
| # Read all /vendor |
| r_dir_file(crash_dump, { vendor_file same_process_hal_file }) |
| |
| # Talk to tombstoned |
| unix_socket_connect(crash_dump, tombstoned_crash, tombstoned) |
| |
| # Talk to ActivityManager. |
| unix_socket_connect(crash_dump, system_ndebug, system_server) |
| |
| # Append to ANR files. |
| allow crash_dump anr_data_file:file { append getattr }; |
| |
| # Append to tombstone files. |
| allow crash_dump tombstone_data_file:file { append getattr }; |
| |
| read_logd(crash_dump) |
| |
| ### |
| ### neverallow assertions |
| ### |
| |
| # A domain transition must occur for crash_dump to get the privileges needed to trace the process. |
| # Do not allow the execution of crash_dump without a domain transition. |
| neverallow domain crash_dump_exec:file execute_no_trans; |