prebuilts/api/202404/private/crash_dump.te - LeafOS-Project/android_system_sepolicy - Gitiles

 typeattribute crash_dump coredomain;

 # Crash dump does not need to access devices passed across exec().
 dontaudit crash_dump { devpts dev_type }:chr_file { read write };

 allow crash_dump {
   domain
   -apexd
   -bpfloader
   -crash_dump
   -init
   -kernel
   -keystore
   -llkd
   -logd
   -ueventd
   -vendor_init
   -vold
 }:process { ptrace signal sigchld sigstop sigkill };

 userdebug_or_eng(`
   allow crash_dump {
     apexd
     keystore
     llkd
     logd
     vold
   }:process { ptrace signal sigchld sigstop sigkill };
 ')

 # Read ART APEX data directory
 allow crash_dump apex_art_data_file:dir { getattr search };
 allow crash_dump apex_art_data_file:file r_file_perms;

 # Allow crash dump to read bootstrap libraries
 allow crash_dump system_bootstrap_lib_file:dir { getattr search };
 allow crash_dump system_bootstrap_lib_file:file r_file_perms;

 # Read Vendor APEX directories
 allow crash_dump vendor_apex_metadata_file:dir { getattr search };

 ###
 ### neverallow assertions
 ###

 # sigchld not explicitly forbidden since it's part of the
 # domain-transition-on-exec macros, and is by itself not sensitive
 neverallow crash_dump {
   apexd
   userdebug_or_eng(`-apexd')
   bpfloader
   init
   kernel
   keystore
   userdebug_or_eng(`-keystore')
   llkd
   userdebug_or_eng(`-llkd')
   logd
   userdebug_or_eng(`-logd')
   ueventd
   vendor_init
   vold
   userdebug_or_eng(`-vold')
 }:process { ptrace signal sigstop sigkill };

 neverallow crash_dump self:process ptrace;
 neverallow crash_dump gpu_device:chr_file *;
	typeattribute crash_dump coredomain;

	# Crash dump does not need to access devices passed across exec().
	dontaudit crash_dump { devpts dev_type }:chr_file { read write };

	allow crash_dump {
	domain
	-apexd
	-bpfloader
	-crash_dump
	-init
	-kernel
	-keystore
	-llkd
	-logd
	-ueventd
	-vendor_init
	-vold
	}:process { ptrace signal sigchld sigstop sigkill };

	userdebug_or_eng(`
	allow crash_dump {
	apexd
	keystore
	llkd
	logd
	vold
	}:process { ptrace signal sigchld sigstop sigkill };
	')

	# Read ART APEX data directory
	allow crash_dump apex_art_data_file:dir { getattr search };
	allow crash_dump apex_art_data_file:file r_file_perms;

	# Allow crash dump to read bootstrap libraries
	allow crash_dump system_bootstrap_lib_file:dir { getattr search };
	allow crash_dump system_bootstrap_lib_file:file r_file_perms;

	# Read Vendor APEX directories
	allow crash_dump vendor_apex_metadata_file:dir { getattr search };

	###
	### neverallow assertions
	###

	# sigchld not explicitly forbidden since it's part of the
	# domain-transition-on-exec macros, and is by itself not sensitive
	neverallow crash_dump {
	apexd
	userdebug_or_eng(`-apexd')
	bpfloader
	init
	kernel
	keystore
	userdebug_or_eng(`-keystore')
	llkd
	userdebug_or_eng(`-llkd')
	logd
	userdebug_or_eng(`-logd')
	ueventd
	vendor_init
	vold
	userdebug_or_eng(`-vold')
	}:process { ptrace signal sigstop sigkill };

	neverallow crash_dump self:process ptrace;
	neverallow crash_dump gpu_device:chr_file *;