# dumpstate: the bugreport collector.
# It carries mlstrustedsubject, so MLS constraints do not apply to it; type
# enforcement (the allow/neverallow rules below and elsewhere in the policy)
# is the boundary on what it can read and write.
type dumpstate, domain, mlstrustedsubject;
type dumpstate_exec, system_file_type, exec_type, file_type;

# Baseline services: wakelocks, binder IPC and network access.
wakelock_use(dumpstate)
binder_use(dumpstate)
net_domain(dumpstate)

# Process-management capabilities, all of which apply to dumpstate as a whole
# (and to anything it executes without a domain transition):
#   setuid/setgid      - drop privileges by switching UID / GID
#   sys_resource       - set process priority / protect from the OOM killer
#   kill               - send signals to other processes
#   net_raw/net_admin  - run iptables
allow dumpstate self:global_capability_class_set {
    setuid
    setgid
    sys_resource
    kill
    net_raw
    net_admin
};

# Read /proc/<pid> entries of every domain (process listing for the report).
r_dir_file(dumpstate, domain)

# hidl looks up implementations under /system/lib(64)/hw/, so the system_file
# directory tree must be listable.
allow dumpstate system_file:dir r_dir_perms;

# Run system helpers such as /system/bin/toolbox, /system/bin/logcat and
# /system/bin/dumpsys. execute_no_trans means they run in the dumpstate domain
# itself, with every permission and capability granted to this domain.
allow dumpstate system_file:file execute_no_trans;
allow dumpstate toolbox_exec:file rx_file_perms;
# Pre-Treble devices only: vendor binaries could be run the same way.
not_full_treble(`allow dumpstate vendor_file:file execute_no_trans;')

# DAC-bypass capabilities. dac_override and dac_read_search let dumpstate
# ignore Unix permission bits on any file this policy otherwise lets it reach,
# so the type-enforcement rules in this file are the only remaining boundary.
# chown/fowner/fsetid are presumably for re-owning files it creates — confirm
# against dumpstate's file handling.
allow dumpstate self:global_capability_class_set {
    dac_override
    dac_read_search
    chown
    fowner
    fsetid
};

# Create and write ANR traces under /data/anr/.
allow dumpstate anr_data_file:dir rw_dir_perms;
allow dumpstate anr_data_file:file create_file_perms;

# Read /data/system/uiderrors.txt. Note this grants read on *every* file
# labelled system_data_file, not just uiderrors.txt; narrowing it needs a
# dedicated label for that file.
# TODO: scope this down.
allow dumpstate system_data_file:file r_file_perms;

# Append (and only append) to apps' private files, including those of
# untrusted apps. No read, write or create is granted; the app controls these
# files, so dumpstate must not trust anything about their content.
allow dumpstate { app_data_file privapp_data_file }:file append;

# Process attributes of every domain (ps-style listings).
allow dumpstate domain:process getattr;

# Kernel log (dmesg): the syslog capability plus the kernel-side read permission.
allow dumpstate self:global_capability2_class_set syslog;
allow dumpstate kernel:system syslog_read;

# Previous-boot console log in /sys/fs/pstore/console-ramoops.
allow dumpstate pstorefs:dir r_dir_perms;
allow dumpstate pstorefs:file r_file_perms;

# Stack-dump signalling. Only the generic `signal` permission is granted:
# dumpstate can ask these processes to dump their stacks but cannot ptrace
# them (see the neverallow at the end of this file).

# Java processes: every app, system_server and zygote.
allow dumpstate { appdomain system_server zygote }:process signal;

# Native daemons; mirrors native_processes_to_dump in dumputils/dump_utils.c.
# Keep the two lists in sync when adding an entry.
allow dumpstate {
    audioserver
    cameraserver
    drmserver
    inputflinger
    mediadrmserver
    mediaextractor
    mediametrics
    mediaserver
    mediaswcodec
    sdcardd
    surfaceflinger
    vold
}:process signal;

# HAL server domains; mirrors hal_interfaces_to_dump in dumputils/dump_utils.c.
# Keep the two lists in sync when adding an entry.
allow dumpstate {
    hal_audio_server
    hal_audiocontrol_server
    hal_bluetooth_server
    hal_camera_server
    hal_codec2_server
    hal_drm_server
    hal_evs_server
    hal_face_server
    hal_fingerprint_server
    hal_graphics_allocator_server
    hal_graphics_composer_server
    hal_health_server
    hal_input_processor_server
    hal_neuralnetworks_server
    hal_omx_server
    hal_power_server
    hal_power_stats_server
    hal_sensors_server
    hal_thermal_server
    hal_vehicle_server
    hal_vr_server
    system_suspend_server
}:process signal;

# Intercept crash dumps via tombstoned's intercept socket.
unix_socket_connect(dumpstate, tombstoned_intercept, tombstoned)

# /sys: every sysfs directory is listable, but file reads are limited to the
# block / dm / loop / usb / zram nodes below.
allow dumpstate sysfs_type:dir r_dir_perms;
allow dumpstate {
    sysfs_devices_block
    sysfs_dm
    sysfs_loop
    sysfs_usb
    sysfs_zram
}:file r_file_perms;

# debugfs, only on builds that do not restrict it (no_debugfs_restriction).
# The auditallow logs every debugfs read so the remaining dependencies can be
# tracked down and removed.
no_debugfs_restriction(`
    allow dumpstate debugfs:file r_file_perms;
    auditallow dumpstate debugfs:file r_file_perms;

    allow dumpstate debugfs_mmc:file r_file_perms;
')

# Enough for df to stat mounted filesystems: search/getattr on the mount
# points, getattr on the backing devices, and symlink resolution for /cache
# and the root filesystem.
allow dumpstate {
    block_device
    cache_file
    metadata_file
    rootfs
    selinuxfs
    storage_file
    tmpfs
}:dir { search getattr };
allow dumpstate { dm_device cache_block_device }:blk_file getattr;
allow dumpstate fuse_device:chr_file getattr;
allow dumpstate { cache_file rootfs }:lnk_file { getattr read };

# cgroup hierarchies (/dev/cpuctl, /dev/cpuset).
r_dir_file(dumpstate, cgroup)
r_dir_file(dumpstate, cgroup_v2)

# Binder: dumpstate may call every binder service domain, every app domain,
# netd and wificond. This is the widest IPC reach in the file; what a dump()
# request returns is decided by the callee, not by this policy.
binder_call(dumpstate, { binderservicedomain appdomain netd wificond })

# HALs whose dump() dumpstate may invoke (kept alphabetical).
dump_hal(hal_contexthub)
dump_hal(hal_drm)
dump_hal(hal_dumpstate)
dump_hal(hal_face)
dump_hal(hal_fingerprint)
dump_hal(hal_gnss)
dump_hal(hal_graphics_allocator)
dump_hal(hal_identity)
dump_hal(hal_input_processor)
dump_hal(hal_light)
dump_hal(hal_neuralnetworks)
dump_hal(hal_nfc)
dump_hal(hal_power)
dump_hal(hal_power_stats)
dump_hal(hal_thermal)
dump_hal(hal_wifi)

# Vibrate once the bugreport has been collected.
hal_client_domain(dumpstate, hal_vibrator)

# CAP_SYS_PTRACE is held only so /proc/<pid>/maps of other processes can be
# read; the neverallow at the end of this file forbids actual ptrace attach.
allow dumpstate self:global_capability_class_set sys_ptrace;

# The bugreport service writes its output to
# /data/data/com.android.shell/files/bugreports/bugreport.
allow dumpstate shell_data_file:dir create_dir_perms;
allow dumpstate shell_data_file:file create_file_perms;

# Execute a shell and /system/bin/app_process (for am and similar framework
# commands). rx_file_perms includes execute_no_trans, so both run in the
# dumpstate domain.
allow dumpstate { shell_exec zygote_exec }:file rx_file_perms;

# Bluetooth and NFC log directories, read-only. Only `search` is granted on
# the Bluetooth data directory itself, so its other contents stay out of reach.
allow dumpstate bluetooth_data_file:dir search;
allow dumpstate { bluetooth_logs_data_file nfc_logs_data_file }:dir r_dir_perms;
allow dumpstate { bluetooth_logs_data_file nfc_logs_data_file }:file r_file_perms;

# screencap needs the GPU device to grab the screenshot.
allow dumpstate gpu_device:dir r_dir_perms;
allow dumpstate gpu_device:chr_file rw_file_perms;

# Read and control logd, and read the runtime log tags.
read_logd(dumpstate)
control_logd(dumpstate)
read_runtime_log_tags(dumpstate)

# /proc files read for the report.
allow dumpstate {
    proc_buddyinfo
    proc_cmdline
    proc_meminfo
    proc_modules
    proc_net_type
    proc_pagetypeinfo
    proc_pipe_conf
    proc_qtaguid_ctrl
    proc_qtaguid_stat
    proc_slabinfo
    proc_version
    proc_vmallocinfo
    proc_vmstat
}:file r_file_perms;

# Network state files.
allow dumpstate net_data_file:dir search;
allow dumpstate net_data_file:file r_file_perms;

# Socket listing via ss: read-only sock_diag requests.
allow dumpstate self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };

# Read-only access to log and crash directories:
#   /data/tombstones, /cache/recovery, /data/misc/recovery,
#   /data/misc/update_engine_log, /data/misc/logd, /data/misc/prereboot
allow dumpstate {
    tombstone_data_file
    cache_recovery_file
    recovery_data_file
    update_engine_log_data_file
    misc_logd_file
    prereboot_data_file
}:dir r_dir_perms;
allow dumpstate {
    tombstone_data_file
    cache_recovery_file
    recovery_data_file
    update_engine_log_data_file
    misc_logd_file
    prereboot_data_file
}:file r_file_perms;

# /data/misc/profiles/{cur,ref}/ — userdebug and eng builds only.
userdebug_or_eng(`
    allow dumpstate { user_profile_root_file user_profile_data_file }:dir r_dir_perms;
    allow dumpstate user_profile_data_file:file r_file_perms;
')

# Directory listing only (no file access) for app FUSE mounts and overlayfs.
allow dumpstate { app_fuse_file overlayfs_file }:dir r_dir_perms;

# Service discovery. dumpstate may find every registered service except those
# listed; lookups of the excluded services are also silenced below so a
# bugreport run does not spam the audit log. default_android_service
# (unlabelled services) is excluded from the allow but deliberately not from
# the dontaudit, so such lookups still show up as denials.
allow dumpstate {
  service_manager_type
  -apex_service
  -dumpstate_service
  -gatekeeper_service
  -hal_service_type
  -virtual_touchpad_service
  -vold_service
  -default_android_service
}:service_manager find;
dontaudit dumpstate {
  apex_service
  dumpstate_service
  gatekeeper_service
  hal_service_type
  virtual_touchpad_service
  vold_service
}:service_manager find;

# hwservice lookups are mostly neverallowed; just keep them quiet.
dontaudit dumpstate hwservice_manager_type:hwservice_manager find;

# Enumerate registered services on both managers.
allow dumpstate servicemanager:service_manager list;
allow dumpstate hwservicemanager:hwservice_manager list;

# Read/write the pseudo-terminal (presumably for interactive runs — confirm).
allow dumpstate devpts:chr_file rw_file_perms;

# Every system property is readable. Anything held in a property can therefore
# end up in a bugreport, so properties must not carry secrets.
get_prop(dumpstate, property_type)

# Additional /proc files.
allow dumpstate { proc_interrupts proc_zoneinfo }:file r_file_perms;

# stat() /data/media. Remove once sdcardfs alters the secontext of its
# accesses to the underlying filesystem.
allow dumpstate media_rw_data_file:dir getattr;

# Register dumpstate_service so system_server can call back.
add_service(dumpstate, dumpstate_service)

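# /dev/ion for screen capture (read-only).
allow dumpstate ion_device:chr_file r_file_perms;

# /proc files needed by top and ps: /proc/stat, PSI pressure files, pid_max.
allow dumpstate {
    proc_stat
    proc_pressure_cpu
    proc_pressure_mem
    proc_pressure_io
    proc_pid_max
}:file r_file_perms;

# Binder calls to installd and iorapd. Macro invocations carry no trailing
# ';' anywhere else in this file.
binder_call(dumpstate, { installd iorapd })

# `ip xfrm policy`: read-only netlink_xfrm requests.
allow dumpstate self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read };

# iotop: netlink_socket on older kernels, netlink_generic_socket on newer
# ones (e.g. 4.4), which introduced the separate class.
allow dumpstate self:netlink_socket create_socket_perms_no_ioctl;
allow dumpstate self:netlink_generic_socket create_socket_perms_no_ioctl;

# ss: getattr on every domain's sockets and on the pdx socket types.
allow dumpstate { domain pdx_channel_socket_type pdx_endpoint_socket_type }:socket_class_set getattr;

# List the linkerconfig directory (read + open only).
allow dumpstate linkerconfig_file:dir { read open };
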
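# Silence the expected denials when df walks mount points dumpstate has no
# business inside.
dontaudit dumpstate {
    mnt_vendor_file
    mirror_data_file
    mnt_user_file
    mnt_product_file
}:dir search;
dontaudit dumpstate {
    apex_mnt_dir
    linkerconfig_file
    mirror_data_file
    mnt_user_file
}:dir getattr;

# Binder calls to bufferhubd and mediaswcodec. Macro invocations carry no
# trailing ';' anywhere else in this file.
binder_call(dumpstate, { bufferhubd mediaswcodec })

# Stable AIDL HAL servers dumpstate talks to directly. Besides the binder
# call, each server must be able to use the fd dumpstate passes it and write
# to that fifo (presumably the dump() output pipe — confirm against dumpstate).
binder_call(dumpstate, {
    hal_authsecret_server
    hal_keymint_server
    hal_memtrack_server
    hal_oemlock_server
    hal_rebootescrow_server
    hal_weaver_server
})
allow {
    hal_authsecret_server
    hal_keymint_server
    hal_memtrack_server
    hal_oemlock_server
    hal_rebootescrow_server
    hal_weaver_server
} dumpstate:fifo_file write;
allow {
    hal_authsecret_server
    hal_keymint_server
    hal_memtrack_server
    hal_oemlock_server
    hal_rebootescrow_server
    hal_weaver_server
} dumpstate:fd use;

# /data/misc/snapshotctl_log and /dev/binderfs/binder_logs, read-only.
allow dumpstate { snapshotctl_log_data_file binderfs_logs }:dir r_dir_perms;
allow dumpstate { snapshotctl_log_data_file binderfs_logs binderfs_logs_proc }:file r_file_perms;

# stat() the apex info file.
allow dumpstate apex_info_file:file getattr;
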
###
### neverallow rules
###

# dumpstate holds CAP_SYS_PTRACE solely to read sensitive /proc/<pid> files.
# Fail the policy build if any rule anywhere lets it ptrace-attach to anything.
neverallow dumpstate *:process ptrace;

# Only system_server, shell, traceur_app and dumpstate itself may look up
# dumpstate_service; any other domain gaining `find` fails the policy build.
neverallow {
  domain
  -dumpstate
  -shell
  -system_server
  -traceur_app
} dumpstate_service:service_manager find;