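# dumpstate
#
# Domain for the bugreport collector. dumpstate is deliberately broad: it reads
# every domain's /proc entries, sysfs, most service_manager services and every
# system property, and holds several capabilities (dac_override, sys_ptrace,
# net_admin, ...). The neverallow rules at the bottom of this file are the
# hard limits on that reach; keep them in mind when adding rules here.
type dumpstate, domain, mlstrustedsubject;
type dumpstate_exec, system_file_type, exec_type, file_type;

net_domain(dumpstate)
binder_use(dumpstate)
wakelock_use(dumpstate)

# Allow setting process priority, protect from OOM killer, and dropping
# privileges by switching UID / GID
allow dumpstate self:global_capability_class_set { setuid setgid sys_resource };

# Allow dumpstate to scan through /proc/pid for all processes
r_dir_file(dumpstate, domain)

allow dumpstate self:global_capability_class_set {
  # Send signals to processes
  kill
  # Run iptables
  net_raw
  net_admin
};

# Allow executing files on system, such as:
# /system/bin/toolbox
# /system/bin/logcat
# /system/bin/dumpsys
allow dumpstate system_file:file execute_no_trans;
not_full_treble(`allow dumpstate vendor_file:file execute_no_trans;')
allow dumpstate toolbox_exec:file rx_file_perms;

# hidl searches for files in /system/lib(64)/hw/
allow dumpstate system_file:dir r_dir_perms;

# Create and write into /data/anr/
# dac_override / dac_read_search bypass the DAC (mode bit) checks only; the
# SELinux rules in this file are still the effective bound on what dumpstate
# can read or write.
allow dumpstate self:global_capability_class_set { dac_override dac_read_search chown fowner fsetid };
allow dumpstate anr_data_file:dir rw_dir_perms;
allow dumpstate anr_data_file:file create_file_perms;

# Allow reading /data/system/uiderrors.txt
# TODO: scope this down. (Currently grants read on every system_data_file,
# not just uiderrors.txt.)
allow dumpstate system_data_file:file r_file_perms;

# Allow dumpstate to append into apps' private files.
allow dumpstate { privapp_data_file app_data_file }:file append;

# Read dmesg
allow dumpstate self:global_capability2_class_set syslog;
allow dumpstate kernel:system syslog_read;

# Read /sys/fs/pstore/console-ramoops
allow dumpstate pstorefs:dir r_dir_perms;
allow dumpstate pstorefs:file r_file_perms;

# Get process attributes
allow dumpstate domain:process getattr;

# Signal java processes to dump their stack
allow dumpstate { appdomain system_server zygote }:process signal;

# Signal native processes to dump their stack.
# Keep both lists in sync with dumputils/dump_utils.c; a process missing here
# simply will not be signalled and its stack will be absent from the report.
allow dumpstate {
  # This list comes from native_processes_to_dump in dumputils/dump_utils.c
  audioserver
  cameraserver
  drmserver
  inputflinger
  mediadrmserver
  mediaextractor
  mediametrics
  mediaserver
  mediaswcodec
  sdcardd
  surfaceflinger
  vold

  # This list comes from hal_interfaces_to_dump in dumputils/dump_utils.c
  hal_audio_server
  hal_audiocontrol_server
  hal_bluetooth_server
  hal_camera_server
  hal_codec2_server
  hal_drm_server
  hal_evs_server
  hal_face_server
  hal_fingerprint_server
  hal_graphics_allocator_server
  hal_graphics_composer_server
  hal_health_server
  hal_input_processor_server
  hal_neuralnetworks_server
  hal_omx_server
  hal_power_server
  hal_power_stats_server
  hal_sensors_server
  hal_thermal_server
  hal_vehicle_server
  hal_vr_server
  system_suspend_server
}:process signal;

# Connect to tombstoned to intercept dumps.
unix_socket_connect(dumpstate, tombstoned_intercept, tombstoned)

# Access to /sys
allow dumpstate sysfs_type:dir r_dir_perms;

allow dumpstate {
  sysfs_devices_block
  sysfs_dm
  sysfs_loop
  sysfs_usb
  sysfs_zram
}:file r_file_perms;

# Other random bits of data we want to collect
# Only granted where debugfs access is not restricted; the auditallow keeps the
# granted debugfs reads visible in the audit log so they can be tracked.
no_debugfs_restriction(`
  allow dumpstate debugfs:file r_file_perms;
  auditallow dumpstate debugfs:file r_file_perms;

  allow dumpstate debugfs_mmc:file r_file_perms;
')

# Metadata (search/getattr, no read) on the mount points dumpstate stats when
# it runs df.
allow dumpstate {
  block_device
  cache_file
  metadata_file
  rootfs
  selinuxfs
  storage_file
  tmpfs
}:dir { search getattr };
allow dumpstate fuse_device:chr_file getattr;
allow dumpstate { dm_device cache_block_device }:blk_file getattr;
allow dumpstate { cache_file rootfs }:lnk_file { getattr read };

# Read /dev/cpuctl and /dev/cpuset
r_dir_file(dumpstate, cgroup)
r_dir_file(dumpstate, cgroup_v2)

# Allow dumpstate to make binder calls to any binder service
binder_call(dumpstate, binderservicedomain)
binder_call(dumpstate, { appdomain netd wificond })

# Allow dumpstate to call dump() on specific hals.
dump_hal(hal_dumpstate)
dump_hal(hal_wifi)
dump_hal(hal_graphics_allocator)
dump_hal(hal_input_processor)
dump_hal(hal_light)
dump_hal(hal_neuralnetworks)
dump_hal(hal_nfc)
dump_hal(hal_thermal)
dump_hal(hal_power)
dump_hal(hal_power_stats)
dump_hal(hal_identity)
dump_hal(hal_face)
dump_hal(hal_fingerprint)
dump_hal(hal_gnss)
dump_hal(hal_contexthub)
dump_hal(hal_drm)

# Vibrate the device after we are done collecting the bugreport
hal_client_domain(dumpstate, hal_vibrator)

# Reading /proc/PID/maps of other processes.
# The capability is granted only for that /proc access; the neverallow at the
# end of this file forbids process:ptrace, so attach is not possible.
allow dumpstate self:global_capability_class_set sys_ptrace;

# Allow the bugreport service to create a file in
# /data/data/com.android.shell/files/bugreports/bugreport
allow dumpstate shell_data_file:dir create_dir_perms;
allow dumpstate shell_data_file:file create_file_perms;

# Run a shell.
allow dumpstate shell_exec:file rx_file_perms;

# For running am and similar framework commands.
# Run /system/bin/app_process.
allow dumpstate zygote_exec:file rx_file_perms;

# For Bluetooth
allow dumpstate bluetooth_data_file:dir search;
allow dumpstate bluetooth_logs_data_file:dir r_dir_perms;
allow dumpstate bluetooth_logs_data_file:file r_file_perms;

# For Nfc
allow dumpstate nfc_logs_data_file:dir r_dir_perms;
allow dumpstate nfc_logs_data_file:file r_file_perms;

# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
allow dumpstate gpu_device:chr_file rw_file_perms;
allow dumpstate gpu_device:dir r_dir_perms;

# logd access
read_logd(dumpstate)
control_logd(dumpstate)
read_runtime_log_tags(dumpstate)

# Read files in /proc
allow dumpstate {
  proc_buddyinfo
  proc_cmdline
  proc_meminfo
  proc_modules
  proc_net_type
  proc_pipe_conf
  proc_pagetypeinfo
  proc_qtaguid_ctrl
  proc_qtaguid_stat
  proc_slabinfo
  proc_version
  proc_vmallocinfo
  proc_vmstat
}:file r_file_perms;

# Read network state info files.
allow dumpstate net_data_file:dir search;
allow dumpstate net_data_file:file r_file_perms;

# List sockets via ss.
allow dumpstate self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };

# Access /data/tombstones.
allow dumpstate tombstone_data_file:dir r_dir_perms;
allow dumpstate tombstone_data_file:file r_file_perms;

# Access /cache/recovery
allow dumpstate cache_recovery_file:dir r_dir_perms;
allow dumpstate cache_recovery_file:file r_file_perms;

# Access /data/misc/recovery
allow dumpstate recovery_data_file:dir r_dir_perms;
allow dumpstate recovery_data_file:file r_file_perms;

# Access /data/misc/update_engine_log
allow dumpstate update_engine_log_data_file:dir r_dir_perms;
allow dumpstate update_engine_log_data_file:file r_file_perms;

# Access /data/misc/profiles/{cur,ref}/
# userdebug/eng builds only; user builds get no access to profile data.
userdebug_or_eng(`
  allow dumpstate { user_profile_root_file user_profile_data_file }:dir r_dir_perms;
  allow dumpstate user_profile_data_file:file r_file_perms;
')

# Access /data/misc/logd
allow dumpstate misc_logd_file:dir r_dir_perms;
allow dumpstate misc_logd_file:file r_file_perms;

# Access /data/misc/prereboot
allow dumpstate prereboot_data_file:dir r_dir_perms;
allow dumpstate prereboot_data_file:file r_file_perms;

allow dumpstate app_fuse_file:dir r_dir_perms;
allow dumpstate overlayfs_file:dir r_dir_perms;

# Find every service_manager service except the excluded set below.
allow dumpstate {
  service_manager_type
  -apex_service
  -dumpstate_service
  -gatekeeper_service
  -hal_service_type
  -virtual_touchpad_service
  -vold_service
  -default_android_service
}:service_manager find;
# suppress denials for services dumpstate should not be accessing.
# This list mirrors the exclusions above except default_android_service, so a
# find on that one is still denied *and* logged.
dontaudit dumpstate {
  apex_service
  dumpstate_service
  gatekeeper_service
  hal_service_type
  virtual_touchpad_service
  vold_service
}:service_manager find;

# Most of these are neverallowed.
dontaudit dumpstate hwservice_manager_type:hwservice_manager find;

allow dumpstate servicemanager:service_manager list;
allow dumpstate hwservicemanager:hwservice_manager list;

allow dumpstate devpts:chr_file rw_file_perms;

# Read any system properties
get_prop(dumpstate, property_type)

# Access to /data/media.
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
allow dumpstate media_rw_data_file:dir getattr;
allow dumpstate proc_interrupts:file r_file_perms;
allow dumpstate proc_zoneinfo:file r_file_perms;

# Create a service for talking back to system_server
add_service(dumpstate, dumpstate_service)

# use /dev/ion for screen capture
allow dumpstate ion_device:chr_file r_file_perms;

# Allow dumpstate to run top
allow dumpstate proc_stat:file r_file_perms;

allow dumpstate proc_pressure_cpu:file r_file_perms;
allow dumpstate proc_pressure_mem:file r_file_perms;
allow dumpstate proc_pressure_io:file r_file_perms;

# Allow dumpstate to run ps
allow dumpstate proc_pid_max:file r_file_perms;

# Allow dumpstate to talk to installd over binder
binder_call(dumpstate, installd)

# Allow dumpstate to talk to iorapd over binder.
binder_call(dumpstate, iorapd)

# Allow dumpstate to run ip xfrm policy
allow dumpstate self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read };

# Allow dumpstate to run iotop
allow dumpstate self:netlink_socket create_socket_perms_no_ioctl;
# newer kernels (e.g. 4.4) have a new class for sockets
allow dumpstate self:netlink_generic_socket create_socket_perms_no_ioctl;

# Allow dumpstate to run ss
allow dumpstate { domain pdx_channel_socket_type pdx_endpoint_socket_type }:socket_class_set getattr;

# Allow dumpstate to read linkerconfig directory
allow dumpstate linkerconfig_file:dir { read open };

# For when dumpstate runs df: silence the denials on mount points it is not
# meant to stat, rather than granting them.
dontaudit dumpstate {
  mnt_vendor_file
  mirror_data_file
  mnt_user_file
  mnt_product_file
}:dir search;
dontaudit dumpstate {
  apex_mnt_dir
  linkerconfig_file
  mirror_data_file
  mnt_user_file
}:dir getattr;

# Allow dumpstate to talk to bufferhubd over binder
binder_call(dumpstate, bufferhubd)

# Allow dumpstate to talk to mediaswcodec over binder
binder_call(dumpstate, mediaswcodec)

# Allow dumpstate to talk to these stable AIDL services over binder.
# The reverse rules let each server write to a fifo owned by dumpstate and use
# a dumpstate fd (presumably the pipe dumpstate hands it for dump output).
binder_call(dumpstate, hal_rebootescrow_server)
allow hal_rebootescrow_server dumpstate:fifo_file write;
allow hal_rebootescrow_server dumpstate:fd use;

binder_call(dumpstate, hal_authsecret_server)
allow hal_authsecret_server dumpstate:fifo_file write;
allow hal_authsecret_server dumpstate:fd use;

binder_call(dumpstate, hal_keymint_server)
allow hal_keymint_server dumpstate:fifo_file write;
allow hal_keymint_server dumpstate:fd use;

binder_call(dumpstate, hal_memtrack_server)
allow hal_memtrack_server dumpstate:fifo_file write;
allow hal_memtrack_server dumpstate:fd use;

binder_call(dumpstate, hal_oemlock_server)
allow hal_oemlock_server dumpstate:fifo_file write;
allow hal_oemlock_server dumpstate:fd use;

binder_call(dumpstate, hal_weaver_server)
allow hal_weaver_server dumpstate:fifo_file write;
allow hal_weaver_server dumpstate:fd use;

# Access /data/misc/snapshotctl_log
allow dumpstate snapshotctl_log_data_file:dir r_dir_perms;
allow dumpstate snapshotctl_log_data_file:file r_file_perms;

# Allow access to /dev/binderfs/binder_logs
allow dumpstate binderfs_logs:dir r_dir_perms;
allow dumpstate binderfs_logs:file r_file_perms;
allow dumpstate binderfs_logs_proc:file r_file_perms;

allow dumpstate apex_info_file:file getattr;

###
### neverallow rules
###

# dumpstate has capability sys_ptrace, but should only use that capability for
# accessing sensitive /proc/PID files, never for using ptrace attach.
neverallow dumpstate *:process ptrace;

# only system_server, dumpstate, traceur_app and shell can find the dumpstate service
neverallow {
  domain
  -system_server
  -shell
  -traceur_app
  -dumpstate
} dumpstate_service:service_manager find;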