1typeattribute crash_dump coredomain; 2 3# Crash dump does not need to access devices passed across exec(). 4dontaudit crash_dump { devpts dev_type }:chr_file { read write }; 5 6allow crash_dump { 7 domain 8 -apexd 9 -bpfloader 10 -crash_dump 11 -init 12 -kernel 13 -keystore 14 -llkd 15 -logd 16 -ueventd 17 -vendor_init 18 -vold 19}:process { ptrace signal sigchld sigstop sigkill }; 20 21userdebug_or_eng(` 22 allow crash_dump { 23 apexd 24 keystore 25 llkd 26 logd 27 vold 28 }:process { ptrace signal sigchld sigstop sigkill }; 29') 30 31# Read ART APEX data directory 32allow crash_dump apex_art_data_file:dir { getattr search }; 33allow crash_dump apex_art_data_file:file r_file_perms; 34 35# Allow crash dump to read bootstrap libraries 36allow crash_dump system_bootstrap_lib_file:dir { getattr search }; 37allow crash_dump system_bootstrap_lib_file:file r_file_perms; 38 39# Read Vendor APEX directories 40allow crash_dump vendor_apex_metadata_file:dir { getattr search }; 41 42### 43### neverallow assertions 44### 45 46# sigchld not explicitly forbidden since it's part of the 47# domain-transition-on-exec macros, and is by itself not sensitive 48neverallow crash_dump { 49 apexd 50 userdebug_or_eng(`-apexd') 51 bpfloader 52 init 53 kernel 54 keystore 55 userdebug_or_eng(`-keystore') 56 llkd 57 userdebug_or_eng(`-llkd') 58 logd 59 userdebug_or_eng(`-logd') 60 ueventd 61 vendor_init 62 vold 63 userdebug_or_eng(`-vold') 64}:process { ptrace signal sigstop sigkill }; 65 66neverallow crash_dump self:process ptrace; 67neverallow crash_dump gpu_device:chr_file *; 68