# dumpstate
# Domain for the bugreport collector. Rules are grouped by the data source
# each one serves; the neverallow assertions sit at the end of the file.
# mlstrustedsubject exempts the domain from MLS constraints.
type dumpstate, domain, mlstrustedsubject;
type dumpstate_exec, system_file_type, exec_type, file_type;

net_domain(dumpstate)
binder_use(dumpstate)
wakelock_use(dumpstate)

# Allow setting process priority, protect from OOM killer, and dropping
# privileges by switching UID / GID
allow dumpstate self:global_capability_class_set { setuid setgid sys_resource };

# Allow dumpstate to scan through /proc/pid for all processes
r_dir_file(dumpstate, domain)

allow dumpstate self:global_capability_class_set {
    # Send signals to processes
    kill
    # Run iptables
    net_raw
    net_admin
};

# Allow executing files on system, such as:
# /system/bin/toolbox
# /system/bin/logcat
# /system/bin/dumpsys
# execute_no_trans: the helper keeps running in the dumpstate domain instead
# of transitioning, so it inherits every permission granted in this file.
allow dumpstate system_file:file execute_no_trans;
not_full_treble(`allow dumpstate vendor_file:file execute_no_trans;')
allow dumpstate toolbox_exec:file rx_file_perms;

# hidl searches for files in /system/lib(64)/hw/
allow dumpstate system_file:dir r_dir_perms;

# Create and write into /data/anr/
# These capabilities bypass DAC (owner/group/mode) checks. The kernel does not
# scope them to /data/anr/; they apply to any object the type rules in this
# file already let dumpstate reach, so keep those type rules tight.
allow dumpstate self:global_capability_class_set { dac_override dac_read_search chown fowner fsetid };
allow dumpstate anr_data_file:dir rw_dir_perms;
allow dumpstate anr_data_file:file create_file_perms;

# Allow reading /data/system/uiderrors.txt
# TODO: scope this down. system_data_file labels far more than this one file.
allow dumpstate system_data_file:file r_file_perms;

# Allow dumpstate to append into apps' private files.
# append only: this rule lets existing app data be neither read nor overwritten.
allow dumpstate { privapp_data_file app_data_file }:file append;

# Read dmesg
allow dumpstate self:global_capability2_class_set syslog;
allow dumpstate kernel:system syslog_read;

# Read /sys/fs/pstore/console-ramoops
allow dumpstate pstorefs:dir r_dir_perms;
allow dumpstate pstorefs:file r_file_perms;

# Get process attributes
allow dumpstate domain:process getattr;

# Signal java processes to dump their stack
allow dumpstate { appdomain system_server zygote app_zygote }:process signal;

# Signal native processes to dump their stack.
# Keep both lists in sync with the C source they are copied from.
allow dumpstate {
    # This list comes from native_processes_to_dump in dumputils/dump_utils.c
    audioserver
    cameraserver
    drmserver
    inputflinger
    mediadrmserver
    mediaextractor
    mediametrics
    mediaserver
    mediaswcodec
    sdcardd
    surfaceflinger
    vold

    # This list comes from hal_interfaces_to_dump in dumputils/dump_utils.c
    evsmanagerd
    hal_audio_server
    hal_audiocontrol_server
    hal_bluetooth_server
    hal_broadcastradio_server
    hal_camera_server
    hal_codec2_server
    hal_drm_server
    hal_evs_server
    hal_face_server
    hal_fingerprint_server
    hal_graphics_allocator_server
    hal_graphics_composer_server
    hal_health_server
    hal_input_processor_server
    hal_neuralnetworks_server
    hal_omx_server
    hal_power_server
    hal_power_stats_server
    hal_sensors_server
    hal_thermal_server
    hal_vehicle_server
    hal_vr_server
    system_suspend_server
}:process signal;

# Connect to tombstoned to intercept dumps.
unix_socket_connect(dumpstate, tombstoned_intercept, tombstoned)

# Access to /sys
allow dumpstate sysfs_type:dir r_dir_perms;

allow dumpstate {
    sysfs_devices_block
    sysfs_dm
    sysfs_loop
    sysfs_usb
    sysfs_zram
}:file r_file_perms;

# Ignore other file access under /sys.
# dontaudit grants nothing; it only keeps the denial out of the audit log.
dontaudit dumpstate sysfs:file r_file_perms;

# Other random bits of data we want to collect
# auditallow logs each granted debugfs read so the dependency stays visible.
no_debugfs_restriction(`
  allow dumpstate debugfs:file r_file_perms;
  auditallow dumpstate debugfs:file r_file_perms;

  allow dumpstate debugfs_mmc:file r_file_perms;
')

# Mount points and devices that df needs to traverse and stat
allow dumpstate {
    block_device
    cache_file
    metadata_file
    rootfs
    selinuxfs
    storage_file
    tmpfs
}:dir { search getattr };
allow dumpstate fuse_device:chr_file getattr;
allow dumpstate { dm_device cache_block_device }:blk_file getattr;
allow dumpstate { cache_file rootfs }:lnk_file { getattr read };

# Read /dev/cpuctl and /dev/cpuset
r_dir_file(dumpstate, cgroup)
r_dir_file(dumpstate, cgroup_v2)

# Allow dumpstate to make binder calls to any binder service
binder_call(dumpstate, binderservicedomain)
binder_call(dumpstate, { appdomain artd netd wificond })

# Allow dumpstate to call dump() on specific hals.
dump_hal(hal_audio)
dump_hal(hal_audiocontrol)
dump_hal(hal_authgraph)
dump_hal(hal_authsecret)
dump_hal(hal_bluetooth)
dump_hal(hal_broadcastradio)
dump_hal(hal_camera)
dump_hal(hal_codec2)
dump_hal(hal_contexthub)
dump_hal(hal_drm)
dump_hal(hal_dumpstate)
dump_hal(hal_evs)
dump_hal(hal_face)
dump_hal(hal_fingerprint)
dump_hal(hal_gnss)
dump_hal(hal_graphics_allocator)
dump_hal(hal_graphics_composer)
dump_hal(hal_health)
dump_hal(hal_identity)
dump_hal(hal_input_processor)
dump_hal(hal_keymint)
dump_hal(hal_light)
dump_hal(hal_memtrack)
dump_hal(hal_neuralnetworks)
dump_hal(hal_nfc)
dump_hal(hal_oemlock)
dump_hal(hal_power)
dump_hal(hal_power_stats)
dump_hal(hal_rebootescrow)
dump_hal(hal_secretkeeper)
dump_hal(hal_sensors)
dump_hal(hal_thermal)
dump_hal(hal_vehicle)
dump_hal(hal_weaver)
dump_hal(hal_wifi)

# Vibrate the device after we are done collecting the bugreport
hal_client_domain(dumpstate, hal_vibrator)

# Reading /proc/PID/maps of other processes
# The kernel gates these /proc files on CAP_SYS_PTRACE; ptrace attach itself
# is neverallowed at the end of this file.
allow dumpstate self:global_capability_class_set sys_ptrace;

# Allow the bugreport service to create a file in
# /data/data/com.android.shell/files/bugreports/bugreport
allow dumpstate shell_data_file:dir create_dir_perms;
allow dumpstate shell_data_file:file create_file_perms;

# Run a shell.
allow dumpstate shell_exec:file rx_file_perms;

# For running am and similar framework commands.
# Run /system/bin/app_process.
allow dumpstate zygote_exec:file rx_file_perms;

# For Bluetooth
allow dumpstate bluetooth_data_file:dir search;
allow dumpstate bluetooth_logs_data_file:dir r_dir_perms;
allow dumpstate bluetooth_logs_data_file:file r_file_perms;

# For Nfc
allow dumpstate nfc_logs_data_file:dir r_dir_perms;
allow dumpstate nfc_logs_data_file:file r_file_perms;

# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
allow dumpstate gpu_device:chr_file rw_file_perms;
allow dumpstate gpu_device:dir r_dir_perms;

# logd access
read_logd(dumpstate)
control_logd(dumpstate)
read_runtime_log_tags(dumpstate)

# Read files in /proc
allow dumpstate {
    proc_bootconfig
    proc_buddyinfo
    proc_cmdline
    proc_meminfo
    proc_modules
    proc_net_type
    proc_pipe_conf
    proc_pagetypeinfo
    proc_qtaguid_ctrl
    proc_qtaguid_stat
    proc_slabinfo
    proc_version
    proc_vmallocinfo
    proc_vmstat
}:file r_file_perms;

# Read network state info files.
allow dumpstate net_data_file:dir search;
allow dumpstate net_data_file:file r_file_perms;

# List sockets via ss.
allow dumpstate self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };

# Access /data/tombstones.
allow dumpstate tombstone_data_file:dir r_dir_perms;
allow dumpstate tombstone_data_file:file r_file_perms;

# Access /cache/recovery
allow dumpstate cache_recovery_file:dir r_dir_perms;
allow dumpstate cache_recovery_file:file r_file_perms;

# Access /data/misc/recovery
allow dumpstate recovery_data_file:dir r_dir_perms;
allow dumpstate recovery_data_file:file r_file_perms;

# Access /data/misc/update_engine & /data/misc/update_engine_log
allow dumpstate { update_engine_data_file update_engine_log_data_file }:dir r_dir_perms;
allow dumpstate { update_engine_data_file update_engine_log_data_file }:file r_file_perms;
# Access /data/misc/snapuserd_log
allow dumpstate snapuserd_log_data_file:dir r_dir_perms;
allow dumpstate snapuserd_log_data_file:file r_file_perms;

# Access /data/misc/profiles/{cur,ref}/
# Only compiled into userdebug and eng builds; absent on user builds.
userdebug_or_eng(`
  allow dumpstate { user_profile_root_file user_profile_data_file}:dir r_dir_perms;
  allow dumpstate user_profile_data_file:file r_file_perms;
')

# Access /data/misc/logd
allow dumpstate misc_logd_file:dir r_dir_perms;
allow dumpstate misc_logd_file:file r_file_perms;

# Access /data/misc/prereboot
allow dumpstate prereboot_data_file:dir r_dir_perms;
allow dumpstate prereboot_data_file:file r_file_perms;

allow dumpstate app_fuse_file:dir r_dir_perms;
allow dumpstate overlayfs_file:dir r_dir_perms;

# Find every registered service except the ones excluded below.
allow dumpstate {
    service_manager_type
    -apex_service
    -dumpstate_service
    -gatekeeper_service
    -hal_service_type
    -virtual_touchpad_service
    -vold_service
    -default_android_service
}:service_manager find;
# suppress denials for services dumpstate should not be accessing.
# This list matches the exclusions above except default_android_service, so a
# find on that type is still denied and still logged.
dontaudit dumpstate {
    apex_service
    dumpstate_service
    gatekeeper_service
    hal_service_type
    virtual_touchpad_service
    vold_service
}:service_manager find;

# Most of these are neverallowed.
dontaudit dumpstate hwservice_manager_type:hwservice_manager find;

allow dumpstate servicemanager:service_manager list;
allow dumpstate hwservicemanager:hwservice_manager list;

allow dumpstate devpts:chr_file rw_file_perms;

# Read any system properties
get_prop(dumpstate, property_type)

# Access to /data/media.
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
allow dumpstate media_rw_data_file:dir getattr;
allow dumpstate proc_interrupts:file r_file_perms;
allow dumpstate proc_zoneinfo:file r_file_perms;

# Create a service for talking back to system_server
add_service(dumpstate, dumpstate_service)

# use /dev/ion for screen capture
allow dumpstate ion_device:chr_file r_file_perms;

# Allow dumpstate to run top
allow dumpstate proc_stat:file r_file_perms;

allow dumpstate proc_pressure_cpu:file r_file_perms;
allow dumpstate proc_pressure_mem:file r_file_perms;
allow dumpstate proc_pressure_io:file r_file_perms;

# Allow dumpstate to run ps
allow dumpstate proc_pid_max:file r_file_perms;

# Allow dumpstate to talk to installd over binder
binder_call(dumpstate, installd);

# Allow dumpstate to run ip xfrm policy
allow dumpstate self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read };

# Allow dumpstate to run iotop
allow dumpstate self:netlink_socket create_socket_perms_no_ioctl;
# newer kernels (e.g. 4.4) have a new class for sockets
allow dumpstate self:netlink_generic_socket create_socket_perms_no_ioctl;

# Allow dumpstate to run ss
allow dumpstate { domain pdx_channel_socket_type pdx_endpoint_socket_type }:socket_class_set getattr;

# Allow dumpstate to read linkerconfig directory
allow dumpstate linkerconfig_file:dir { read open };

# For when dumpstate runs df
dontaudit dumpstate {
    mnt_vendor_file
    mirror_data_file
    mnt_user_file
    mnt_product_file
}:dir search;
dontaudit dumpstate {
    apex_mnt_dir
    linkerconfig_file
    mirror_data_file
    mnt_user_file
}:dir getattr;

# Allow dumpstate to talk to bufferhubd over binder
binder_call(dumpstate, bufferhubd);

# Allow dumpstate to talk to mediaswcodec over binder
binder_call(dumpstate, mediaswcodec);

# Access /data/misc/snapshotctl_log
allow dumpstate snapshotctl_log_data_file:dir r_dir_perms;
allow dumpstate snapshotctl_log_data_file:file r_file_perms;

# Allow access to /dev/binderfs/binder_logs
allow dumpstate binderfs_logs:dir r_dir_perms;
allow dumpstate binderfs_logs:file r_file_perms;
allow dumpstate binderfs_logs_proc:file r_file_perms;
allow dumpstate binderfs_logs_stats:file r_file_perms;

use_apex_info(dumpstate)

# Allow reading files under /data/system/shutdown-checkpoints/
allow dumpstate shutdown_checkpoints_system_data_file:dir r_dir_perms;
allow dumpstate shutdown_checkpoints_system_data_file:file r_file_perms;

###
### neverallow rules
###
### These are compile-time assertions over the whole policy, not runtime
### checks: any rule elsewhere that contradicts one fails the policy build.
###

# dumpstate has capability sys_ptrace, but should only use that capability for
# accessing sensitive /proc/PID files, never for using ptrace attach.
neverallow dumpstate *:process ptrace;

# only system_server, dumpstate, traceur_app and shell can find the dumpstate service
neverallow {
    domain
    -system_server
    -shell
    -traceur_app
    -dumpstate
} dumpstate_service:service_manager find;