xref: /aosp_15_r20/system/sepolicy/private/crash_dump.te (revision e4a36f4174b17bbab9dc043f4a65dc8d87377290) 
1typeattribute crash_dump coredomain;
2
3# Crash dump does not need to access devices passed across exec().
4dontaudit crash_dump { devpts dev_type }:chr_file { read write };
5
6allow crash_dump {
7  domain
8  -apexd
9  -bpfloader
10  -crash_dump
11  -init
12  -kernel
13  -keystore
14  -llkd
15  -logd
16  -ueventd
17  -vendor_init
18  -vold
19}:process { ptrace signal sigchld sigstop sigkill };
20
21userdebug_or_eng(`
22  allow crash_dump { apexd llkd logd vold }:process { ptrace signal sigchld sigstop sigkill };
23')
24
25# Read ART APEX data directory
26allow crash_dump apex_art_data_file:dir { getattr search };
27allow crash_dump apex_art_data_file:file r_file_perms;
28
29# Allow crash dump to read bootstrap libraries
30allow crash_dump system_bootstrap_lib_file:dir { getattr search };
31allow crash_dump system_bootstrap_lib_file:file r_file_perms;
32
33# Read Vendor APEX directories
34allow crash_dump vendor_apex_metadata_file:dir { getattr search };
35
36# crash_dump might inherit CAP_SYS_PTRACE from a privileged process,
37# which will result in an audit log even when it's allowed to trace.
38dontaudit crash_dump self:global_capability_class_set { sys_ptrace };
39
40userdebug_or_eng(`
41  allow crash_dump logd:process { ptrace signal sigchld sigstop sigkill };
42
43  # Let crash_dump write to /dev/kmsg_debug crashes that happen before logd comes up.
44  allow crash_dump kmsg_debug_device:chr_file { open append };
45')
46
47# Use inherited file descriptors
48allow crash_dump domain:fd use;
49
50# Read/write IPC pipes inherited from crashing processes.
51allow crash_dump domain:fifo_file { read write };
52
53# Append to pipes given to us by processes requesting dumps (e.g. dumpstate)
54allow crash_dump domain:fifo_file { append };
55
56# Read information from /proc/$PID.
57allow crash_dump domain:process getattr;
58
59r_dir_file(crash_dump, domain)
60allow crash_dump exec_type:file r_file_perms;
61
62# Read /data/dalvik-cache.
63allow crash_dump dalvikcache_data_file:dir { search getattr };
64allow crash_dump dalvikcache_data_file:file r_file_perms;
65
66# Read APEX data directories.
67allow crash_dump apex_module_data_file:dir { getattr search };
68
69# Read uptime
70allow crash_dump proc_uptime:file r_file_perms;
71
72# Read APK files.
73r_dir_file(crash_dump, apk_data_file);
74
75# Read all /vendor
76r_dir_file(crash_dump, { vendor_file same_process_hal_file })
77
78# Read all /data/local/tests
79r_dir_file(crash_dump, shell_test_data_file)
80
81# Talk to tombstoned
82unix_socket_connect(crash_dump, tombstoned_crash, tombstoned)
83
84# Talk to ActivityManager.
85unix_socket_connect(crash_dump, system_ndebug, system_server)
86
87# Append to ANR files.
88allow crash_dump anr_data_file:file { append getattr };
89
90# Append to tombstone files.
91allow crash_dump tombstone_data_file:file { append getattr };
92
93# crash_dump writes out logcat logs at the bottom of tombstones,
94# which is super useful in some cases.
95unix_socket_connect(crash_dump, logdr, logd)
96
97# Crash dump is not intended to access the following files. Since these
98# are WAI, suppress the denials to clean up the logs.
99dontaudit crash_dump {
100  core_data_file_type
101  vendor_file_type
102}:dir search;
103# Crash dump might try to read files that are mapped into the crashed process's
104# memory space to extract useful binary information such as the ELF header. See
105# system/core/debuggerd/libdebuggerd/tombstone_proto.cpp:dump_mappings.
106# Ignore these accesses.
107dontaudit crash_dump {
108  app_data_file_type
109  property_type
110  system_data_file
111}:{ lnk_file file } { read open };
112
113get_prop(crash_dump, misctrl_prop)
114
115###
116### neverallow assertions
117###
118
119# A domain transition must occur for crash_dump to get the privileges needed to trace the process.
120# Do not allow the execution of crash_dump without a domain transition.
121neverallow domain crash_dump_exec:file execute_no_trans;
122
123# sigchld not explicitly forbidden since it's part of the
124# domain-transition-on-exec macros, and is by itself not sensitive
125neverallow crash_dump {
126  apexd
127  userdebug_or_eng(`-apexd')
128  bpfloader
129  init
130  kernel
131  keystore
132  llkd
133  userdebug_or_eng(`-llkd')
134  logd
135  userdebug_or_eng(`-logd')
136  ueventd
137  vendor_init
138  vold
139  userdebug_or_eng(`-vold')
140}:process { ptrace signal sigstop sigkill };
141
142neverallow crash_dump self:process ptrace;
143neverallow crash_dump gpu_device:chr_file *;
144