xref: /aosp_15_r20/system/sepolicy/private/dumpstate.te (revision e4a36f4174b17bbab9dc043f4a65dc8d87377290)

typeattribute dumpstate coredomain;
type dumpstate_tmpfs, file_type;

init_daemon_domain(dumpstate)

# Execute and transition to the vdc domain
domain_auto_trans(dumpstate, vdc_exec, vdc)

# Create tmpfs files for using memfd descriptors to get output from child
# processes.
tmpfs_domain(dumpstate)

# Acquire advisory lock on /system/etc/xtables.lock from ip[6]tables
allow dumpstate system_file:file lock;

allow dumpstate storaged_exec:file rx_file_perms;

# /data/misc/a11ytrace for accessibility traces
userdebug_or_eng(`
  allow dumpstate accessibility_trace_data_file:dir r_dir_perms;
  allow dumpstate accessibility_trace_data_file:file r_file_perms;
')

# /data/misc/wmtrace for wm traces
userdebug_or_eng(`
  allow dumpstate wm_trace_data_file:dir r_dir_perms;
  allow dumpstate wm_trace_data_file:file r_file_perms;
')

# /data/system/dropbox for dropbox entries
userdebug_or_eng(`
  allow dumpstate dropbox_data_file:dir r_dir_perms;
  allow dumpstate dropbox_data_file:file r_file_perms;
')

r_dir_file(dumpstate, aconfig_storage_metadata_file);

# Allow dumpstate to make binder calls to incidentd
binder_call(dumpstate, incidentd)

# Kill incident in case of a timeout
allow dumpstate incident:process { signal sigkill };

# Allow dumpstate to make binder calls to storaged service
binder_call(dumpstate, storaged)

# Allow dumpstate to make binder calls to statsd
binder_call(dumpstate, statsd)

# Allow dumpstate to talk to gpuservice over binder
binder_call(dumpstate, gpuservice);

# Allow dumpstate to talk to idmap over binder
binder_call(dumpstate, idmap);

# Allow dumpstate to talk to profcollectd over binder
userdebug_or_eng(`
  binder_call(dumpstate, profcollectd)
')

# Allow dumpstate to talk to automotive_display_service over binder
binder_call(dumpstate, automotive_display_service)

# Allow dumpstate to talk to virtual_camera service over binder
binder_call(dumpstate, virtual_camera)

# Allow dumpstate to talk to ot_daemon service over binder
binder_call(dumpstate, ot_daemon)

# Collect metrics on boot time created by init
get_prop(dumpstate, boottime_prop)

get_prop(dumpstate, misctrl_prop)

# Signal native processes to dump their stack.
allow dumpstate {
  mediatranscoding
  statsd
  netd
  virtual_camera
  ot_daemon
}:process signal;

# Only allow dumpstate to dump Keystore on debuggable builds.
userdebug_or_eng(`
  allow dumpstate keystore:process signal;
')
dontaudit dumpstate keystore:process { signal };

# For collecting bugreports.
no_debugfs_restriction(`
  allow dumpstate debugfs_wakeup_sources:file r_file_perms;
')

allow dumpstate dev_type:blk_file getattr;
allow dumpstate webview_zygote:process signal;
allow dumpstate sysfs_dmabuf_stats:file r_file_perms;
dontaudit dumpstate update_engine:binder call;

# Read files in /proc
allow dumpstate {
  config_gz
  proc_net_tcp_udp
  proc_pid_max
}:file r_file_perms;

# For comminucating with the system process to do confirmation ui.
binder_call(dumpstate, incidentcompanion_service)

# Set properties.
# dumpstate_prop is used to share state with the Shell app.
set_prop(dumpstate, dumpstate_prop)
set_prop(dumpstate, exported_dumpstate_prop)

# dumpstate_options_prop is used to pass extra command-line args.
set_prop(dumpstate, dumpstate_options_prop)

# Allow dumpstate to kill vendor dumpstate service by init
set_prop(dumpstate, ctl_dumpstate_prop)

# For dumping dynamic partition information.
set_prop(dumpstate, lpdumpd_prop)
binder_call(dumpstate, lpdumpd)

# For dumping hypervisor information.
get_prop(dumpstate, hypervisor_prop)

# For dumping device-mapper and snapshot information.
allow dumpstate gsid_exec:file rx_file_perms;
set_prop(dumpstate, ctl_gsid_prop)
binder_call(dumpstate, gsid)

#Allow access to /dev/binderfs/binder_logs
userdebug_or_eng(`
    allow dumpstate binderfs_logs_transactions:file r_file_perms;
')
dontaudit dumpstate binderfs_logs_transactions:file r_file_perms;
allow dumpstate binderfs_logs_transaction_history:file r_file_perms;

r_dir_file(dumpstate, ota_metadata_file)

# For starting (and killing) perfetto --save-for-bugreport. If a labelled trace
# is being recorded, the command above will serialize it into
# /data/misc/perfetto-traces/bugreport/*.pftrace .
domain_auto_trans(dumpstate, perfetto_exec, perfetto)
allow dumpstate perfetto:process signal;
allow dumpstate perfetto_traces_data_file:dir { search };
allow dumpstate perfetto_traces_bugreport_data_file:dir rw_dir_perms;
allow dumpstate perfetto_traces_bugreport_data_file:file { r_file_perms unlink };

# When exec-ing /system/bin/perfetto, dumpstates redirects stdio to /dev/null
# (which is labelled as dumpstate_tmpfs) to avoid leaking a FD to the bugreport
# zip file. These rules are to allow perfetto.te to inherit dumpstate's
# /dev/null.
allow perfetto dumpstate_tmpfs:file rw_file_perms;
allow perfetto dumpstate:fd use;

# system_dlkm_file for /system_dlkm partition
allow dumpstate system_dlkm_file:dir getattr;

# Allow dumpstate to execute derive_sdk in its own domain
domain_auto_trans(dumpstate, derive_sdk_exec, derive_sdk)

net_domain(dumpstate)
binder_use(dumpstate)
wakelock_use(dumpstate)

# Allow setting process priority, protect from OOM killer, and dropping
# privileges by switching UID / GID
allow dumpstate self:global_capability_class_set { setuid setgid sys_resource };

# Allow dumpstate to scan through /proc/pid for all processes
r_dir_file(dumpstate, domain)

allow dumpstate self:global_capability_class_set {
    # Send signals to processes
    kill
    # Run iptables
    net_raw
    net_admin
};

# Allow executing files on system, such as:
#   /system/bin/toolbox
#   /system/bin/logcat
#   /system/bin/dumpsys
allow dumpstate system_file:file execute_no_trans;
not_full_treble(`allow dumpstate vendor_file:file execute_no_trans;')
allow dumpstate toolbox_exec:file rx_file_perms;

# hidl searches for files in /system/lib(64)/hw/
allow dumpstate system_file:dir r_dir_perms;

# Create and write into /data/anr/
allow dumpstate self:global_capability_class_set { dac_override dac_read_search chown fowner fsetid };
allow dumpstate anr_data_file:dir rw_dir_perms;
allow dumpstate anr_data_file:file create_file_perms;

# Allow reading /data/system/uiderrors.txt
# TODO: scope this down.
allow dumpstate system_data_file:file r_file_perms;

# Allow dumpstate to append into apps' private files.
allow dumpstate app_data_file_type:file append;

# Read dmesg
allow dumpstate self:global_capability2_class_set syslog;
allow dumpstate kernel:system syslog_read;

# Read /sys/fs/pstore/console-ramoops
allow dumpstate pstorefs:dir r_dir_perms;
allow dumpstate pstorefs:file r_file_perms;

# Get process attributes
allow dumpstate domain:process getattr;

# Signal java processes to dump their stack
allow dumpstate { appdomain system_server zygote app_zygote }:process signal;

# Signal native processes to dump their stack.
allow dumpstate {
  # This list comes from native_processes_to_dump in dumputils/dump_utils.c
  audioserver
  cameraserver
  drmserver
  inputflinger
  mediadrmserver
  mediaextractor
  mediametrics
  mediaserver
  mediaswcodec
  sdcardd
  surfaceflinger
  vold

  # This list comes from hal_interfaces_to_dump in dumputils/dump_utils.c
  evsmanagerd
  hal_audio_server
  hal_audiocontrol_server
  hal_bluetooth_server
  hal_broadcastradio_server
  hal_camera_server
  hal_codec2_server
  hal_drm_server
  hal_evs_server
  hal_face_server
  hal_fingerprint_server
  hal_graphics_allocator_server
  hal_graphics_composer_server
  hal_health_server
  hal_input_processor_server
  hal_neuralnetworks_server
  hal_omx_server
  hal_power_server
  hal_power_stats_server
  hal_sensors_server
  hal_thermal_server
  hal_vehicle_server
  hal_vr_server
  system_suspend_server
}:process signal;

# On userdebug, dumpstate may fork and execute a command as su. Make sure the
# timeout logic is allowed to terminate the child process if necessary.
userdebug_or_eng(`
  allow dumpstate su:process { signal sigkill };
')

# Connect to tombstoned to intercept dumps.
unix_socket_connect(dumpstate, tombstoned_intercept, tombstoned)

# Access to /sys
allow dumpstate sysfs_type:dir r_dir_perms;

allow dumpstate {
  sysfs_devices_block
  sysfs_dm
  sysfs_loop
  sysfs_usb
  sysfs_zram
}:file r_file_perms;

# Ignore other file access under /sys.
dontaudit dumpstate sysfs:file r_file_perms;

# Other random bits of data we want to collect
no_debugfs_restriction(`
  allow dumpstate debugfs:file r_file_perms;
  auditallow dumpstate debugfs:file r_file_perms;

  allow dumpstate debugfs_mmc:file r_file_perms;
')

# df for
allow dumpstate {
  block_device
  cache_file
  metadata_file
  rootfs
  selinuxfs
  storage_file
  tmpfs
}:dir { search getattr };
allow dumpstate fuse_device:chr_file getattr;
allow dumpstate { dm_device cache_block_device }:blk_file getattr;
allow dumpstate { cache_file rootfs }:lnk_file { getattr read };

# Read /dev/cpuctl and /dev/cpuset
r_dir_file(dumpstate, cgroup)
r_dir_file(dumpstate, cgroup_v2)

# Allow dumpstate to make binder calls to any binder service
binder_call(dumpstate, binderservicedomain)
binder_call(dumpstate, { appdomain artd netd wificond })

# Allow dumpstate to call dump() on specific hals.
dump_hal(hal_audio)
dump_hal(hal_audiocontrol)
dump_hal(hal_authgraph)
dump_hal(hal_authsecret)
dump_hal(hal_bluetooth)
dump_hal(hal_broadcastradio)
dump_hal(hal_camera)
dump_hal(hal_codec2)
dump_hal(hal_contexthub)
dump_hal(hal_drm)
dump_hal(hal_dumpstate)
dump_hal(hal_evs)
dump_hal(hal_face)
dump_hal(hal_fingerprint)
dump_hal(hal_gnss)
dump_hal(hal_graphics_allocator)
dump_hal(hal_graphics_composer)
dump_hal(hal_health)
dump_hal(hal_identity)
dump_hal(hal_input_processor)
dump_hal(hal_keymint)
dump_hal(hal_light)
dump_hal(hal_memtrack)
dump_hal(hal_neuralnetworks)
dump_hal(hal_nfc)
dump_hal(hal_oemlock)
dump_hal(hal_power)
dump_hal(hal_power_stats)
dump_hal(hal_rebootescrow)
dump_hal(hal_secretkeeper)
dump_hal(hal_sensors)
dump_hal(hal_thermal)
dump_hal(hal_vehicle)
dump_hal(hal_weaver)
dump_hal(hal_wifi)

# Vibrate the device after we are done collecting the bugreport
hal_client_domain(dumpstate, hal_vibrator)

# Reading /proc/PID/maps of other processes
allow dumpstate self:global_capability_class_set sys_ptrace;

# Allow the bugreport service to create a file in
# /data/data/com.android.shell/files/bugreports/bugreport
allow dumpstate shell_data_file:dir create_dir_perms;
allow dumpstate shell_data_file:file create_file_perms;

# Run a shell.
allow dumpstate shell_exec:file rx_file_perms;

# For running am and similar framework commands.
# Run /system/bin/app_process.
allow dumpstate zygote_exec:file rx_file_perms;

# For Bluetooth
allow dumpstate bluetooth_data_file:dir search;
allow dumpstate bluetooth_logs_data_file:dir r_dir_perms;
allow dumpstate bluetooth_logs_data_file:file r_file_perms;

# For Nfc
allow dumpstate nfc_logs_data_file:dir r_dir_perms;
allow dumpstate nfc_logs_data_file:file r_file_perms;

# For uwb
allow dumpstate apex_module_data_file:dir search;
allow dumpstate apex_system_server_data_file:dir search;
allow dumpstate apex_uwb_data_file:dir r_dir_perms;
allow dumpstate apex_uwb_data_file:file r_file_perms;

# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
allow dumpstate gpu_device:chr_file rw_file_perms;
allow dumpstate gpu_device:dir r_dir_perms;

# logd access
read_logd(dumpstate)
control_logd(dumpstate)
read_runtime_log_tags(dumpstate)

# Read files in /proc
allow dumpstate {
  proc_bootconfig
  proc_buddyinfo
  proc_cmdline
  proc_meminfo
  proc_modules
  proc_net_type
  proc_pipe_conf
  proc_pagetypeinfo
  proc_qtaguid_ctrl
  proc_qtaguid_stat
  proc_slabinfo
  proc_version
  proc_vmallocinfo
  proc_vmstat
}:file r_file_perms;

# Read network state info files.
allow dumpstate net_data_file:dir search;
allow dumpstate net_data_file:file r_file_perms;

# List sockets via ss.
allow dumpstate self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };

# Access /data/tombstones.
allow dumpstate tombstone_data_file:dir r_dir_perms;
allow dumpstate tombstone_data_file:file r_file_perms;

# Access /cache/recovery
allow dumpstate cache_recovery_file:dir r_dir_perms;
allow dumpstate cache_recovery_file:file r_file_perms;

# Access /data/misc/recovery
allow dumpstate recovery_data_file:dir r_dir_perms;
allow dumpstate recovery_data_file:file r_file_perms;

# Access /data/misc/update_engine & /data/misc/update_engine_log
allow dumpstate { update_engine_data_file update_engine_log_data_file }:dir r_dir_perms;
allow dumpstate { update_engine_data_file update_engine_log_data_file }:file r_file_perms;
# Access /data/misc/snapuserd_log
allow dumpstate snapuserd_log_data_file:dir r_dir_perms;
allow dumpstate snapuserd_log_data_file:file r_file_perms;

# Access /data/misc/profiles/{cur,ref}/
userdebug_or_eng(`
  allow dumpstate { user_profile_root_file user_profile_data_file}:dir r_dir_perms;
  allow dumpstate user_profile_data_file:file r_file_perms;
')

# Access /data/misc/logd
allow dumpstate misc_logd_file:dir r_dir_perms;
allow dumpstate misc_logd_file:file r_file_perms;

# Access /data/misc/prereboot
allow dumpstate prereboot_data_file:dir r_dir_perms;
allow dumpstate prereboot_data_file:file r_file_perms;

allow dumpstate app_fuse_file:dir r_dir_perms;
allow dumpstate overlayfs_file:dir r_dir_perms;

allow dumpstate {
  service_manager_type
  -apex_service
  -dumpstate_service
  -gatekeeper_service
  -hal_service_type
  -virtual_touchpad_service
  -vold_service
  -default_android_service
}:service_manager find;
# suppress denials for services dumpstate should not be accessing.
dontaudit dumpstate {
  apex_service
  dumpstate_service
  gatekeeper_service
  hal_service_type
  virtual_touchpad_service
  vold_service
}:service_manager find;

# Most of these are neverallowed.
dontaudit dumpstate hwservice_manager_type:hwservice_manager find;

allow dumpstate servicemanager:service_manager list;
allow dumpstate hwservicemanager:hwservice_manager list;

allow dumpstate devpts:chr_file rw_file_perms;

# Read any system properties
get_prop(dumpstate, property_type)

# Access to /data/media.
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
allow dumpstate media_rw_data_file:dir getattr;
allow dumpstate proc_interrupts:file r_file_perms;
allow dumpstate proc_zoneinfo:file r_file_perms;

# Create a service for talking back to system_server
add_service(dumpstate, dumpstate_service)

# use /dev/ion for screen capture
allow dumpstate ion_device:chr_file r_file_perms;

# Allow dumpstate to run top
allow dumpstate proc_stat:file r_file_perms;

allow dumpstate proc_pressure_cpu:file r_file_perms;
allow dumpstate proc_pressure_mem:file r_file_perms;
allow dumpstate proc_pressure_io:file r_file_perms;

# Allow dumpstate to run ps
allow dumpstate proc_pid_max:file r_file_perms;

# Allow dumpstate to talk to installd over binder
binder_call(dumpstate, installd);

# Allow dumpstate to run ip xfrm policy
allow dumpstate self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read };

# Allow dumpstate to run iotop
allow dumpstate self:netlink_socket create_socket_perms_no_ioctl;
# newer kernels (e.g. 4.4) have a new class for sockets
allow dumpstate self:netlink_generic_socket create_socket_perms_no_ioctl;

# Allow dumpstate to run ss
allow dumpstate { domain pdx_channel_socket_type pdx_endpoint_socket_type }:socket_class_set getattr;

# Allow dumpstate to read linkerconfig directory
allow dumpstate linkerconfig_file:dir { read open };

# For when dumpstate runs df
dontaudit dumpstate {
  mnt_vendor_file
  mirror_data_file
  mnt_user_file
  mnt_product_file
}:dir search;
dontaudit dumpstate {
  apex_mnt_dir
  linkerconfig_file
  mirror_data_file
  mnt_user_file
  vm_data_file
}:dir getattr;

# Allow dumpstate to talk to bufferhubd over binder
binder_call(dumpstate, bufferhubd);

# Allow dumpstate to talk to mediaswcodec over binder
binder_call(dumpstate, mediaswcodec);

#Access /data/misc/snapshotctl_log
allow dumpstate snapshotctl_log_data_file:dir r_dir_perms;
allow dumpstate snapshotctl_log_data_file:file r_file_perms;

#Allow access to /dev/binderfs/binder_logs
allow dumpstate binderfs_logs:dir r_dir_perms;
allow dumpstate binderfs_logs:file r_file_perms;
allow dumpstate binderfs_logs_proc:file r_file_perms;
allow dumpstate binderfs_logs_stats:file r_file_perms;

use_apex_info(dumpstate)

# Allow reading files under /data/system/shutdown-checkpoints/
allow dumpstate shutdown_checkpoints_system_data_file:dir r_dir_perms;
allow dumpstate shutdown_checkpoints_system_data_file:file r_file_perms;

###
### neverallow rules
###

# dumpstate has capability sys_ptrace, but should only use that capability for
# accessing sensitive /proc/PID files, never for using ptrace attach.
neverallow dumpstate *:process ptrace;

# only system_server, dumpstate, traceur_app and shell can find the dumpstate service
neverallow {
  domain
  -system_server
  -shell
  -traceur_app
  -dumpstate
} dumpstate_service:service_manager find;

# only dumpstate, system_server and related others to access apex_uwb_data_file
neverallow {
  domain
  -dumpstate
  -system_server
  -apexd
  -init
  -vold_prepare_subdirs
} apex_uwb_data_file:dir no_rw_file_perms;
neverallow {
  domain
  -dumpstate
  -system_server
  -apexd
  -init
  -vold_prepare_subdirs
} apex_uwb_data_file:file no_rw_file_perms;