1# Copyright (c) 2022 Huawei Device Co., Ltd. 2# Licensed under the Apache License, Version 2.0 (the "License"); 3# you may not use this file except in compliance with the License. 4# You may obtain a copy of the License at 5# 6# http://www.apache.org/licenses/LICENSE-2.0 7# 8# Unless required by applicable law or agreed to in writing, software 9# distributed under the License is distributed on an "AS IS" BASIS, 10# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 11# See the License for the specific language governing permissions and 12# limitations under the License. 13 14################### 15## Macro define: ## 16################### 17define(`use_processdump', ` 18 allow $1 processdump_exec:file { execute getattr map open read }; 19') 20 21define(`processdump_cmd', ` 22 allow processdump $1:file { getattr map open read }; 23') 24 25######################## 26## processdump rules: ## 27######################## 28use_processdump({ domain -limit_domain -init -kernel }) 29processdump_cmd({ 30 domain 31 data_file 32 dev_parameters_file 33 exec_attr 34 foundation 35 app_el1_bundle_public 36 data_app_el1_file # remove later 37 vendor_bin_file 38}) 39 40#============= domain ================= 41allow domain processdump:process { share sigchld }; 42allow domain self:fifo_file { write }; 43allow processdump { domain -processdump -kernel }:process ptrace; 44allow processdump domain:fd use; 45allow processdump domain:fifo_file { read write }; 46allow processdump domain:dir { getattr open read search }; 47 48#============= write event to hiview ========= 49allow processdump hiview:binder { call transfer }; 50allow processdump samgr:binder { call }; 51 52#============= for faultloggerd =========== 53allow processdump faultloggerd_temp_file:file { getattr open read write }; 54allow processdump faultloggerd:fd { use }; 55allow processdump faultloggerd:unix_stream_socket { connectto }; 56allow processdump faultloggerd_socket:sock_file write; 57 58#============= processdump ============== 59allow processdump processdump_exec:file { entrypoint }; 60allow processdump processdump:process { fork }; 61allow processdump processdump:dir { search }; 62allow processdump processdump:lnk_file { read }; 63allow processdump processdump:unix_dgram_socket { create connect write }; 64allow processdump processdump:unix_stream_socket { create setopt connect write read }; 65 66#============ hidumper ============== 67allow processdump hidumper_service:fifo_file ioctl; 68 69#============ normal_hap ================= 70allow processdump normal_hap:dir { getattr open read search }; 71allow processdump normal_hap:file { getattr open read }; 72allow processdump app_el1_bundle_public:dir search; 73allow processdump data_app_el1_file:dir search; # remove later 74 75#============= for hdcd ================ 76allow processdump hdcd:fd use; 77allow processdump hdcd:fifo_file { read write }; 78allow processdump hdcd:file { getattr open read }; 79allow processdump hdcd:process ptrace; 80allow processdump hdcd:unix_stream_socket { read write }; 81 82#============= devpts && tty =========== 83allow processdump devpts:chr_file { read write }; 84allow processdump tty_device:chr_file { read write }; 85 86#============= init ================ 87allow processdump init:dir { getattr open read search }; 88allow processdump init:file { getattr open read }; 89allow processdump init:netlink_kobject_uevent_socket { read write }; 90allow processdump init:unix_dgram_socket { sendto }; 91allow processdump init:unix_stream_socket { read write connectto }; 92 93#============ sh & foundation =========== 94allow processdump sh:fd use; 95allow processdump sh:fifo_file ioctl; 96allow processdump foundation:dir { getattr open read search }; 97 98#============ data_xxx ================== 99allow processdump data_init_agent:file { append ioctl open read }; 100allow processdump data_init_agent:dir search; 101allow processdump data_file:dir search; 102 103#============ dev_xxx =================== 104allow processdump dev_file:dir { search }; 105allow processdump dev_null_file:chr_file { read write }; 106allow processdump dev_parameters_file:dir { search }; 107allow processdump dev_unix_file:dir { search }; 108allow processdump dev_unix_socket:dir search; 109allow processdump dev_unix_socket:sock_file write; 110allow processdump dev_unix_socket_file:dir { search }; 111 112#============ system_xxx ================= 113allow processdump system_bin_file:dir search; 114allow processdump system_file:dir { search }; 115allow processdump system_lib_file:dir { search }; 116allow processdump system_lib_file:file { execute getattr map open read }; 117allow processdump system_etc_file:dir { getattr open read search }; 118allow processdump system_etc_file:file { getattr open read }; 119 120#============ vendor_xxx ================= 121allow processdump vendor_file:file { getattr map open read }; 122allow processdump vendor_file:dir { getattr open read search }; 123allow processdump vendor_bin_file:dir search; 124 125#============ proc_file & tmpfs & debugfs =================== 126allow processdump proc_file:dir { search }; 127allow processdump proc_file:lnk_file { read }; 128allow processdump tmpfs:dir { search }; 129allow processdump tmpfs:lnk_file { read }; 130allow processdump debugfs:dir { search }; 131 132############################ 133## neverallow assertions: ## 134############################ 135neverallow processdump self:process ptrace; 136neverallow domain processdump:process noatsecure; 137neverallow domain processdump_exec:file execute_no_trans; 138