1# Copyright (c) 2022-2023 Huawei Device Co., Ltd. 2# Licensed under the Apache License, Version 2.0 (the "License"); 3# you may not use this file except in compliance with the License. 4# You may obtain a copy of the License at 5# 6# http://www.apache.org/licenses/LICENSE-2.0 7# 8# Unless required by applicable law or agreed to in writing, software 9# distributed under the License is distributed on an "AS IS" BASIS, 10# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 11# See the License for the specific language governing permissions and 12# limitations under the License. 13 14################### 15## Macro define: ## 16################### 17define(`use_processdump', ` 18 allow $1 processdump_exec:file { execute getattr map open read }; 19') 20 21define(`processdump_cmd', ` 22 allow processdump $1:file { getattr map open read }; 23') 24 25######################## 26## processdump rules: ## 27######################## 28use_processdump({ domain -init -kernel }) 29processdump_cmd({ 30 app_el1_bundle_public 31 arkcompiler_param 32 ark_writeable_param 33 chip_prod_file 34 data_app_el1_file # remove later 35 data_file 36 data_service_el1_file 37 dev_parameters_file 38 domain 39 exec_attr 40 foundation 41 sys_prod_file 42 system_bin_file 43 system_file 44 system_lib_file 45 system_usr_file 46 vendor_bin_file 47 vendor_file 48 vendor_lib_file 49}) 50 51#============= domain ================= 52allow domain processdump:process { share sigchld }; 53allow domain self:fifo_file { write }; 54allow domain system_bin_file:dir { search }; 55allow processdump { domain -processdump -kernel }:process { ptrace sigstop }; 56allow processdump domain:fd use; 57allow processdump domain:fifo_file { read write }; 58allow processdump domain:dir { getattr open read search }; 59allow processdump domain:lnk_file { read }; 60 61#============= write event to hiview ========= 62allow processdump hiview:binder { call transfer }; 63allow processdump samgr:binder { call }; 64allow processdump hiview:unix_dgram_socket { sendto }; 65 66#============= for faultloggerd =========== 67allow processdump faultloggerd_temp_file:file { getattr open read write }; 68allow processdump faultloggerd:fd { use }; 69allow processdump faultloggerd:unix_stream_socket { connectto }; 70allow processdump faultloggerd_socket:sock_file write; 71 72#============= processdump ============== 73allow processdump processdump_exec:file { entrypoint }; 74allow processdump processdump:process { fork }; 75allow processdump processdump:dir { search }; 76allow processdump processdump:lnk_file { read }; 77allow processdump processdump:unix_dgram_socket { create connect write }; 78allow processdump processdump:unix_stream_socket { create setopt connect write read }; 79allow processdump data_app_el1_arkcache:file { getattr open read map }; 80allow processdump data_app_el1_arkcache:dir { search }; 81allow processdump data_local_tmp:file { getattr map open read }; 82 83developer_only(` 84allow processdump data_local_tmp:dir { search }; 85allow processdump data_local:dir { search }; 86') 87 88#============ hidumper ============== 89allow processdump hidumper_service:fifo_file ioctl; 90 91#============ normal_hap ================= 92allow processdump normal_hap_attr:dir { getattr open read search }; 93allow processdump normal_hap_attr:file { getattr open read }; 94allow processdump app_el1_bundle_public:dir search; 95allow processdump data_app_el1_file:dir search; # remove later 96allow processdump normal_hap_data_file:file { read write append create open map }; 97allow processdump normal_hap_data_file:dir { write add_name search }; 98allow processdump debug_hap_data_file:file { read write append create open map }; 99allow processdump debug_hap_data_file:dir { write add_name search }; 100 101#============ hap_domain ================ 102allow processdump hap_domain:lnk_file { read }; 103 104#============= for hdcd ================ 105allow processdump hdcd:fd use; 106allow processdump hdcd:fifo_file { read write }; 107allow processdump hdcd:file { getattr open read }; 108allow processdump hdcd:process ptrace; 109allow processdump hdcd:unix_stream_socket { read write }; 110 111#============= devpts && tty =========== 112allow processdump devpts:chr_file { read write }; 113allow processdump tty_device:chr_file { read write }; 114 115#============= init ================ 116allow processdump init:dir { getattr open read search }; 117allow processdump init:file { getattr open read }; 118allow processdump init:netlink_kobject_uevent_socket { read write }; 119allow processdump init:unix_dgram_socket { sendto }; 120allow processdump init:unix_stream_socket { read write connectto }; 121 122#============ foundation =========== 123allow processdump foundation:dir { getattr open read search }; 124allow processdump foundation:binder { call transfer }; 125allow processdump sa_foundation_abilityms:samgr_class { get }; 126allow processdump sa_foundation_bms:samgr_class { get }; 127 128#============ data_xxx ================== 129allow processdump data_file:dir search; 130allow processdump data_init_agent:file { append ioctl open read }; 131allow processdump data_init_agent:dir search; 132 133#============ dev_xxx =================== 134allow processdump dev_file:dir { search }; 135allow processdump dev_null_file:chr_file { read write }; 136allow processdump dev_parameters_file:dir { search }; 137allow processdump dev_unix_file:dir { search }; 138allow processdump dev_unix_socket:dir search; 139allow processdump dev_unix_socket:sock_file write; 140 141#============ sys_xxx ================= 142allow processdump sys_prod_file:dir { search }; 143 144#============ system_xxx ================= 145allow processdump system_bin_file:dir search; 146allow processdump system_etc_file:dir { getattr open read search }; 147allow processdump system_etc_file:file { getattr open read }; 148allow processdump system_file:dir { search }; 149allow processdump system_lib_file:dir { search }; 150allow processdump system_usr_file:dir { search }; 151 152#============ vendor_xxx ================= 153allow processdump vendor_file:dir { getattr open read search }; 154allow processdump vendor_bin_file:dir search; 155allow processdump vendor_lib_file:dir search; 156 157#============ proc_file & tmpfs & debugfs =================== 158allow processdump proc_file:dir { search }; 159allow processdump proc_file:lnk_file { read }; 160allow processdump tmpfs:dir { search }; 161allow processdump tmpfs:lnk_file { read }; 162allow processdump debugfs:dir { search }; 163 164#============ chip_prod_file =================== 165allow processdump chip_prod_file:dir { search }; 166 167############################ 168## neverallow assertions: ## 169############################ 170neverallow processdump self:process ptrace; 171neverallow processdump domain:capability sys_ptrace; 172neverallow domain processdump:process noatsecure; 173neverallow domain processdump_exec:file execute_no_trans; 174 175allow processdump hiviewdfx_hiview_param:file { map open read }; 176 177allow processdump dev_bbox:chr_file { ioctl open write }; 178allowxperm processdump dev_bbox:chr_file ioctl 0xab09; 179 180#============= dev_lperf =================== 181allow init dev_lperf:chr_file { getattr setattr }; 182allow processdump dev_lperf:chr_file { ioctl open read write }; 183allowxperm processdump dev_lperf:chr_file ioctl { 0x6c01 0x6c02 0x6c04 }; 184