type crash_dump, domain;
type crash_dump_exec, exec_type, file_type;

allow crash_dump {
  domain
  -init
  -crash_dump
  -keystore
  -logd
}:process { ptrace signal sigchld sigstop sigkill };

# crash_dump might inherit CAP_SYS_PTRACE from a privileged process,
# which will result in an audit log even when it's allowed to trace.
dontaudit crash_dump self:capability { sys_ptrace };

userdebug_or_eng(`
  allow crash_dump logd:process { ptrace signal sigchld sigstop sigkill };
')

# Use inherited file descriptors
allow crash_dump domain:fd use;

# Write to the IPC pipe inherited from crashing processes.
# Append to pipes given to us by processes requesting dumps (e.g. dumpstate)
allow crash_dump domain:fifo_file { write append };

r_dir_file(crash_dump, domain)
allow crash_dump exec_type:file r_file_perms;

# Read /data/dalvik-cache.
allow crash_dump dalvikcache_data_file:dir { search getattr };
allow crash_dump dalvikcache_data_file:file r_file_perms;

# Read APK files.
r_dir_file(crash_dump, apk_data_file);

# Read all /vendor
r_dir_file(crash_dump, { vendor_file same_process_hal_file })

# Talk to tombstoned
unix_socket_connect(crash_dump, tombstoned_crash, tombstoned)

# Talk to ActivityManager.
unix_socket_connect(crash_dump, system_ndebug, system_server)

# Append to ANR files.
allow crash_dump anr_data_file:file { append getattr };

# Append to tombstone files.
allow crash_dump tombstone_data_file:file { append getattr };

read_logd(crash_dump)

###
### neverallow assertions
###

# A domain transition must occur for crash_dump to get the privileges needed to trace the process.
# Do not allow the execution of crash_dump without a domain transition.
neverallow domain crash_dump_exec:file execute_no_trans;