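# ==============================================
# MTK Policy Rule
# ==============================================
# Additional allow rules for the crash_dump domain, used by the AEE
# exception flow that the comments below refer to. Any rule that is not
# wrapped in userdebug_or_eng applies to every build variant, user builds
# included.

# NOTE(review): mlstrustedsubject exempts crash_dump from the MLS/MCS
# constraints that keep app and user categories apart. Confirm it is still
# required, because it widens what the read rules below can reach.
typeattribute crash_dump mlstrustedsubject;

# /proc/<pid>/ directories of app and core domains
# NOTE(review): these look subsumed by the domain:dir rule in the NE flow
# section further down - confirm and keep only one form.
allow crash_dump appdomain:dir r_dir_perms;
allow crash_dump coredomain:dir r_dir_perms;

# AED start: /dev/block/expdb
allow crash_dump block_device:dir search;

# aee db dir and db files
# NOTE(review): databases created on sdcard_type storage may be readable by
# other components with access to that storage - confirm the dumps written
# there do not carry process memory or log data that should stay private.
allow crash_dump sdcard_type:dir create_dir_perms;
allow crash_dump sdcard_type:file create_file_perms;

# /data/anr
allow crash_dump anr_data_file:dir create_dir_perms;
allow crash_dump anr_data_file:file create_file_perms;

# Scheduling attributes and /proc symlink metadata of any process
allow crash_dump domain:process { getattr getsched };
allow crash_dump domain:lnk_file getattr;

# core-pattern
allow crash_dump usermodehelper:file r_file_perms;

# suid_dumpable. Kept disabled: this rule hits a neverallow.
#allow crash_dump proc_security:file r_file_perms;

# Allow crash_dump to run binaries labeled "system_file" under /system/bin/
# without a domain transition (they execute in the crash_dump domain).
allow crash_dump system_file:file execute_no_trans;

allow crash_dump init:process getsched;
allow crash_dump kernel:process getsched;

# Date: W15.34
# Operation: Migration
# Purpose: For pagemap & pageflags information in NE DB
# sys_admin is limited to userdebug and eng builds.
userdebug_or_eng(`allow crash_dump self:capability sys_admin;')

# Purpose: allow crash_dump to access toolbox
allow crash_dump toolbox_exec:file rx_file_perms;

# Purpose: mnt/user/*
allow crash_dump mnt_user_file:dir search;
allow crash_dump mnt_user_file:lnk_file read;

allow crash_dump storage_file:dir search;
allow crash_dump storage_file:lnk_file read;

# Date : WK17.09
# Operation : AEE UT for Android O
# Purpose : for AEE module to dump files
# Executing dumpstate_exec from crash_dump transitions into the dumpstate
# domain.
domain_auto_trans(crash_dump, dumpstate_exec, dumpstate)

# Purpose : crash_dump communicate with aee_core_forwarder
# allow crash_dump aee_core_forwarder:dir search;
# allow crash_dump aee_core_forwarder:file { read getattr open };

# Read /proc entries of the su domain; userdebug and eng builds only.
userdebug_or_eng(`
  allow crash_dump su:dir { search read open };
  allow crash_dump su:file { read getattr open };
')

# /data/tombstone
allow crash_dump tombstone_data_file:dir w_dir_perms;
allow crash_dump tombstone_data_file:file create_file_perms;

# Capabilities held by crash_dump itself.
# This single rule also covers the sys_nice/chown/fowner/kill grant that was
# repeated as a second, fully redundant rule later in this file.
# NOTE(review): unlike sys_admin above, these are granted on user builds too.
# sys_module, net_admin, setuid and setgid go well beyond what collecting
# process state needs. Confirm each one is required, check the set against
# the platform neverallow rules, and gate or drop whatever is not.
allow crash_dump self:capability { fowner chown fsetid sys_nice sys_resource net_admin sys_module setgid setuid kill };

# system(cmd) aee_dumpstate aee_archive
# NOTE(review): rx_file_perms with no domain transition means the shell runs
# in the crash_dump domain with the capabilities granted above. Commands
# handed to system() should be fixed strings and never assembled from data
# read out of the crashed process.
allow crash_dump shell_exec:file rx_file_perms;

# PROCESS_FILE_STATE
allow crash_dump dumpstate:unix_stream_socket { read write ioctl };
allow crash_dump dumpstate:dir search;
allow crash_dump dumpstate:file r_file_perms;

# Read logs through the logd reader socket
allow crash_dump logdr_socket:sock_file write;
allow crash_dump logd:unix_stream_socket connectto;
#allow crash_dump system_ndebug_socket:sock_file write;

# vibrator
allow crash_dump sysfs_vibrator:file w_file_perms;

# Date : 2017/03/22
# Operation : add NE flow rule for Android O
# Purpose : let crash_dump collect NE info for a specific process
# NOTE(review): these two rules open the /proc/<pid> files and symlinks of
# every domain to crash_dump on all builds. If only the crashing process is
# inspected, consider narrowing the target set.
allow crash_dump domain:dir r_dir_perms;
allow crash_dump domain:{ file lnk_file } r_file_perms;

allow crash_dump dalvikcache_data_file:dir r_dir_perms;
#allow crash_dump zygote_exec:file r_file_perms;
#allow crash_dump init_exec:file r_file_perms;

# Date : 2017/04/06
# Operation : add selinux rule for crash_dump notify crash_dump
# Purpose : let one crash_dump instance be notified by another crash_dump
allow crash_dump crash_dump:dir search;
allow crash_dump crash_dump:file r_file_perms;

# Purpose : allow crash_dump to read /proc/version
allow crash_dump proc_version:file { read open };

# Purpose : allow crash_dump self to sys_nice/chown/kill
# Granted by the self:capability rule earlier in this file, which already
# lists sys_nice, chown, fowner and kill; the duplicate allow rule that used
# to sit here was removed.

# Purpose: Allow crash_dump to write /sys/kernel/debug/tracing/snapshot
userdebug_or_eng(`allow crash_dump debugfs_tracing_debug:file { write open };')

# Purpose: Allow crash_dump to read/write /sys/kernel/debug/tracing/tracing_on
#userdebug_or_eng(` allow crash_dump debugfs_tracing:file { r_file_perms write };')

# Purpose: receive dropbox message
allow crash_dump dropbox_data_file:file { getattr read };
allow crash_dump dropbox_service:service_manager find;
allow crash_dump servicemanager:binder call;
allow crash_dump system_server:binder call;

# Purpose: allow crash_dump to read packages.list
allow crash_dump packages_list_file:file r_file_perms;

# Purpose: Allow crash_dump to read /proc/*/exe
# NOTE(review): the rule grants read on every file whose type carries the
# system_file_type attribute, which is wider than the stated purpose.
allow crash_dump system_file_type:file r_file_perms;

# Purpose: crash_dump set property
set_prop(crash_dump, system_mtk_persist_mtk_aee_prop)
set_prop(crash_dump, system_mtk_persist_aee_prop)
set_prop(crash_dump, system_mtk_debug_mtk_aee_prop)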