# dumpstate
#
# Policy for the dumpstate daemon, the process that collects a bugreport (see
# the shell_data_file and hal_vibrator rules below). The domain is deliberately
# broad: it reads /proc of every domain, signals processes, executes system
# binaries and holds sys_ptrace and dac_override. The neverallow rules at the
# end of this file are what bound that reach; keep them in mind when widening
# anything above them.

# mlstrustedsubject: the domain is trusted across MLS levels, i.e. it is not
# subject to the MLS constraints that separate other subjects.
type dumpstate, domain, mlstrustedsubject;
type dumpstate_exec, exec_type, file_type;

net_domain(dumpstate)
binder_use(dumpstate)
wakelock_use(dumpstate)

# Allow setting process priority, protect from OOM killer, and dropping
# privileges by switching UID / GID
allow dumpstate self:capability { setuid setgid sys_resource };

# Allow dumpstate to scan through /proc/pid for all processes
# Note: `domain` is every process on the device, not just the ones listed
# explicitly further down.
r_dir_file(dumpstate, domain)

allow dumpstate self:capability {
  # Send signals to processes
  kill
  # Run iptables
  net_raw
  net_admin
};

# Allow executing files on system, such as:
# /system/bin/toolbox
# /system/bin/logcat
# /system/bin/dumpsys
# execute_no_trans: the binary runs in the dumpstate domain itself; there is no
# domain transition.
allow dumpstate system_file:file execute_no_trans;
# Vendor binaries: the not_full_treble macro is expected to drop this rule on
# full-Treble builds, so only non-Treble builds get it.
not_full_treble(`allow dumpstate vendor_file:file execute_no_trans;')
allow dumpstate toolbox_exec:file rx_file_perms;

# Create and write into /data/anr/
# dac_override bypasses the kernel's owner/group/mode checks wholesale. The
# capability itself is granted on `self` and is not scoped to /data/anr; only
# the anr_data_file rules below limit what the MAC layer lets it touch.
allow dumpstate self:capability { dac_override chown fowner fsetid };
allow dumpstate anr_data_file:dir rw_dir_perms;
allow dumpstate anr_data_file:file create_file_perms;

# Allow reading /data/system/uiderrors.txt
# TODO: scope this down.
# Note: this grants read on every file labeled system_data_file, not just
# uiderrors.txt, which is what the TODO is about.
allow dumpstate system_data_file:file r_file_perms;

# Read dmesg
allow dumpstate self:capability2 syslog;
allow dumpstate kernel:system syslog_read;

# Read /sys/fs/pstore/console-ramoops
allow dumpstate pstorefs:dir r_dir_perms;
allow dumpstate pstorefs:file r_file_perms;

# Get process attributes
allow dumpstate domain:process getattr;

# Signal java processes to dump their stack
allow dumpstate { appdomain system_server }:process signal;

# Signal native processes to dump their stack.
# Keep this list in sync with the native code it mirrors (see the two comments
# inside the block); a process missing here simply will not be dumped.
allow dumpstate {
  # This list comes from native_processes_to_dump in dumpstate/utils.c
  audioserver
  cameraserver
  drmserver
  inputflinger
  mediadrmserver
  mediaextractor
  mediaserver
  sdcardd
  surfaceflinger

  # This list comes from hal_interfaces_to_dump in dumpstate/utils.c
  hal_audio_server
  hal_bluetooth_server
  hal_camera_server
  hal_graphics_composer_server
  hal_vr_server
  mediacodec # TODO(b/36375899): hal_omx_server
}:process signal;

# Connect to tombstoned to intercept dumps.
unix_socket_connect(dumpstate, tombstoned_intercept, tombstoned)

# TODO: added to match above sysfs rule. Remove me?
# Note: sysfs_usb is a specific label, so this write is not caught by the
# `sysfs:file no_w_file_perms` neverallow at the end of this file.
allow dumpstate sysfs_usb:file w_file_perms;

# Other random bits of data we want to collect
allow dumpstate qtaguid_proc:file r_file_perms;
allow dumpstate debugfs:file r_file_perms;
# df for /storage/emulated needs search
allow dumpstate { storage_file block_device }:dir { search getattr };
allow dumpstate fuse_device:chr_file getattr;
allow dumpstate { dm_device cache_block_device }:blk_file getattr;

# Read /dev/cpuctl and /dev/cpuset
r_dir_file(dumpstate, cgroup)

# Allow dumpstate to make binder calls to any binder service
binder_call(dumpstate, binderservicedomain)
binder_call(dumpstate, { appdomain netd wificond })

hal_client_domain(dumpstate, hal_dumpstate)
hal_client_domain(dumpstate, hal_graphics_allocator)
# Vibrate the device after we are done collecting the bugreport
hal_client_domain(dumpstate, hal_vibrator)
# For passthrough mode:
# sysfs_vibrator carries its own label, so like sysfs_usb above it is outside
# the generic sysfs:file write neverallow below.
allow dumpstate sysfs_vibrator:file { rw_file_perms getattr };

# Reading /proc/PID/maps of other processes
# Capability only. The neverallow at the bottom of this file denies the
# process:ptrace permission, so this cannot be turned into a ptrace attach.
allow dumpstate self:capability sys_ptrace;

# Allow the bugreport service to create a file in
# /data/data/com.android.shell/files/bugreports/bugreport
# Both directory and file creation are granted on the Shell app's private data.
allow dumpstate shell_data_file:dir create_dir_perms;
allow dumpstate shell_data_file:file create_file_perms;

# Run a shell.
allow dumpstate shell_exec:file rx_file_perms;

# For running am and similar framework commands.
# Run /system/bin/app_process.
allow dumpstate zygote_exec:file rx_file_perms;
# Dalvik Compiler JIT.
# execmem permits writable+executable anonymous memory in this process.
allow dumpstate ashmem_device:chr_file execute;
allow dumpstate self:process execmem;
# For art.
allow dumpstate dalvikcache_data_file:dir { search getattr };
allow dumpstate dalvikcache_data_file:file { r_file_perms execute };
allow dumpstate dalvikcache_data_file:lnk_file r_file_perms;

# For Bluetooth
allow dumpstate bluetooth_data_file:dir search;
allow dumpstate bluetooth_logs_data_file:dir r_dir_perms;
allow dumpstate bluetooth_logs_data_file:file r_file_perms;

# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
allow dumpstate gpu_device:chr_file rw_file_perms;

# logd access
read_logd(dumpstate)
control_logd(dumpstate)
read_runtime_log_tags(dumpstate)

# Read /proc/net
allow dumpstate proc_net:file r_file_perms;

# Read network state info files.
allow dumpstate net_data_file:dir search;
allow dumpstate net_data_file:file r_file_perms;

# List sockets via ss.
# create_socket_perms_no_ioctl: socket creation without ioctl; nlmsg_read is
# what the sock_diag queries need.
allow dumpstate self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };

# Access /data/tombstones.
allow dumpstate tombstone_data_file:dir r_dir_perms;
allow dumpstate tombstone_data_file:file r_file_perms;

# Access /cache/recovery
allow dumpstate cache_recovery_file:dir r_dir_perms;
allow dumpstate cache_recovery_file:file r_file_perms;

# Access /data/misc/recovery
allow dumpstate recovery_data_file:dir r_dir_perms;
allow dumpstate recovery_data_file:file r_file_perms;

# Access /data/misc/profiles/{cur,ref}/
# userdebug/eng builds only; user builds do not get these rules.
userdebug_or_eng(`
  allow dumpstate user_profile_data_file:dir r_dir_perms;
  allow dumpstate user_profile_data_file:file r_file_perms;
')

# Access /data/misc/logd
# userdebug/eng builds only; user builds do not get these rules.
userdebug_or_eng(`
  allow dumpstate misc_logd_file:dir r_dir_perms;
  allow dumpstate misc_logd_file:file r_file_perms;
')

# Find every registered service except the ones explicitly subtracted below
# (gatekeeper, dumpstate's own service, incident, virtual_touchpad, vr_hwc),
# and list what servicemanager / hwservicemanager have registered.
allow dumpstate { service_manager_type -gatekeeper_service -dumpstate_service -incident_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;
allow dumpstate servicemanager:service_manager list;
allow dumpstate hwservicemanager:hwservice_manager list;

# NOTE(review): no rationale recorded for pty access; presumably needed when
# dumpstate is driven from an interactive shell - confirm before relying on it.
allow dumpstate devpts:chr_file rw_file_perms;

# Set properties.
# dumpstate_prop is used to share state with the Shell app.
set_prop(dumpstate, dumpstate_prop)
# dumpstate_options_prop is used to pass extra command-line args.
set_prop(dumpstate, dumpstate_options_prop)

# Read device's serial number from system properties
get_prop(dumpstate, serialno_prop)

# Read state of logging-related properties
get_prop(dumpstate, device_logging_prop)

# Access to /data/media.
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
allow dumpstate media_rw_data_file:dir getattr;
# Read-only access to the proc_interrupts / proc_zoneinfo labels (presumably
# /proc/interrupts and /proc/zoneinfo); unrelated to the /data/media rule above.
allow dumpstate proc_interrupts:file r_file_perms;
allow dumpstate proc_zoneinfo:file r_file_perms;

# Create a service for talking back to system_server
add_service(dumpstate, dumpstate_service)

###
### neverallow rules
###
### These are checked at policy-compile time; a later allow rule that
### contradicts one of them fails the build rather than silently winning.

# dumpstate has capability sys_ptrace, but should only use that capability for
# accessing sensitive /proc/PID files, never for using ptrace attach.
# `*` matches every type, so no target domain is exempt.
neverallow dumpstate *:process ptrace;

# only system_server, dumpstate and shell can find the dumpstate service
neverallow { domain -system_server -shell -dumpstate } dumpstate_service:service_manager find;

# Dumpstate should not be writing to any generically labeled sysfs files.
# Create a specific label for the file type
# The sysfs_usb and sysfs_vibrator writes above pass this check only because
# they carry their own labels; any new sysfs write needs the same treatment.
neverallow dumpstate sysfs:file no_w_file_perms;