# dumpstate: the domain of the bugreport collector.
#
# mlstrustedsubject exempts the domain from MLS constraints so it can read
# objects across MLS categories while gathering a report. Everything below is
# broad by design (it reads state from most of the system); the neverallow
# rules at the bottom pin the two limits that must never be relaxed.
type dumpstate, domain, mlstrustedsubject;
type dumpstate_exec, system_file_type, exec_type, file_type;

net_domain(dumpstate)
binder_use(dumpstate)
wakelock_use(dumpstate)

# Allow setting process priority, protect from OOM killer, and dropping
# privileges by switching UID / GID
allow dumpstate self:global_capability_class_set { setuid setgid sys_resource };

# Allow dumpstate to scan through /proc/pid for all processes
r_dir_file(dumpstate, domain)

allow dumpstate self:global_capability_class_set {
  # Send signals to processes
  kill
  # Run iptables
  net_raw
  net_admin
};

# Allow executing files on system, such as:
# /system/bin/toolbox
# /system/bin/logcat
# /system/bin/dumpsys
allow dumpstate system_file:file execute_no_trans;
# Legacy (non-Treble) builds only: vendor binaries may also be executed.
not_full_treble(`allow dumpstate vendor_file:file execute_no_trans;')
allow dumpstate toolbox_exec:file rx_file_perms;

# hidl searches for files in /system/lib(64)/hw/
allow dumpstate system_file:dir r_dir_perms;

# Create and write into /data/anr/
# dac_override / dac_read_search bypass DAC (mode bit) checks entirely; the
# SELinux rules in this file remain the effective bound on what is reachable.
allow dumpstate self:global_capability_class_set { dac_override dac_read_search chown fowner fsetid };
allow dumpstate anr_data_file:dir rw_dir_perms;
allow dumpstate anr_data_file:file create_file_perms;

# Allow reading /data/system/uiderrors.txt
# TODO: scope this down. (r_file_perms on the whole system_data_file type is
# far wider than the single file named above.)
allow dumpstate system_data_file:file r_file_perms;

# Allow dumpstate to append into privileged apps private files.
# append only: no write/truncate, so existing content cannot be rewritten.
allow dumpstate privapp_data_file:file append;

# Read dmesg
allow dumpstate self:global_capability2_class_set syslog;
allow dumpstate kernel:system syslog_read;

# Read /sys/fs/pstore/console-ramoops
allow dumpstate pstorefs:dir r_dir_perms;
allow dumpstate pstorefs:file r_file_perms;

# Get process attributes
allow dumpstate domain:process getattr;

# Signal java processes to dump their stack
allow dumpstate { appdomain system_server zygote }:process signal;

# Signal native processes to dump their stack.
# Only `signal` is granted here; see the neverallow on ptrace below.
allow dumpstate {
  # This list comes from native_processes_to_dump in dumputils/dump_utils.c
  audioserver
  cameraserver
  drmserver
  inputflinger
  mediadrmserver
  mediaextractor
  mediametrics
  mediaserver
  mediaswcodec
  sdcardd
  surfaceflinger
  vold

  # This list comes from hal_interfaces_to_dump in dumputils/dump_utils.c
  hal_audio_server
  hal_bluetooth_server
  hal_camera_server
  hal_codec2_server
  hal_drm_server
  hal_face_server
  hal_fingerprint_server
  hal_graphics_allocator_server
  hal_graphics_composer_server
  hal_health_server
  hal_neuralnetworks_server
  hal_omx_server
  hal_power_server
  hal_power_stats_server
  hal_sensors_server
  hal_thermal_server
  hal_vr_server
  system_suspend_server
}:process signal;

# Connect to tombstoned to intercept dumps.
unix_socket_connect(dumpstate, tombstoned_intercept, tombstoned)

# Access to /sys
allow dumpstate sysfs_type:dir r_dir_perms;

allow dumpstate {
  sysfs_devices_block
  sysfs_dm
  sysfs_loop
  sysfs_usb
  sysfs_zram
}:file r_file_perms;

# Other random bits of data we want to collect
allow dumpstate debugfs:file r_file_perms;
# auditallow logs every granted debugfs read, so actual use of this broad
# permission stays visible in the audit log.
auditallow dumpstate debugfs:file r_file_perms;

allow dumpstate debugfs_mmc:file r_file_perms;

# df: search/stat the mount points it reports on.
allow dumpstate {
  block_device
  cache_file
  metadata_file
  rootfs
  selinuxfs
  storage_file
  tmpfs
}:dir { search getattr };
allow dumpstate fuse_device:chr_file getattr;
allow dumpstate { dm_device cache_block_device }:blk_file getattr;
allow dumpstate { cache_file rootfs }:lnk_file { getattr read };

# Read /dev/cpuctl and /dev/cpuset
r_dir_file(dumpstate, cgroup)

# Allow dumpstate to make binder calls to any binder service
binder_call(dumpstate, binderservicedomain)
binder_call(dumpstate, { appdomain netd wificond })

# dump_hal(): permissions needed to request a dump from each of these HALs
# (see the macro definition for exactly what is granted).
dump_hal(hal_identity)
dump_hal(hal_dumpstate)
dump_hal(hal_wifi)
dump_hal(hal_graphics_allocator)
dump_hal(hal_neuralnetworks)
# Vibrate the device after we are done collecting the bugreport
hal_client_domain(dumpstate, hal_vibrator)

# Reading /proc/PID/maps of other processes
# (the capability is granted, but ptrace attach itself is neverallowed below)
allow dumpstate self:global_capability_class_set sys_ptrace;

# Allow the bugreport service to create a file in
# /data/data/com.android.shell/files/bugreports/bugreport
allow dumpstate shell_data_file:dir create_dir_perms;
allow dumpstate shell_data_file:file create_file_perms;

# Run a shell.
allow dumpstate shell_exec:file rx_file_perms;

# For running am and similar framework commands.
# Run /system/bin/app_process.
allow dumpstate zygote_exec:file rx_file_perms;

# For Bluetooth
allow dumpstate bluetooth_data_file:dir search;
allow dumpstate bluetooth_logs_data_file:dir r_dir_perms;
allow dumpstate bluetooth_logs_data_file:file r_file_perms;

# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
allow dumpstate gpu_device:chr_file rw_file_perms;

# logd access
read_logd(dumpstate)
control_logd(dumpstate)
read_runtime_log_tags(dumpstate)

# Read files in /proc
allow dumpstate {
  proc_buddyinfo
  proc_cmdline
  proc_meminfo
  proc_modules
  proc_net_type
  proc_pipe_conf
  proc_pagetypeinfo
  proc_qtaguid_ctrl
  proc_qtaguid_stat
  proc_slabinfo
  proc_version
  proc_vmallocinfo
  proc_vmstat
}:file r_file_perms;

# Read network state info files.
allow dumpstate net_data_file:dir search;
allow dumpstate net_data_file:file r_file_perms;

# List sockets via ss.
allow dumpstate self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };

# Access /data/tombstones.
allow dumpstate tombstone_data_file:dir r_dir_perms;
allow dumpstate tombstone_data_file:file r_file_perms;

# Access /cache/recovery
allow dumpstate cache_recovery_file:dir r_dir_perms;
allow dumpstate cache_recovery_file:file r_file_perms;

# Access /data/misc/recovery
allow dumpstate recovery_data_file:dir r_dir_perms;
allow dumpstate recovery_data_file:file r_file_perms;

# Access /data/misc/update_engine_log
allow dumpstate update_engine_log_data_file:dir r_dir_perms;
allow dumpstate update_engine_log_data_file:file r_file_perms;

# Access /data/misc/profiles/{cur,ref}/
# Debuggable (userdebug/eng) builds only; user builds do not get this.
userdebug_or_eng(`
  allow dumpstate user_profile_data_file:dir r_dir_perms;
  allow dumpstate user_profile_data_file:file r_file_perms;
')

# Access /data/misc/logd
allow dumpstate misc_logd_file:dir r_dir_perms;
allow dumpstate misc_logd_file:file r_file_perms;

# Access /data/misc/prereboot
allow dumpstate prereboot_data_file:dir r_dir_perms;
allow dumpstate prereboot_data_file:file r_file_perms;

# Directory listing only (no file reads) for app FUSE and overlayfs mounts.
allow dumpstate app_fuse_file:dir r_dir_perms;
allow dumpstate overlayfs_file:dir r_dir_perms;

# Find every registered service except the ones excluded below; the dontaudit
# that follows keeps lookups of those excluded services out of the audit log.
allow dumpstate {
  service_manager_type
  -apex_service
  -dumpstate_service
  -gatekeeper_service
  -virtual_touchpad_service
  -vold_service
  -vr_hwc_service
  -default_android_service
}:service_manager find;
# suppress denials for services dumpstate should not be accessing.
dontaudit dumpstate {
  apex_service
  dumpstate_service
  gatekeeper_service
  virtual_touchpad_service
  vold_service
  vr_hwc_service
}:service_manager find;

# Most of these are neverallowed.
dontaudit dumpstate hwservice_manager_type:hwservice_manager find;

allow dumpstate servicemanager:service_manager list;
allow dumpstate hwservicemanager:hwservice_manager list;

# NOTE(review): read/write on all pseudo-terminals; presumably for running
# interactive tools — the specific need is not recorded here, confirm.
allow dumpstate devpts:chr_file rw_file_perms;

# Set properties.
# dumpstate_prop is used to share state with the Shell app.
set_prop(dumpstate, dumpstate_prop)
set_prop(dumpstate, exported_dumpstate_prop)
# dumpstate_options_prop is used to pass extra command-line args.
set_prop(dumpstate, dumpstate_options_prop)

# Read any system properties
# (property_type covers every property, including ones other domains keep
# private; the values end up in the report)
get_prop(dumpstate, property_type)

# Access to /data/media.
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
allow dumpstate media_rw_data_file:dir getattr;
allow dumpstate proc_interrupts:file r_file_perms;
allow dumpstate proc_zoneinfo:file r_file_perms;

# Create a service for talking back to system_server
add_service(dumpstate, dumpstate_service)

# use /dev/ion for screen capture
allow dumpstate ion_device:chr_file r_file_perms;

# Allow dumpstate to run top
allow dumpstate proc_stat:file r_file_perms;

# PSI (pressure stall information) for cpu / memory / io.
allow dumpstate proc_pressure_cpu:file r_file_perms;
allow dumpstate proc_pressure_mem:file r_file_perms;
allow dumpstate proc_pressure_io:file r_file_perms;

# Allow dumpstate to talk to installd over binder
# NOTE(review): the trailing ';' after this macro (also on the bufferhubd and
# mediaswcodec lines below) is not needed — the macro already expands to
# complete rules — and is inconsistent with the other binder_call() lines.
binder_call(dumpstate, installd);

# Allow dumpstate to talk to iorapd over binder.
binder_call(dumpstate, iorapd)

# Allow dumpstate to run ip xfrm policy
allow dumpstate self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read };

# Allow dumpstate to run iotop
allow dumpstate self:netlink_socket create_socket_perms_no_ioctl;
# newer kernels (e.g. 4.4) have a new class for sockets
allow dumpstate self:netlink_generic_socket create_socket_perms_no_ioctl;

# Allow dumpstate to run ss
allow dumpstate { domain pdx_channel_socket_type pdx_endpoint_socket_type }:socket_class_set getattr;

# Allow dumpstate to read linkerconfig directory
allow dumpstate linkerconfig_file:dir { read open };

# For when dumpstate runs df
# (silence the expected denials rather than granting access to these mounts)
dontaudit dumpstate {
  mnt_vendor_file
  mirror_data_file
  mnt_user_file
}:dir search;
dontaudit dumpstate {
  apex_mnt_dir
  linkerconfig_file
  mirror_data_file
  mnt_user_file
}:dir getattr;

# Allow dumpstate to talk to bufferhubd over binder
binder_call(dumpstate, bufferhubd);

# Allow dumpstate to talk to mediaswcodec over binder
binder_call(dumpstate, mediaswcodec);

# Allow dumpstate to talk to these stable AIDL services over binder
binder_call(dumpstate, hal_rebootescrow_server)
# The HAL writes its dump output into a pipe fd handed to it by dumpstate.
allow hal_rebootescrow_server dumpstate:fifo_file write;
allow hal_rebootescrow_server dumpstate:fd use;

# Allow dumpstate to kill vendor dumpstate service by init
set_prop(dumpstate, ctl_dumpstate_prop)

# Access /data/misc/snapshotctl_log
allow dumpstate snapshotctl_log_data_file:dir r_dir_perms;
allow dumpstate snapshotctl_log_data_file:file r_file_perms;

# Allow access to /dev/binderfs/binder_logs
allow dumpstate binderfs_logs:dir r_dir_perms;
allow dumpstate binderfs_logs:file r_file_perms;

###
### neverallow rules
###

# dumpstate has capability sys_ptrace, but should only use that capability for
# accessing sensitive /proc/PID files, never for using ptrace attach.
neverallow dumpstate *:process ptrace;

# only system_server, dumpstate, traceur_app and shell can find the dumpstate service
neverallow {
  domain
  -system_server
  -shell
  -traceur_app
  -dumpstate
} dumpstate_service:service_manager find;