# SELinux policy for the crash_dump domain.
# The rules below decide which processes crash_dump may ptrace or signal,
# then pin those decisions with neverallow assertions.

# Tag crash_dump with the coredomain attribute.
typeattribute crash_dump coredomain;

# Crash dump does not need to access devices passed across exec().
# dontaudit only silences the denial log; read and write on these character
# devices stay denied.
dontaudit crash_dump { devpts dev_type }:chr_file { read write };

# crash_dump may ptrace and signal every domain except the ones subtracted
# below. ptrace exposes the memory of the traced process to the tracer, so
# each subtraction keeps the state of that domain away from crash_dump.
# NOTE(review): presumably these domains are excluded because they hold
# secrets or are critical to system stability - confirm against the policy
# of each owning domain before removing an entry.
allow crash_dump {
  domain
  -apexd -bpfloader -crash_dump -init -kernel -keystore
  -llkd -logd -ueventd -vendor_init -vold
}:process { ptrace signal sigchld sigstop sigkill };

# Debug builds only: five of the excluded domains become valid targets again.
# bpfloader, crash_dump itself, init, kernel, ueventd and vendor_init stay
# excluded on every build variant.
# TODO(b/186868271): Remove the keystore exception soon-ish (maybe by May 14, 2021?)
# NOTE(review): the date suggested in the TODO above is in the past. Confirm
# the status of the bug and whether keystore still needs to be listed here,
# since tracing keystore exposes its process memory on debug builds.
userdebug_or_eng(`
  allow crash_dump { apexd keystore llkd logd vold }:process {
    ptrace signal sigchld sigstop sigkill
  };
')

###
### neverallow assertions
###

# ptrace neverallow assertions are spread throughout the other policy
# files, so we avoid adding redundant assertions here

# Build-time assertion that mirrors the allow rule above: no rule may let
# crash_dump signal, stop or kill these domains. On userdebug and eng builds
# the macro subtracts the five debug-only targets, so the assertion and the
# debug allow rule do not conflict. Only signal, sigstop and sigkill are
# asserted here; ptrace and sigchld are not part of this statement.
neverallow crash_dump {
  apexd userdebug_or_eng(`-apexd')
  bpfloader
  init
  kernel
  keystore userdebug_or_eng(`-keystore')
  llkd userdebug_or_eng(`-llkd')
  logd userdebug_or_eng(`-logd')
  ueventd
  vendor_init
  vold userdebug_or_eng(`-vold')
}:process { signal sigstop sigkill };

# crash_dump must never trace a process in its own domain.
neverallow crash_dump self:process ptrace;
# No permission of any kind on the GPU character device.
neverallow crash_dump gpu_device:chr_file *;

# Read ART APEX data directory
allow crash_dump apex_art_data_file:dir { getattr search };
allow crash_dump apex_art_data_file:file r_file_perms;