1typeattribute crash_dump coredomain; 2 3# Crash dump does not need to access devices passed across exec(). 4dontaudit crash_dump { devpts dev_type }:chr_file { read write }; 5 6allow crash_dump { 7 domain 8 -apexd 9 -bpfloader 10 -crash_dump 11 -init 12 -kernel 13 -keystore 14 -llkd 15 -logd 16 -ueventd 17 -vendor_init 18 -vold 19}:process { ptrace signal sigchld sigstop sigkill }; 20 21userdebug_or_eng(` 22 allow crash_dump { 23 apexd 24 keystore 25 llkd 26 logd 27 vold 28 }:process { ptrace signal sigchld sigstop sigkill }; 29') 30 31# Read ART APEX data directory 32allow crash_dump apex_art_data_file:dir { getattr search }; 33allow crash_dump apex_art_data_file:file r_file_perms; 34 35### 36### neverallow assertions 37### 38 39# sigchld not explicitly forbidden since it's part of the 40# domain-transition-on-exec macros, and is by itself not sensitive 41neverallow crash_dump { 42 apexd 43 userdebug_or_eng(`-apexd') 44 bpfloader 45 init 46 kernel 47 keystore 48 userdebug_or_eng(`-keystore') 49 llkd 50 userdebug_or_eng(`-llkd') 51 logd 52 userdebug_or_eng(`-logd') 53 ueventd 54 vendor_init 55 vold 56 userdebug_or_eng(`-vold') 57}:process { ptrace signal sigstop sigkill }; 58 59neverallow crash_dump self:process ptrace; 60neverallow crash_dump gpu_device:chr_file *; 61