# dumpstate: the bugreport collector.
# This domain is intentionally broad (it reads /proc of every domain, logs,
# and many /data areas), so it is bounded by the neverallow rules at the end
# of this file. Keep new rules as narrow as the collector actually needs.
type dumpstate, domain, mlstrustedsubject;
type dumpstate_exec, system_file_type, exec_type, file_type;

net_domain(dumpstate)
binder_use(dumpstate)
wakelock_use(dumpstate)

# Allow setting process priority, protect from OOM killer, and dropping
# privileges by switching UID / GID
allow dumpstate self:global_capability_class_set { setuid setgid sys_resource };

# Allow dumpstate to scan through /proc/pid for all processes
r_dir_file(dumpstate, domain)

allow dumpstate self:global_capability_class_set {
  # Send signals to processes
  kill
  # Run iptables
  net_raw
  net_admin
};

# Allow executing files on system, such as:
#  /system/bin/toolbox
#  /system/bin/logcat
#  /system/bin/dumpsys
allow dumpstate system_file:file execute_no_trans;
not_full_treble(`allow dumpstate vendor_file:file execute_no_trans;')
allow dumpstate toolbox_exec:file rx_file_perms;

# hidl searches for files in /system/lib(64)/hw/
allow dumpstate system_file:dir r_dir_perms;

# Create and write into /data/anr/
# dac_override / dac_read_search bypass the discretionary (UID/GID) file
# checks; the type-based rules in this file still bound which labels are
# reachable.
allow dumpstate self:global_capability_class_set { dac_override dac_read_search chown fowner fsetid };
allow dumpstate anr_data_file:dir rw_dir_perms;
allow dumpstate anr_data_file:file create_file_perms;

# Allow reading /data/system/uiderrors.txt
# TODO: scope this down. r_file_perms on system_data_file grants read on every
# file carrying that label, not only uiderrors.txt.
allow dumpstate system_data_file:file r_file_perms;

# Allow dumpstate to append into apps' private files.
# Append only: no read, create or truncate is granted here.
allow dumpstate { privapp_data_file app_data_file }:file append;

# Read dmesg
allow dumpstate self:global_capability2_class_set syslog;
allow dumpstate kernel:system syslog_read;

# Read /sys/fs/pstore/console-ramoops
allow dumpstate pstorefs:dir r_dir_perms;
allow dumpstate pstorefs:file r_file_perms;

# Get process attributes
allow dumpstate domain:process getattr;

# Signal java processes to dump their stack
allow dumpstate { appdomain system_server zygote }:process signal;

# Signal native processes to dump their stack.
# Only the signal permission is granted; ptrace is forbidden by the
# neverallow at the end of this file.
allow dumpstate {
  # This list comes from native_processes_to_dump in dumputils/dump_utils.c
  audioserver
  cameraserver
  drmserver
  inputflinger
  mediadrmserver
  mediaextractor
  mediametrics
  mediaserver
  mediaswcodec
  sdcardd
  surfaceflinger
  vold

  # This list comes from hal_interfaces_to_dump in dumputils/dump_utils.c
  evsmanagerd
  hal_audio_server
  hal_audiocontrol_server
  hal_bluetooth_server
  hal_broadcastradio_server
  hal_camera_server
  hal_codec2_server
  hal_drm_server
  hal_evs_server
  hal_face_server
  hal_fingerprint_server
  hal_graphics_allocator_server
  hal_graphics_composer_server
  hal_health_server
  hal_input_processor_server
  hal_neuralnetworks_server
  hal_omx_server
  hal_power_server
  hal_power_stats_server
  hal_sensors_server
  hal_thermal_server
  hal_vehicle_server
  hal_vr_server
  system_suspend_server
}:process signal;

# Connect to tombstoned to intercept dumps.
unix_socket_connect(dumpstate, tombstoned_intercept, tombstoned)

# Access to /sys
allow dumpstate sysfs_type:dir r_dir_perms;

# File reads under /sys are limited to these specific labels.
allow dumpstate {
  sysfs_devices_block
  sysfs_dm
  sysfs_loop
  sysfs_usb
  sysfs_zram
}:file r_file_perms;

# Ignore other file access under /sys.
dontaudit dumpstate sysfs:file r_file_perms;

# Other random bits of data we want to collect
no_debugfs_restriction(`
  allow dumpstate debugfs:file r_file_perms;
  auditallow dumpstate debugfs:file r_file_perms;

  allow dumpstate debugfs_mmc:file r_file_perms;
')

# For running df: search and getattr on the mount points it reports on.
allow dumpstate {
  block_device
  cache_file
  metadata_file
  rootfs
  selinuxfs
  storage_file
  tmpfs
}:dir { search getattr };
allow dumpstate fuse_device:chr_file getattr;
allow dumpstate { dm_device cache_block_device }:blk_file getattr;
allow dumpstate { cache_file rootfs }:lnk_file { getattr read };

# Read /dev/cpuctl and /dev/cpuset
r_dir_file(dumpstate, cgroup)
r_dir_file(dumpstate, cgroup_v2)

# Allow dumpstate to make binder calls to any binder service
binder_call(dumpstate, binderservicedomain)
binder_call(dumpstate, { appdomain netd wificond })

# Allow dumpstate to call dump() on specific hals.
dump_hal(hal_audio)
dump_hal(hal_audiocontrol)
dump_hal(hal_authsecret)
dump_hal(hal_bluetooth)
dump_hal(hal_broadcastradio)
dump_hal(hal_camera)
dump_hal(hal_codec2)
dump_hal(hal_contexthub)
dump_hal(hal_drm)
dump_hal(hal_dumpstate)
dump_hal(hal_evs)
dump_hal(hal_face)
dump_hal(hal_fingerprint)
dump_hal(hal_gnss)
dump_hal(hal_graphics_allocator)
dump_hal(hal_graphics_composer)
dump_hal(hal_health)
dump_hal(hal_identity)
dump_hal(hal_input_processor)
dump_hal(hal_keymint)
dump_hal(hal_light)
dump_hal(hal_memtrack)
dump_hal(hal_neuralnetworks)
dump_hal(hal_nfc)
dump_hal(hal_oemlock)
dump_hal(hal_power)
dump_hal(hal_power_stats)
dump_hal(hal_rebootescrow)
dump_hal(hal_sensors)
dump_hal(hal_thermal)
dump_hal(hal_vehicle)
dump_hal(hal_weaver)
dump_hal(hal_wifi)

# Vibrate the device after we are done collecting the bugreport
hal_client_domain(dumpstate, hal_vibrator)

# Reading /proc/PID/maps of other processes.
# The capability is granted only for /proc/PID reads; the neverallow at the
# end of this file forbids ptrace attach.
allow dumpstate self:global_capability_class_set sys_ptrace;

# Allow the bugreport service to create a file in
# /data/data/com.android.shell/files/bugreports/bugreport
allow dumpstate shell_data_file:dir create_dir_perms;
allow dumpstate shell_data_file:file create_file_perms;

# Run a shell.
allow dumpstate shell_exec:file rx_file_perms;

# For running am and similar framework commands.
# Run /system/bin/app_process.
allow dumpstate zygote_exec:file rx_file_perms;

# For Bluetooth
allow dumpstate bluetooth_data_file:dir search;
allow dumpstate bluetooth_logs_data_file:dir r_dir_perms;
allow dumpstate bluetooth_logs_data_file:file r_file_perms;

# For Nfc
allow dumpstate nfc_logs_data_file:dir r_dir_perms;
allow dumpstate nfc_logs_data_file:file r_file_perms;

# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
allow dumpstate gpu_device:chr_file rw_file_perms;
allow dumpstate gpu_device:dir r_dir_perms;

# logd access
read_logd(dumpstate)
control_logd(dumpstate)
read_runtime_log_tags(dumpstate)

# Read files in /proc
allow dumpstate {
  proc_bootconfig
  proc_buddyinfo
  proc_cmdline
  proc_meminfo
  proc_modules
  proc_net_type
  proc_pipe_conf
  proc_pagetypeinfo
  proc_qtaguid_ctrl
  proc_qtaguid_stat
  proc_slabinfo
  proc_version
  proc_vmallocinfo
  proc_vmstat
}:file r_file_perms;

# Read network state info files.
allow dumpstate net_data_file:dir search;
allow dumpstate net_data_file:file r_file_perms;

# List sockets via ss.
allow dumpstate self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };

# Access /data/tombstones.
allow dumpstate tombstone_data_file:dir r_dir_perms;
allow dumpstate tombstone_data_file:file r_file_perms;

# Access /cache/recovery
allow dumpstate cache_recovery_file:dir r_dir_perms;
allow dumpstate cache_recovery_file:file r_file_perms;

# Access /data/misc/recovery
allow dumpstate recovery_data_file:dir r_dir_perms;
allow dumpstate recovery_data_file:file r_file_perms;

# Access /data/misc/update_engine & /data/misc/update_engine_log
allow dumpstate { update_engine_data_file update_engine_log_data_file }:dir r_dir_perms;
allow dumpstate { update_engine_data_file update_engine_log_data_file }:file r_file_perms;

# Access /data/misc/profiles/{cur,ref}/
# Only on userdebug or eng builds; not granted on user builds.
userdebug_or_eng(`
  allow dumpstate { user_profile_root_file user_profile_data_file}:dir r_dir_perms;
  allow dumpstate user_profile_data_file:file r_file_perms;
')

# Access /data/misc/logd
allow dumpstate misc_logd_file:dir r_dir_perms;
allow dumpstate misc_logd_file:file r_file_perms;

# Access /data/misc/prereboot
allow dumpstate prereboot_data_file:dir r_dir_perms;
allow dumpstate prereboot_data_file:file r_file_perms;

# Read-only directory access to app fuse mounts and overlayfs.
allow dumpstate app_fuse_file:dir r_dir_perms;
allow dumpstate overlayfs_file:dir r_dir_perms;

# Find any binder service except the excluded ones below; the matching
# dontaudit keeps the expected lookups of those services out of the audit log.
allow dumpstate {
  service_manager_type
  -apex_service
  -dumpstate_service
  -gatekeeper_service
  -hal_service_type
  -virtual_touchpad_service
  -vold_service
  -default_android_service
}:service_manager find;
# suppress denials for services dumpstate should not be accessing.
dontaudit dumpstate {
  apex_service
  dumpstate_service
  gatekeeper_service
  hal_service_type
  virtual_touchpad_service
  vold_service
}:service_manager find;

# Most of these are neverallowed.
dontaudit dumpstate hwservice_manager_type:hwservice_manager find;

allow dumpstate servicemanager:service_manager list;
allow dumpstate hwservicemanager:hwservice_manager list;

# Read/write pseudo-terminal devices (devpts); the reason is not documented
# here.
allow dumpstate devpts:chr_file rw_file_perms;

# Read any system properties
get_prop(dumpstate, property_type)

# Access to /data/media.
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
allow dumpstate media_rw_data_file:dir getattr;
# Additional /proc files (unrelated to the /data/media rule above).
allow dumpstate proc_interrupts:file r_file_perms;
allow dumpstate proc_zoneinfo:file r_file_perms;

# Create a service for talking back to system_server
add_service(dumpstate, dumpstate_service)

# use /dev/ion for screen capture
allow dumpstate ion_device:chr_file r_file_perms;

# Allow dumpstate to run top
allow dumpstate proc_stat:file r_file_perms;

# Pressure stall information (PSI) files under /proc/pressure.
allow dumpstate proc_pressure_cpu:file r_file_perms;
allow dumpstate proc_pressure_mem:file r_file_perms;
allow dumpstate proc_pressure_io:file r_file_perms;

# Allow dumpstate to run ps
allow dumpstate proc_pid_max:file r_file_perms;

# Allow dumpstate to talk to installd over binder
binder_call(dumpstate, installd);

# Allow dumpstate to run ip xfrm policy
allow dumpstate self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read };

# Allow dumpstate to run iotop
allow dumpstate self:netlink_socket create_socket_perms_no_ioctl;
# newer kernels (e.g. 4.4) have a new class for sockets
allow dumpstate self:netlink_generic_socket create_socket_perms_no_ioctl;

# Allow dumpstate to run ss
allow dumpstate { domain pdx_channel_socket_type pdx_endpoint_socket_type }:socket_class_set getattr;

# Allow dumpstate to read linkerconfig directory
allow dumpstate linkerconfig_file:dir { read open };

# For when dumpstate runs df
dontaudit dumpstate {
  mnt_vendor_file
  mirror_data_file
  mnt_user_file
  mnt_product_file
}:dir search;
dontaudit dumpstate {
  apex_mnt_dir
  linkerconfig_file
  mirror_data_file
  mnt_user_file
}:dir getattr;

# Allow dumpstate to talk to bufferhubd over binder
binder_call(dumpstate, bufferhubd);

# Allow dumpstate to talk to mediaswcodec over binder
binder_call(dumpstate, mediaswcodec);

# Access /data/misc/snapshotctl_log
allow dumpstate snapshotctl_log_data_file:dir r_dir_perms;
allow dumpstate snapshotctl_log_data_file:file r_file_perms;

# Allow access to /dev/binderfs/binder_logs
allow dumpstate binderfs_logs:dir r_dir_perms;
allow dumpstate binderfs_logs:file r_file_perms;
allow dumpstate binderfs_logs_proc:file r_file_perms;
allow dumpstate binderfs_logs_stats:file r_file_perms;

use_apex_info(dumpstate)

# Allow reading files under /data/system/shutdown-checkpoints/
allow dumpstate shutdown_checkpoints_system_data_file:dir r_dir_perms;
allow dumpstate shutdown_checkpoints_system_data_file:file r_file_perms;

###
### neverallow rules
###

# dumpstate has capability sys_ptrace, but should only use that capability for
# accessing sensitive /proc/PID files, never for using ptrace attach.
neverallow dumpstate *:process ptrace;

# only system_server, dumpstate, traceur_app and shell can find the dumpstate service
# (the service_manager find rule above additionally excludes dumpstate_service
# from the services dumpstate itself may look up).
neverallow {
  domain
  -system_server
  -shell
  -traceur_app
  -dumpstate
} dumpstate_service:service_manager find;