# SELinux policy for the dumpstate domain (the bugreport collector). The
# neverallow rules that bound this domain are at the end of the file.
typeattribute dumpstate coredomain;
# Label for dumpstate's private tmpfs files (see the perfetto /dev/null notes
# further down).
type dumpstate_tmpfs, file_type;

# Started by init as a daemon.
init_daemon_domain(dumpstate)

# Execute and transition to the vdc domain
domain_auto_trans(dumpstate, vdc_exec, vdc)

# Create tmpfs files for using memfd descriptors to get output from child
# processes.
tmpfs_domain(dumpstate)

# Acquire advisory lock on /system/etc/xtables.lock from ip[6]tables
allow dumpstate system_file:file lock;

# Execute the storaged binary (no domain transition is declared for it here).
allow dumpstate storaged_exec:file rx_file_perms;

# /data/misc/a11ytrace for accessibility traces (debug builds only)
userdebug_or_eng(`
  allow dumpstate accessibility_trace_data_file:dir r_dir_perms;
  allow dumpstate accessibility_trace_data_file:file r_file_perms;
')

# /data/misc/wmtrace for wm traces (debug builds only)
userdebug_or_eng(`
  allow dumpstate wm_trace_data_file:dir r_dir_perms;
  allow dumpstate wm_trace_data_file:file r_file_perms;
')

# /data/system/dropbox for dropbox entries (debug builds only)
userdebug_or_eng(`
  allow dumpstate dropbox_data_file:dir r_dir_perms;
  allow dumpstate dropbox_data_file:file r_file_perms;
')

# Read aconfig flag storage metadata.
r_dir_file(dumpstate, aconfig_storage_metadata_file);

# Allow dumpstate to make binder calls to incidentd
binder_call(dumpstate, incidentd)

# Kill incident in case of a timeout
allow dumpstate incident:process { signal sigkill };

# Allow dumpstate to make binder calls to storaged service
binder_call(dumpstate, storaged)

# Allow dumpstate to make binder calls to statsd
binder_call(dumpstate, statsd)

# Allow dumpstate to talk to gpuservice over binder
binder_call(dumpstate, gpuservice);

# Allow dumpstate to talk to idmap over binder
binder_call(dumpstate, idmap);

# Allow dumpstate to talk to profcollectd over binder (debug builds only)
userdebug_or_eng(`
  binder_call(dumpstate, profcollectd)
')

# Allow dumpstate to talk to automotive_display_service over binder
binder_call(dumpstate, automotive_display_service)

# Allow dumpstate to talk to virtual_camera service over binder
binder_call(dumpstate, virtual_camera)

# Allow dumpstate to talk to ot_daemon service over binder
binder_call(dumpstate, ot_daemon)

# Allow dumpstate to talk to mmd service over binder
binder_call(dumpstate, mmd)

# Collect metrics on boot time created by init
get_prop(dumpstate, boottime_prop)

# Read misctrl properties.
get_prop(dumpstate, misctrl_prop)

# Signal native processes to dump their stack.
# (A second, longer list of signal targets appears later in this file.)
allow dumpstate {
  mediatranscoding
  statsd
  netd
  virtual_camera
  ot_daemon
}:process signal;

# Only allow dumpstate to dump Keystore on debuggable builds.
userdebug_or_eng(`
  allow dumpstate keystore:process signal;
')
# On user builds the signal is denied silently instead of being logged.
dontaudit dumpstate keystore:process { signal };

# For collecting bugreports.
no_debugfs_restriction(`
  allow dumpstate debugfs_wakeup_sources:file r_file_perms;
')

# stat() any block device node.
allow dumpstate dev_type:blk_file getattr;
allow dumpstate webview_zygote:process signal;
allow dumpstate sysfs_dmabuf_stats:file r_file_perms;
# Binder calls into update_engine are not granted; just keep them out of the log.
dontaudit dumpstate update_engine:binder call;

# Read files in /proc
# (proc_pid_max is also granted again further down; a second /proc list
# exists later in this file.)
allow dumpstate {
  config_gz
  proc_net_tcp_udp
  proc_pid_max
}:file r_file_perms;

# For communicating with the system process to do confirmation UI.
binder_call(dumpstate, incidentcompanion_service)

# Set properties.
# dumpstate_prop is used to share state with the Shell app.
set_prop(dumpstate, dumpstate_prop)
set_prop(dumpstate, exported_dumpstate_prop)

# dumpstate_options_prop is used to pass extra command-line args.
set_prop(dumpstate, dumpstate_options_prop)

# Allow dumpstate to ask init to kill the vendor dumpstate service
# (ctl_dumpstate_prop).
set_prop(dumpstate, ctl_dumpstate_prop)

# For dumping dynamic partition information.
set_prop(dumpstate, lpdumpd_prop)
binder_call(dumpstate, lpdumpd)

# For dumping hypervisor information.
get_prop(dumpstate, hypervisor_prop)

# For dumping device-mapper and snapshot information.
allow dumpstate gsid_exec:file rx_file_perms;
set_prop(dumpstate, ctl_gsid_prop)
binder_call(dumpstate, gsid)

# Allow access to /dev/binderfs/binder_logs.
# The transaction log is readable on debug builds only; on user builds the
# denial is suppressed rather than logged.
userdebug_or_eng(`
  allow dumpstate binderfs_logs_transactions:file r_file_perms;
')
dontaudit dumpstate binderfs_logs_transactions:file r_file_perms;
allow dumpstate binderfs_logs_transaction_history:file r_file_perms;

# Read OTA metadata.
r_dir_file(dumpstate, ota_metadata_file)

# For starting (and killing) perfetto --save-for-bugreport. If a labelled trace
# is being recorded, the command above will serialize it into
# /data/misc/perfetto-traces/bugreport/*.pftrace .
# perfetto runs in its own domain; dumpstate only needs search on the parent
# traces directory and read/unlink on the bugreport output.
domain_auto_trans(dumpstate, perfetto_exec, perfetto)
allow dumpstate perfetto:process signal;
allow dumpstate perfetto_traces_data_file:dir { search };
allow dumpstate perfetto_traces_bugreport_data_file:dir rw_dir_perms;
allow dumpstate perfetto_traces_bugreport_data_file:file { r_file_perms unlink };

# When exec-ing /system/bin/perfetto, dumpstate redirects stdio to /dev/null
# (which is labelled as dumpstate_tmpfs) to avoid leaking a FD to the bugreport
# zip file. These rules are to allow perfetto.te to inherit dumpstate's
# /dev/null.
allow perfetto dumpstate_tmpfs:file rw_file_perms;
allow perfetto dumpstate:fd use;

# system_dlkm_file for /system_dlkm partition
allow dumpstate system_dlkm_file:dir getattr;

# Allow dumpstate to execute derive_sdk in its own domain
domain_auto_trans(dumpstate, derive_sdk_exec, derive_sdk)

net_domain(dumpstate)
binder_use(dumpstate)
wakelock_use(dumpstate)

# Allow setting process priority, protect from OOM killer, and dropping
# privileges by switching UID / GID
allow dumpstate self:global_capability_class_set { setuid setgid sys_resource };

# Allow dumpstate to scan through /proc/pid for all processes
r_dir_file(dumpstate, domain)

allow dumpstate self:global_capability_class_set {
  # Send signals to processes
  kill
  # Run iptables
  net_raw
  net_admin
};

# Allow executing files on system, such as:
# /system/bin/toolbox
# /system/bin/logcat
# /system/bin/dumpsys
# execute_no_trans: these run inside the dumpstate domain itself.
allow dumpstate system_file:file execute_no_trans;
not_full_treble(`allow dumpstate vendor_file:file execute_no_trans;')
allow dumpstate toolbox_exec:file rx_file_perms;

# hidl searches for files in /system/lib(64)/hw/
allow dumpstate system_file:dir r_dir_perms;

# Create and write into /data/anr/
# Note: dac_override / dac_read_search bypass DAC checks process-wide; they are
# not scoped to /data/anr/ even though that is the reason they are granted.
allow dumpstate self:global_capability_class_set { dac_override dac_read_search chown fowner fsetid };
allow dumpstate anr_data_file:dir rw_dir_perms;
allow dumpstate anr_data_file:file create_file_perms;

# Allow reading /data/system/uiderrors.txt
# TODO: scope this down. As written this grants read on every file labelled
# system_data_file, not just uiderrors.txt.
allow dumpstate system_data_file:file r_file_perms;

# Allow dumpstate to append into apps' private files.
# Append only; this rule does not grant read on app private files.
allow dumpstate app_data_file_type:file append;

# Read dmesg
allow dumpstate self:global_capability2_class_set syslog;
allow dumpstate kernel:system syslog_read;

# Read /sys/fs/pstore/console-ramoops
allow dumpstate pstorefs:dir r_dir_perms;
allow dumpstate pstorefs:file r_file_perms;

# Get process attributes
allow dumpstate domain:process getattr;

# Signal java processes to dump their stack
allow dumpstate { appdomain system_server zygote app_zygote }:process signal;

# Signal native processes to dump their stack.
# Keep the two lists below in sync with dumputils/dump_utils.c; a target
# missing here shows up as a denied signal and no stack in the bugreport.
allow dumpstate {
  # This list comes from native_processes_to_dump in dumputils/dump_utils.c
  audioserver
  cameraserver
  drmserver
  inputflinger
  mediadrmserver
  mediaextractor
  mediametrics
  mediaserver
  mediaswcodec
  sdcardd
  surfaceflinger
  vold

  # This list comes from hal_interfaces_to_dump in dumputils/dump_utils.c
  evsmanagerd
  hal_audio_server
  hal_audiocontrol_server
  hal_bluetooth_server
  hal_broadcastradio_server
  hal_camera_server
  hal_codec2_server
  hal_drm_server
  hal_evs_server
  hal_face_server
  hal_fingerprint_server
  hal_graphics_allocator_server
  hal_graphics_composer_server
  hal_health_server
  hal_input_processor_server
  hal_neuralnetworks_server
  hal_omx_server
  hal_power_server
  hal_power_stats_server
  hal_sensors_server
  hal_thermal_server
  hal_vehicle_server
  hal_vr_server
  system_suspend_server
}:process signal;

# On userdebug, dumpstate may fork and execute a command as su. Make sure the
# timeout logic is allowed to terminate the child process if necessary.
userdebug_or_eng(`
  allow dumpstate su:process { signal sigkill };
')

# Connect to tombstoned to intercept dumps.
unix_socket_connect(dumpstate, tombstoned_intercept, tombstoned)

# Access to /sys
allow dumpstate sysfs_type:dir r_dir_perms;

allow dumpstate {
  sysfs_devices_block
  sysfs_dm
  sysfs_loop
  sysfs_usb
  sysfs_zram
}:file r_file_perms;

# Ignore other file access under /sys.
dontaudit dumpstate sysfs:file r_file_perms;

# Other random bits of data we want to collect
no_debugfs_restriction(`
  allow dumpstate debugfs:file r_file_perms;
  # auditallow: every permitted debugfs read is logged so the surface this
  # grant is actually used for stays visible.
  auditallow dumpstate debugfs:file r_file_perms;

  allow dumpstate debugfs_mmc:file r_file_perms;
')

# Mount points that df stats: search + getattr on the directories only, no
# read of their contents.
allow dumpstate {
  block_device
  cache_file
  metadata_file
  rootfs
  selinuxfs
  storage_file
  tmpfs
}:dir { search getattr };
allow dumpstate fuse_device:chr_file getattr;
allow dumpstate { dm_device cache_block_device }:blk_file getattr;
allow dumpstate { cache_file rootfs }:lnk_file { getattr read };

# Read /dev/cpuctl and /dev/cpuset
r_dir_file(dumpstate, cgroup)
r_dir_file(dumpstate, cgroup_v2)

# Allow dumpstate to make binder calls to any binder service
binder_call(dumpstate, binderservicedomain)
binder_call(dumpstate, { appdomain artd netd wificond })

# Allow dumpstate to call dump() on specific hals.
# Each dump_hal() entry is one HAL whose dump() dumpstate may invoke; adding a
# HAL here widens what ends up in a bugreport.
dump_hal(hal_audio)
dump_hal(hal_audiocontrol)
dump_hal(hal_authgraph)
dump_hal(hal_authsecret)
dump_hal(hal_bluetooth)
dump_hal(hal_broadcastradio)
dump_hal(hal_camera)
dump_hal(hal_codec2)
dump_hal(hal_contexthub)
dump_hal(hal_drm)
dump_hal(hal_dumpstate)
dump_hal(hal_evs)
dump_hal(hal_face)
dump_hal(hal_fingerprint)
dump_hal(hal_gnss)
dump_hal(hal_graphics_allocator)
dump_hal(hal_graphics_composer)
dump_hal(hal_health)
dump_hal(hal_identity)
dump_hal(hal_input_processor)
dump_hal(hal_keymint)
dump_hal(hal_light)
dump_hal(hal_memtrack)
dump_hal(hal_neuralnetworks)
dump_hal(hal_nfc)
dump_hal(hal_oemlock)
dump_hal(hal_power)
dump_hal(hal_power_stats)
dump_hal(hal_rebootescrow)
dump_hal(hal_secretkeeper)
dump_hal(hal_sensors)
dump_hal(hal_thermal)
dump_hal(hal_vehicle)
dump_hal(hal_vm_capabilities)
dump_hal(hal_weaver)
dump_hal(hal_wifi)

# Vibrate the device after we are done collecting the bugreport
hal_client_domain(dumpstate, hal_vibrator)

# Reading /proc/PID/maps of other processes.
# The ptrace permission itself is neverallowed at the end of this file, so this
# capability is limited to the /proc/PID access checks.
allow dumpstate self:global_capability_class_set sys_ptrace;

# Allow the bugreport service to create a file in
# /data/data/com.android.shell/files/bugreports/bugreport
allow dumpstate shell_data_file:dir create_dir_perms;
allow dumpstate shell_data_file:file create_file_perms;

# Run a shell.
allow dumpstate shell_exec:file rx_file_perms;

# For running am and similar framework commands.
# Run /system/bin/app_process.
allow dumpstate zygote_exec:file rx_file_perms;

# For Bluetooth
allow dumpstate bluetooth_data_file:dir search;
allow dumpstate bluetooth_logs_data_file:dir r_dir_perms;
allow dumpstate bluetooth_logs_data_file:file r_file_perms;

# For Nfc
allow dumpstate nfc_logs_data_file:dir r_dir_perms;
allow dumpstate nfc_logs_data_file:file r_file_perms;

# For uwb
# (search on the parent apex directories; read is limited to apex_uwb_data_file,
# which is also fenced by a neverallow at the end of this file)
allow dumpstate apex_module_data_file:dir search;
allow dumpstate apex_system_server_data_file:dir search;
allow dumpstate apex_uwb_data_file:dir r_dir_perms;
allow dumpstate apex_uwb_data_file:file r_file_perms;

# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
allow dumpstate gpu_device:chr_file rw_file_perms;
allow dumpstate gpu_device:dir r_dir_perms;

# logd access
read_logd(dumpstate)
control_logd(dumpstate)
read_runtime_log_tags(dumpstate)

# Read files in /proc
# (a smaller /proc list also exists near the top of this file)
allow dumpstate {
  proc_allocinfo
  proc_bootconfig
  proc_buddyinfo
  proc_cmdline
  proc_cgroups
  proc_meminfo
  proc_modules
  proc_net_type
  proc_pipe_conf
  proc_pagetypeinfo
  proc_qtaguid_ctrl
  proc_qtaguid_stat
  proc_slabinfo
  proc_version
  proc_vmallocinfo
  proc_vmstat
}:file r_file_perms;

# Read network state info files.
allow dumpstate net_data_file:dir search;
allow dumpstate net_data_file:file r_file_perms;

# List sockets via ss.
allow dumpstate self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };

# Access /data/tombstones.
allow dumpstate tombstone_data_file:dir r_dir_perms;
allow dumpstate tombstone_data_file:file r_file_perms;

# Access /cache/recovery
allow dumpstate cache_recovery_file:dir r_dir_perms;
allow dumpstate cache_recovery_file:file r_file_perms;

# Access /data/misc/recovery
allow dumpstate recovery_data_file:dir r_dir_perms;
allow dumpstate recovery_data_file:file r_file_perms;

# Access /data/misc/update_engine & /data/misc/update_engine_log
allow dumpstate { update_engine_data_file update_engine_log_data_file }:dir r_dir_perms;
allow dumpstate { update_engine_data_file update_engine_log_data_file }:file r_file_perms;

# Access /data/misc/snapuserd_log
allow dumpstate snapuserd_log_data_file:dir r_dir_perms;
allow dumpstate snapuserd_log_data_file:file r_file_perms;

# Access /data/misc/profiles/{cur,ref}/ (debug builds only)
userdebug_or_eng(`
  allow dumpstate { user_profile_root_file user_profile_data_file}:dir r_dir_perms;
  allow dumpstate user_profile_data_file:file r_file_perms;
')

# Access /data/misc/logd
allow dumpstate misc_logd_file:dir r_dir_perms;
allow dumpstate misc_logd_file:file r_file_perms;

# Access /data/misc/prereboot
allow dumpstate prereboot_data_file:dir r_dir_perms;
allow dumpstate prereboot_data_file:file r_file_perms;

# Directory listing only for app fuse and overlayfs mounts.
allow dumpstate app_fuse_file:dir r_dir_perms;
allow dumpstate overlayfs_file:dir r_dir_perms;

# Find every service except the ones excluded below; the matching dontaudit
# that follows keeps the excluded ones quiet.
allow dumpstate {
  service_manager_type
  -apex_service
  -dumpstate_service
  -gatekeeper_service
  -hal_service_type
  -virtual_touchpad_service
  -vold_service
  -fwk_vold_service
  -default_android_service
}:service_manager find;
# suppress denials for services dumpstate should not be accessing.
dontaudit dumpstate {
  apex_service
  dumpstate_service
  gatekeeper_service
  hal_service_type
  virtual_touchpad_service
  vold_service
  fwk_vold_service
}:service_manager find;

# Most of these are neverallowed.
dontaudit dumpstate hwservice_manager_type:hwservice_manager find;

allow dumpstate servicemanager:service_manager list;
allow dumpstate hwservicemanager:hwservice_manager list;

allow dumpstate devpts:chr_file rw_file_perms;

# Read any system properties.
# property_type covers every property type, so anything stored in a property
# is readable by dumpstate and can end up in a bugreport.
get_prop(dumpstate, property_type)

# Access to /data/media.
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
allow dumpstate media_rw_data_file:dir getattr;
allow dumpstate proc_interrupts:file r_file_perms;
allow dumpstate proc_zoneinfo:file r_file_perms;

# Create a service for talking back to system_server
add_service(dumpstate, dumpstate_service)

# use /dev/ion for screen capture
allow dumpstate ion_device:chr_file r_file_perms;

# Allow dumpstate to run top
allow dumpstate proc_stat:file r_file_perms;

# PSI (pressure stall) files.
allow dumpstate proc_pressure_cpu:file r_file_perms;
allow dumpstate proc_pressure_mem:file r_file_perms;
allow dumpstate proc_pressure_io:file r_file_perms;

# Allow dumpstate to run ps
# (proc_pid_max is also in the /proc list near the top of this file)
allow dumpstate proc_pid_max:file r_file_perms;

# Allow dumpstate to talk to installd over binder
binder_call(dumpstate, installd);

# Allow dumpstate to run ip xfrm policy
allow dumpstate self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read };

# Allow dumpstate to run iotop
allow dumpstate self:netlink_socket create_socket_perms_no_ioctl;
# newer kernels (e.g. 4.4) have a new class for sockets
allow dumpstate self:netlink_generic_socket create_socket_perms_no_ioctl;

# Allow dumpstate to run ss
allow dumpstate { domain pdx_channel_socket_type pdx_endpoint_socket_type }:socket_class_set getattr;

# Allow dumpstate to read linkerconfig directory
allow dumpstate linkerconfig_file:dir { read open };

# For when dumpstate runs df
dontaudit dumpstate {
  mnt_vendor_file
  mirror_data_file
  mnt_user_file
  mnt_product_file
}:dir search;
dontaudit dumpstate {
  apex_mnt_dir
  linkerconfig_file
  mirror_data_file
  mnt_user_file
  vm_data_file
}:dir getattr;

# Suppress denials for dumpstate calling virtualizationservice (not granted).
dontaudit dumpstate virtualizationservice:binder { call };

# Allow dumpstate to talk to bufferhubd over binder
binder_call(dumpstate, bufferhubd);

# Allow dumpstate to talk to mediaswcodec over binder
binder_call(dumpstate, mediaswcodec);

# Access /data/misc/snapshotctl_log
allow dumpstate snapshotctl_log_data_file:dir r_dir_perms;
allow dumpstate snapshotctl_log_data_file:file r_file_perms;

# Allow access to /dev/binderfs/binder_logs
# (the transaction log itself is handled separately above, debug builds only)
allow dumpstate binderfs_logs:dir r_dir_perms;
allow dumpstate binderfs_logs:file r_file_perms;
allow dumpstate binderfs_logs_proc:file r_file_perms;
allow dumpstate binderfs_logs_stats:file r_file_perms;

use_apex_info(dumpstate)

# Allow reading files under /data/system/shutdown-checkpoints/
allow dumpstate shutdown_checkpoints_system_data_file:dir r_dir_perms;
allow dumpstate shutdown_checkpoints_system_data_file:file r_file_perms;

# Allow dumpstate to make binder calls to wifi_mainline_supplicant
binder_call(dumpstate, wifi_mainline_supplicant);

###
### neverallow rules
###
### These are compile-time assertions: a policy that grants any of the
### permissions below fails to build, so they are the hard boundary for the
### allow rules above.

# dumpstate has capability sys_ptrace, but should only use that capability for
# accessing sensitive /proc/PID files, never for using ptrace attach.
neverallow dumpstate *:process ptrace;

# only system_server, dumpstate, traceur_app and shell can find the dumpstate service
neverallow {
  domain
  -system_server
  -shell
  -traceur_app
  -dumpstate
} dumpstate_service:service_manager find;

# Only dumpstate, system_server and the listed related domains may access
# apex_uwb_data_file.
neverallow {
  domain
  -dumpstate
  -system_server
  -apexd
  -init
  -vold_prepare_subdirs
} apex_uwb_data_file:dir no_rw_file_perms;
neverallow {
  domain
  -dumpstate
  -system_server
  -apexd
  -init
  -vold_prepare_subdirs
} apex_uwb_data_file:file no_rw_file_perms;