# debugger interface
#
# SELinux policy for debuggerd, the crash dumper. To write tombstones it has
# to ptrace and inspect most other domains, so the rules below are deliberately
# broad; the exclusion list on the ptrace rule is the main boundary of its reach.
# NOTE(review): the domain_deprecated attribute carries a set of legacy broad
# rules defined elsewhere — confirm they are still needed before reasoning about
# this file's explicit rules alone.
type debuggerd, domain, domain_deprecated;
type debuggerd_exec, exec_type, file_type;

# Started by init: transition into the debuggerd domain when init execs debuggerd_exec.
init_daemon_domain(debuggerd)
# Trusted MLS subject: may operate across MLS levels (app processes are
# labelled with MLS categories).
typeattribute debuggerd mlstrustedsubject;
# sys_ptrace pairs with the domain:process ptrace rule below; which of the
# remaining capabilities serves which purpose is not stated here — confirm
# against debuggerd's source before adding or removing any.
allow debuggerd self:capability { dac_override sys_ptrace chown kill fowner setuid setgid };
allow debuggerd self:capability2 { syslog };
# Read /proc/<pid> of any domain (such entries carry the process's domain label):
# maps, status, and symlinks such as exe/cwd.
allow debuggerd domain:dir r_dir_perms;
allow debuggerd domain:file r_file_perms;
allow debuggerd domain:lnk_file read;
# ptrace/getattr on every domain except those listed. The excluded domains can
# never be attached to by the crash dumper, even if they crash.
# NOTE(review): the reasons for each exclusion are not stated here (presumably
# keystore is kept out of tombstones to protect key material, and init/ueventd/
# watchdogd/adbd/healthd to protect boot-critical and debug-bridge state) —
# confirm before changing the list.
allow debuggerd {
  domain
  -adbd
  -debuggerd
  -healthd
  -init
  -keystore
  -ueventd
  -watchdogd
}:process { ptrace getattr };
security_access_policy(debuggerd)
# Tombstones: create and write crash dumps in the tombstone directory.
allow debuggerd tombstone_data_file:dir rw_dir_perms;
allow debuggerd tombstone_data_file:file create_file_perms;
# Read-only access to shared RELRO files (presumably to resolve mappings of
# the shared RELRO region while dumping — confirm).
allow debuggerd shared_relro_file:dir r_dir_perms;
allow debuggerd shared_relro_file:file r_file_perms;
# Signal delivery to every domain. Unlike the ptrace rule above this has no
# exclusion list: debuggerd may sigstop/sigkill domains it cannot ptrace.
allow debuggerd domain:process { sigstop sigkill signal };
# Read any executable file, e.g. to symbolize frames of any exec_type binary.
allow debuggerd exec_type:file r_file_perms;
# Access app library
# Only open is granted on system_data_file here; read access, if needed, must
# come from another rule or from domain_deprecated — verify.
allow debuggerd system_data_file:file open;
# Allow debuggerd to redirect a dump_backtrace request to itself.
# This only happens on 64 bit systems, where all requests go to the 64 bit
# debuggerd and get redirected to the 32 bit debuggerd if the process is 32 bit.
#
# The debuggerd object class is presumably a userspace class enforced by
# debuggerd itself (see the selinux_check_access rule at the end of this file):
# the source here is debuggerd acting as the redirecting requester, and the
# targets are the domains whose backtrace it may request. Adding a domain to
# this list widens what a redirected request can dump.

allow debuggerd {
  audioserver
  bluetooth
  cameraserver
  drmserver
  inputflinger
  mediacodec
  mediadrmserver
  mediaextractor
  mediaserver
  sdcardd
  surfaceflinger
}:debuggerd dump_backtrace;

# Connect to system_server via /data/system/ndebugsocket.
unix_socket_connect(debuggerd, system_ndebug, system_server)

# Input device access is granted only on userdebug/eng builds, never on user
# builds.
userdebug_or_eng(`
  allow debuggerd input_device:dir r_dir_perms;
  allow debuggerd input_device:chr_file rw_file_perms;
')

# logd access
read_logd(debuggerd)

# Check SELinux permissions.
# Lets debuggerd query the loaded policy from userspace (presumably for the
# dump_backtrace checks on the debuggerd class above).
selinux_check_access(debuggerd)
     62