# dumpstate
#
# Domain for dumpstate, the bug report collector. It reads state from every
# running process and from a number of privileged data directories, so this
# file is mostly a list of read grants, each commented with the data it is
# for; the neverallow rules at the bottom pin the two privileges that must
# never widen (ptrace attach, and who may find dumpstate's binder service).
# mlstrustedsubject exempts the domain from MLS constraints so that it can
# read data labelled at other MLS levels.
type dumpstate, domain, mlstrustedsubject;
type dumpstate_exec, exec_type, file_type;

net_domain(dumpstate)
binder_use(dumpstate)
wakelock_use(dumpstate)

# Allow setting process priority, protect from OOM killer, and dropping
# privileges by switching UID / GID
allow dumpstate self:global_capability_class_set { setuid setgid sys_resource };

# Allow dumpstate to scan through /proc/pid for all processes
# (domain is the attribute of every process type, so this is deliberately
# label-wide rather than a per-service list).
r_dir_file(dumpstate, domain)

allow dumpstate self:global_capability_class_set {
  # Send signals to processes
  kill
  # Run iptables
  net_raw
  net_admin
};

# Allow executing files on system, such as:
# /system/bin/toolbox
# /system/bin/logcat
# /system/bin/dumpsys
allow dumpstate system_file:file execute_no_trans;
# Vendor binaries are executable only on devices that are not full Treble.
not_full_treble(`allow dumpstate vendor_file:file execute_no_trans;')
allow dumpstate toolbox_exec:file rx_file_perms;

# hidl searches for files in /system/lib(64)/hw/
allow dumpstate system_file:dir r_dir_perms;

# Create and write into /data/anr/
# dac_override/chown/fowner/fsetid bypass the DAC checks on the files written
# there; the SELinux rules that follow still bound which labels may be touched.
allow dumpstate self:global_capability_class_set { dac_override chown fowner fsetid };
allow dumpstate anr_data_file:dir rw_dir_perms;
allow dumpstate anr_data_file:file create_file_perms;

# Allow reading /data/system/uiderrors.txt
# TODO: scope this down. r_file_perms on system_data_file covers every file
# carrying that label, not just uiderrors.txt.
allow dumpstate system_data_file:file r_file_perms;

# Read dmesg
allow dumpstate self:global_capability2_class_set syslog;
allow dumpstate kernel:system syslog_read;

# Read /sys/fs/pstore/console-ramoops
allow dumpstate pstorefs:dir r_dir_perms;
allow dumpstate pstorefs:file r_file_perms;

# Get process attributes
allow dumpstate domain:process getattr;

# Signal java processes to dump their stack
allow dumpstate { appdomain system_server }:process signal;

# Signal native processes to dump their stack.
# Only signal is granted; ptrace attach is forbidden by the neverallow at the
# bottom of this file.
allow dumpstate {
  # This list comes from native_processes_to_dump in dumputils/dump_utils.c
  audioserver
  cameraserver
  drmserver
  inputflinger
  mediadrmserver
  mediaextractor
  mediametrics
  mediaserver
  sdcardd
  surfaceflinger

  # This list comes from hal_interfaces_to_dump in dumputils/dump_utils.c
  hal_audio_server
  hal_bluetooth_server
  hal_camera_server
  hal_drm_server
  hal_graphics_composer_server
  hal_sensors_server
  hal_vr_server
  mediacodec # TODO(b/36375899): hal_omx_server
}:process signal;

# Connect to tombstoned to intercept dumps.
unix_socket_connect(dumpstate, tombstoned_intercept, tombstoned)

# Access to /sys
allow dumpstate sysfs_type:dir r_dir_perms;

allow dumpstate {
  sysfs_dm
  sysfs_usb
  sysfs_zram
}:file r_file_perms;

# Other random bits of data we want to collect
allow dumpstate qtaguid_proc:file r_file_perms;
allow dumpstate debugfs:file r_file_perms;

# For running df: stat the filesystems it reports on. Only directory
# search/getattr and device getattr are granted; the sole read permission is
# on symlinks, so no regular-file contents are readable through these rules.
allow dumpstate {
  block_device
  cache_file
  metadata_file
  rootfs
  selinuxfs
  storage_file
  tmpfs
}:dir { search getattr };
allow dumpstate fuse_device:chr_file getattr;
allow dumpstate { dm_device cache_block_device }:blk_file getattr;
allow dumpstate { cache_file rootfs }:lnk_file { getattr read };

# Read /dev/cpuctl and /dev/cpuset
r_dir_file(dumpstate, cgroup)

# Allow dumpstate to make binder calls to any binder service,
# plus apps, netd and wificond.
binder_call(dumpstate, binderservicedomain)
binder_call(dumpstate, { appdomain netd wificond })

hal_client_domain(dumpstate, hal_dumpstate)
hal_client_domain(dumpstate, hal_graphics_allocator)
# Vibrate the device after we are done collecting the bugreport
hal_client_domain(dumpstate, hal_vibrator)

# Reading /proc/PID/maps of other processes
# (sys_ptrace is what the kernel checks for those reads; the ptrace permission
# itself is denied by the neverallow below).
allow dumpstate self:global_capability_class_set sys_ptrace;

# Allow the bugreport service to create a file in
# /data/data/com.android.shell/files/bugreports/bugreport
allow dumpstate shell_data_file:dir create_dir_perms;
allow dumpstate shell_data_file:file create_file_perms;

# Run a shell.
allow dumpstate shell_exec:file rx_file_perms;

# For running am and similar framework commands.
# Run /system/bin/app_process.
allow dumpstate zygote_exec:file rx_file_perms;
# Dalvik Compiler JIT.
# execmem permits anonymous memory that is both writable and executable, which
# is why it is normally withheld; it is needed here only because the domain
# hosts an ART runtime for the framework commands above.
allow dumpstate ashmem_device:chr_file execute;
allow dumpstate self:process execmem;
# For art.
allow dumpstate dalvikcache_data_file:dir { search getattr };
allow dumpstate dalvikcache_data_file:file { r_file_perms execute };
allow dumpstate dalvikcache_data_file:lnk_file r_file_perms;

# For Bluetooth
allow dumpstate bluetooth_data_file:dir search;
allow dumpstate bluetooth_logs_data_file:dir r_dir_perms;
allow dumpstate bluetooth_logs_data_file:file r_file_perms;

# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
allow dumpstate gpu_device:chr_file rw_file_perms;

# logd access
read_logd(dumpstate)
control_logd(dumpstate)
read_runtime_log_tags(dumpstate)

# Read files in /proc
allow dumpstate {
  proc_buddyinfo
  proc_cmdline
  proc_meminfo
  proc_modules
  proc_net
  proc_pipe_conf
  proc_pagetypeinfo
  proc_qtaguid_stat
  proc_version
  proc_vmallocinfo
  proc_vmstat
}:file r_file_perms;

# Read network state info files.
allow dumpstate net_data_file:dir search;
allow dumpstate net_data_file:file r_file_perms;

# List sockets via ss.
allow dumpstate self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };

# Access /data/tombstones.
allow dumpstate tombstone_data_file:dir r_dir_perms;
allow dumpstate tombstone_data_file:file r_file_perms;

# Access /cache/recovery
allow dumpstate cache_recovery_file:dir r_dir_perms;
allow dumpstate cache_recovery_file:file r_file_perms;

# Access /data/misc/recovery
allow dumpstate recovery_data_file:dir r_dir_perms;
allow dumpstate recovery_data_file:file r_file_perms;

# Access /data/misc/update_engine_log
allow dumpstate update_engine_log_data_file:dir r_dir_perms;
allow dumpstate update_engine_log_data_file:file r_file_perms;

# Access /data/misc/profiles/{cur,ref}/
# Debug builds only (userdebug_or_eng); not granted on user builds.
userdebug_or_eng(`
allow dumpstate user_profile_data_file:dir r_dir_perms;
allow dumpstate user_profile_data_file:file r_file_perms;
')

# Access /data/misc/logd
# Debug builds only (userdebug_or_eng); not granted on user builds.
userdebug_or_eng(`
allow dumpstate misc_logd_file:dir r_dir_perms;
allow dumpstate misc_logd_file:file r_file_perms;
')

# Find any binder service except the ones excluded below.
allow dumpstate {
  service_manager_type
  -dumpstate_service
  -gatekeeper_service
  -incident_service
  -virtual_touchpad_service
  -vold_service
  -vr_hwc_service
}:service_manager find;
# suppress denials for services dumpstate should not be accessing.
# dontaudit only keeps these expected lookups out of the audit log; the
# lookups themselves are still denied.
dontaudit dumpstate {
  dumpstate_service
  gatekeeper_service
  incident_service
  virtual_touchpad_service
  vold_service
  vr_hwc_service
}:service_manager find;

allow dumpstate servicemanager:service_manager list;
allow dumpstate hwservicemanager:hwservice_manager list;

# NOTE(review): purpose not stated here — presumably the controlling pty when
# dumpstate is launched from an interactive shell; confirm against the caller.
allow dumpstate devpts:chr_file rw_file_perms;

# Set properties.
# dumpstate_prop is used to share state with the Shell app.
set_prop(dumpstate, dumpstate_prop)
set_prop(dumpstate, exported_dumpstate_prop)
# dumpstate_options_prop is used to pass extra command-line args.
set_prop(dumpstate, dumpstate_options_prop)

# Read any system properties
# (property_type is the attribute of every property label; read access only).
get_prop(dumpstate, property_type)

# Access to /data/media.
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
allow dumpstate media_rw_data_file:dir getattr;
# Additional /proc files.
allow dumpstate proc_interrupts:file r_file_perms;
allow dumpstate proc_zoneinfo:file r_file_perms;

# Create a service for talking back to system_server
add_service(dumpstate, dumpstate_service)

# use /dev/ion for screen capture
allow dumpstate ion_device:chr_file r_file_perms;

# Allow dumpstate to run top
allow dumpstate proc_stat:file r_file_perms;

# Allow dumpstate to talk to installd over binder
binder_call(dumpstate, installd);

# Allow dumpstate to run ip xfrm policy
allow dumpstate self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read };

# Allow dumpstate to run iotop
allow dumpstate self:netlink_socket create_socket_perms_no_ioctl;
# newer kernels (e.g. 4.4) have a new class for sockets
allow dumpstate self:netlink_generic_socket create_socket_perms_no_ioctl;

# Allow dumpstate to kill vendor dumpstate service by init
set_prop(dumpstate, ctl_dumpstate_prop)

###
### neverallow rules
###

# dumpstate has capability sys_ptrace, but should only use that capability for
# accessing sensitive /proc/PID files, never for using ptrace attach.
neverallow dumpstate *:process ptrace;

# only system_server, dumpstate, traceur_app and shell can find the dumpstate service
# (service lookup is the entry point to dumpstate's binder interface, so any
# other domain gaining find here is a policy build failure, not a runtime denial).
neverallow {
  domain
  -system_server
  -shell
  -traceur_app
  -dumpstate
} dumpstate_service:service_manager find;