type crash_dump, domain;
# Label carried by the crash_dump executable file (exec_type). The neverallow
# at the end of this file forbids executing it without a domain transition.
type crash_dump_exec, system_file_type, exec_type, file_type;
# crash_dump might inherit CAP_SYS_PTRACE from a privileged process,
# which will result in an audit log even when it's allowed to trace.
dontaudit crash_dump self:global_capability_class_set { sys_ptrace };
userdebug_or_eng(`
# Inside userdebug_or_eng(): this rule is compiled in only on userdebug/eng
# builds, so user builds never let crash_dump ptrace or signal logd.
# Presumably here so that crashes in logd itself can be dumped - confirm.
allow crash_dump logd:process { ptrace signal sigchld sigstop sigkill };
# Let crash_dump write crashes that happen before logd comes up to /dev/kmsg_debug.
allow crash_dump kmsg_debug_device:chr_file { open append };
')
# Use inherited file descriptors
allow crash_dump domain:fd use;
# Read/write IPC pipes inherited from crashing processes.
allow crash_dump domain:fifo_file { read write };
# Append to pipes given to us by processes requesting dumps (e.g. dumpstate)
allow crash_dump domain:fifo_file { append };
# Read information from /proc/$PID.
allow crash_dump domain:process getattr;
r_dir_file(crash_dump, domain)
# Read-only access (r_file_perms carries no execute permission) to every file
# labeled with the exec_type attribute.
# Presumably needed to read the crashing process's binary while unwinding - confirm.
allow crash_dump exec_type:file r_file_perms;
# Read /data/dalvik-cache.
allow crash_dump dalvikcache_data_file:dir { search getattr };
allow crash_dump dalvikcache_data_file:file r_file_perms;
# Read APEX data directories.
allow crash_dump apex_module_data_file:dir { getattr search };
# Read uptime
allow crash_dump proc_uptime:file r_file_perms;
# Read APK files.
r_dir_file(crash_dump, apk_data_file);
# Read all /vendor
r_dir_file(crash_dump, { vendor_file same_process_hal_file })
# Read all /data/local/tests
r_dir_file(crash_dump, shell_test_data_file)
# Talk to tombstoned
unix_socket_connect(crash_dump, tombstoned_crash, tombstoned)
# Talk to ActivityManager.
unix_socket_connect(crash_dump, system_ndebug, system_server)
# Append to ANR files.
allow crash_dump anr_data_file:file { append getattr };
# Append to tombstone files.
allow crash_dump tombstone_data_file:file { append getattr };
crash_dump: remove /system/bin/logcat execute permissions
Currently, crash_dump has the following line:
read_logd(crash_dump)
which is a macro defined as:
#####################################
# read_logd(domain)
# Ability to run logcat and read from android
# log daemon via sockets
define(`read_logd', `
allow $1 logcat_exec:file rx_file_perms;
unix_socket_connect($1, logdr, logd)
')
which grants both the ability to talk directly to a logd socket, as well
as the ability to execute the /system/bin/logcat command line tool.
This is unneeded (and problematic) for crash_dump. Crash_dump uses
standard, vndk approved libraries to talk directly to logd. It never
exec()s the (non-vndk approved) logcat command.
As crash_dump is a vndk approved component and executed by vendor code,
allowing this transitively makes /system/bin/logcat a vndk component
too, which we want to avoid.
Instead of using the read_logd() macro, just directly add the
unix_socket_connect() call. This allows talking directly to logd, but
blocks the use of the (unneeded) /system/bin/logcat executable.
Test: crasher binary still works when executed from adb shell
Change-Id: I1fe9d0f5f0234c96454a0d91338fa2656f083345
2018-09-13 23:20:50 +02:00
# crash_dump writes out logcat logs at the bottom of tombstones,
# which is super useful in some cases.
# Granted through unix_socket_connect() directly instead of read_logd():
# read_logd() would also allow executing logcat_exec (/system/bin/logcat),
# which crash_dump never does. Keep it this way; only the socket is needed.
unix_socket_connect(crash_dump, logdr, logd)
# Crash dump is not intended to access the following files. Since these
# denials are working as intended (WAI), suppress them to clean up the logs.
dontaudit crash_dump {
core_data_file_type
vendor_file_type
}:dir search;
# dontaudit grants nothing: reads of system_data_file files and symlinks are
# still denied, only the audit record is dropped.
dontaudit crash_dump system_data_file:{ lnk_file file } read;
# Covers every type carrying the property_type attribute. The read is still
# denied; this only keeps the denial out of the audit log.
dontaudit crash_dump property_type:file read;
###
### neverallow assertions
###
# A domain transition must occur for crash_dump to get the privileges needed to trace the process.
# Do not allow the execution of crash_dump without a domain transition.
# neverallow is a policy build-time assertion, not a runtime rule.
# execute_no_trans means executing a file while staying in the caller's own
# domain; denying it to every domain leaves a domain transition as the only
# way to run crash_dump_exec.
neverallow domain crash_dump_exec:file execute_no_trans;