platform_system_sepolicy/private/crash_dump.te

typeattribute crash_dump coredomain;

# Crash dump does not need to access devices passed across exec().
dontaudit crash_dump { devpts dev_type }:chr_file { read write };

allow crash_dump {
  domain
  -apexd
  -bpfloader
  -crash_dump
  -init
  -kernel
  -keystore
  -llkd
  -logd
  -ueventd
  -vendor_init
  -vold
}:process { ptrace signal sigchld sigstop sigkill };

userdebug_or_eng(`
  allow crash_dump {
    apexd
    keystore
    llkd
    logd
    vold
  }:process { ptrace signal sigchld sigstop sigkill };
')

# Read ART APEX data directory
allow crash_dump apex_art_data_file:dir { getattr search };
allow crash_dump apex_art_data_file:file r_file_perms;

# Allow crash dump to read bootstrap libraries
allow crash_dump system_bootstrap_lib_file:dir { getattr search };
allow crash_dump system_bootstrap_lib_file:file r_file_perms;

# Read Vendor APEX directories
allow crash_dump vendor_apex_metadata_file:dir { getattr search };

# crash_dump might inherit CAP_SYS_PTRACE from a privileged process,
# which will result in an audit log even when it's allowed to trace.
dontaudit crash_dump self:global_capability_class_set { sys_ptrace };

userdebug_or_eng(`
  allow crash_dump logd:process { ptrace signal sigchld sigstop sigkill };

  # Let crash_dump write to /dev/kmsg_debug crashes that happen before logd comes up.
  allow crash_dump kmsg_debug_device:chr_file { open append };
')

# Use inherited file descriptors
allow crash_dump domain:fd use;

# Read/write IPC pipes inherited from crashing processes.
allow crash_dump domain:fifo_file { read write };

# Append to pipes given to us by processes requesting dumps (e.g. dumpstate)
allow crash_dump domain:fifo_file { append };

# Read information from /proc/$PID.
allow crash_dump domain:process getattr;

r_dir_file(crash_dump, domain)
allow crash_dump exec_type:file r_file_perms;

# Read /data/dalvik-cache.
allow crash_dump dalvikcache_data_file:dir { search getattr };
allow crash_dump dalvikcache_data_file:file r_file_perms;

# Read APEX data directories.
allow crash_dump apex_module_data_file:dir { getattr search };

# Read uptime
allow crash_dump proc_uptime:file r_file_perms;

# Read APK files.
r_dir_file(crash_dump, apk_data_file);

# Read all /vendor
r_dir_file(crash_dump, { vendor_file same_process_hal_file })

# Read all /data/local/tests
r_dir_file(crash_dump, shell_test_data_file)

# Talk to tombstoned
unix_socket_connect(crash_dump, tombstoned_crash, tombstoned)

# Talk to ActivityManager.
unix_socket_connect(crash_dump, system_ndebug, system_server)

# Append to ANR files.
allow crash_dump anr_data_file:file { append getattr };

# Append to tombstone files.
allow crash_dump tombstone_data_file:file { append getattr };

# crash_dump writes out logcat logs at the bottom of tombstones,
# which is super useful in some cases.
unix_socket_connect(crash_dump, logdr, logd)

# Crash dump is not intended to access the following files. Since these
# are WAI, suppress the denials to clean up the logs.
dontaudit crash_dump {
  core_data_file_type
  vendor_file_type
}:dir search;
dontaudit crash_dump system_data_file:{ lnk_file file } read;
dontaudit crash_dump property_type:file read;

get_prop(crash_dump, misctrl_prop)

###
### neverallow assertions
###

# A domain transition must occur for crash_dump to get the privileges needed to trace the process.
# Do not allow the execution of crash_dump without a domain transition.
neverallow domain crash_dump_exec:file execute_no_trans;

# sigchld not explicitly forbidden since it's part of the
# domain-transition-on-exec macros, and is by itself not sensitive
neverallow crash_dump {
  apexd
  userdebug_or_eng(`-apexd')
  bpfloader
  init
  kernel
  keystore
  userdebug_or_eng(`-keystore')
  llkd
  userdebug_or_eng(`-llkd')
  logd
  userdebug_or_eng(`-logd')
  ueventd
  vendor_init
  vold
  userdebug_or_eng(`-vold')
}:process { ptrace signal sigstop sigkill };

neverallow crash_dump self:process ptrace;
neverallow crash_dump gpu_device:chr_file *;
Vendor domains must not use Binder On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor apps) are not permitted to use Binder. This commit thus: * groups non-vendor domains using the new "coredomain" attribute, * adds neverallow rules restricting Binder use to coredomain and appdomain only, and * temporarily exempts the domains which are currently violating this rule from this restriction. These domains are grouped using the new "binder_in_vendor_violators" attribute. The attribute is needed because the types corresponding to violators are not exposed to the public policy where the neverallow rules are. Test: mmm system/sepolicy Test: Device boots, no new denials Test: In Chrome, navigate to ip6.me, play a YouTube video Test: YouTube: play a video Test: Netflix: play a movie Test: Google Camera: take a photo, take an HDR+ photo, record video with sound, record slow motion video with sound. Confirm videos play back fine and with sound. Bug: 35870313 Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95 2017-03-23 22:27:32 +01:00			`typeattribute crash_dump coredomain;`
crash_dump: disallow ptrace of TCB components Remove permissions and add neverallow assertion. (cherry picked from commit f1554f1588eab05eca7eb7ccba41d5955a563837) Bug: 110107376 Test: kill -6 <components excluded from ptrace> Change-Id: I2dc872f5c02749fbaf8ca6bc7e3e38404151442c 2018-06-14 07:10:37 +02:00
crash_dump: dontaudit devices passed by exec() avc: denied { read } for comm="crash_dump64" name="v4l-touch22" dev="tmpfs" ino=18821 scontext=u:r:crash_dump:s0 tcontext=u:object_r:input_device:s0 tclass=chr_file Test: build Change-Id: Iac66b77ad255c950b21fd267c88fdbc382be2877 2019-03-14 04:50:25 +01:00			`# Crash dump does not need to access devices passed across exec().`
crash_dump: suppress devpts denials The following denial caused a presubmit failure: 06-15 15:16:24.176 956 956 I auditd : type=1400 audit(0.0:4): avc: denied { read write } for comm="crash_dump64" path="/dev/pts/3" dev="devpts" ino=6 scontext=u:r:crash_dump:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file permissive=0 Suppress these denials. They are not needed by crash_dump and are only caused by the default behavior of sharing FDs across exec. Test: build Change-Id: I183f7a54e6b807fdf46b04d67dd4b819d4f0e507 2019-03-18 18:29:27 +01:00			`dontaudit crash_dump { devpts dev_type }:chr_file { read write };`
crash_dump: dontaudit gpu_device access And add neverallow so that it's removed from partner policy if it was added there due to denials. Fixes: 124476401 Test: build Change-Id: I16903ba43f34011a0753b5267c35425dc7145f05 2019-02-15 19:29:38 +01:00
crash_dump: disallow ptrace of TCB components Remove permissions and add neverallow assertion. (cherry picked from commit f1554f1588eab05eca7eb7ccba41d5955a563837) Bug: 110107376 Test: kill -6 <components excluded from ptrace> Change-Id: I2dc872f5c02749fbaf8ca6bc7e3e38404151442c 2018-06-14 07:10:37 +02:00			`allow crash_dump {`
			`domain`
Add policy for apexd. apexd is a new daemon for managing APEX packages installed on the device. It hosts a single binder service, "apexservice". Bug: 112455435 Test: builds, binder service can be registered, apexes can be accessed, verified and mounted Change-Id: I634ad100f10b2edcd9a9c0df0d33896fa5d4ed97 2018-08-17 09:35:42 +02:00			`-apexd`
crash_dump: disallow ptrace of TCB components Remove permissions and add neverallow assertion. (cherry picked from commit f1554f1588eab05eca7eb7ccba41d5955a563837) Bug: 110107376 Test: kill -6 <components excluded from ptrace> Change-Id: I2dc872f5c02749fbaf8ca6bc7e3e38404151442c 2018-06-14 07:10:37 +02:00			`-bpfloader`
			`-crash_dump`
			`-init`
			`-kernel`
			`-keystore`
llkd: Add stack symbol checking llkd needs the ptrace capabilities and dac override to monitor for live lock conditions on the stack dumps. Test: compile Bug: 33808187 Change-Id: Ibc1e4cc10395fa9685c4ef0ca214daf212a5e126 2018-08-08 01:03:47 +02:00			`-llkd`
crash_dump: disallow ptrace of TCB components Remove permissions and add neverallow assertion. (cherry picked from commit f1554f1588eab05eca7eb7ccba41d5955a563837) Bug: 110107376 Test: kill -6 <components excluded from ptrace> Change-Id: I2dc872f5c02749fbaf8ca6bc7e3e38404151442c 2018-06-14 07:10:37 +02:00			`-logd`
			`-ueventd`
			`-vendor_init`
			`-vold`
			`}:process { ptrace signal sigchld sigstop sigkill };`
Allowing userdebug/eng builds crash dump access to ks This will make debugging of keystore issues in dogfood populations much easier than it previously was, as developers will have detailed crash dump reporting on any issues that do occur. Bug: 186868271 Bug: 184006658 Test: crash dumps appear if keystore2 explodes Change-Id: Ifb36cbf96eb063c9290905178b2fdc5934050b99 2021-04-30 20:08:07 +02:00
llkd: Add stack symbol checking llkd needs the ptrace capabilities and dac override to monitor for live lock conditions on the stack dumps. Test: compile Bug: 33808187 Change-Id: Ibc1e4cc10395fa9685c4ef0ca214daf212a5e126 2018-08-08 01:03:47 +02:00			userdebug_or_eng(`
Allowing userdebug/eng builds crash dump access to ks This will make debugging of keystore issues in dogfood populations much easier than it previously was, as developers will have detailed crash dump reporting on any issues that do occur. Bug: 186868271 Bug: 184006658 Test: crash dumps appear if keystore2 explodes Change-Id: Ifb36cbf96eb063c9290905178b2fdc5934050b99 2021-04-30 20:08:07 +02:00			`allow crash_dump {`
			`apexd`
			`keystore`
			`llkd`
			`logd`
			`vold`
			`}:process { ptrace signal sigchld sigstop sigkill };`
llkd: Add stack symbol checking llkd needs the ptrace capabilities and dac override to monitor for live lock conditions on the stack dumps. Test: compile Bug: 33808187 Change-Id: Ibc1e4cc10395fa9685c4ef0ca214daf212a5e126 2018-08-08 01:03:47 +02:00			`')`
crash_dump: disallow ptrace of TCB components Remove permissions and add neverallow assertion. (cherry picked from commit f1554f1588eab05eca7eb7ccba41d5955a563837) Bug: 110107376 Test: kill -6 <components excluded from ptrace> Change-Id: I2dc872f5c02749fbaf8ca6bc7e3e38404151442c 2018-06-14 07:10:37 +02:00
sepolicy: rework perfetto producer/profiler rules for "user" builds This patch: * allows for heap and perf profiling of all processes on the system (minus undumpable and otherwise incompatible domains). For apps, the rest of the platform will still perform checks based on profileable/debuggable manifest flags. For native processes, the profilers will check that the process runs as an allowlisted UID. * allows for all apps (=appdomain) to act as perfetto tracing data writers (=perfetto_producer) for the ART java heap graph plugin (perfetto_hprof). * allows for system_server to act a perfetto_producer for java heap graphs. Bug: 247858731 Change-Id: I792ec1812d94b4fa9a8688ed74f2f62f6a7f33a6 2023-02-02 15:24:45 +01:00			`# Read ART APEX data directory`
			`allow crash_dump apex_art_data_file:dir { getattr search };`
			`allow crash_dump apex_art_data_file:file r_file_perms;`

crash_dump: read bootstrap libs Required for nicer stacks for crashes and ANRs, etc.. Bug: N/A Test: adb shell am hang, check servicemanager section no longer displays warnings now that that it is dumped by watchdog Change-Id: I49a93c1fec9c3219c11dc1a82440c7c2a1944010 2023-12-06 02:42:29 +01:00			`# Allow crash dump to read bootstrap libraries`
			`allow crash_dump system_bootstrap_lib_file:dir { getattr search };`
			`allow crash_dump system_bootstrap_lib_file:file r_file_perms;`

Allow crash_dump to read vendor apex dir. Bug: 298699169 Test: crash dumps from a binary in vendor apex Change-Id: I4eb2c4162ae2e78ef126987e7de0f838b6db205c 2023-09-05 10:51:38 +02:00			`# Read Vendor APEX directories`
			`allow crash_dump vendor_apex_metadata_file:dir { getattr search };`

Minimize public policy Ideally, public should only contain APIs (types / attributes) for vendor. The other statements like allow/neverallow/typeattributes are regarded as implementation detail for platform and should be in private. Bug: 232023812 Test: m selinux_policy Test: diff <(git diff --staged \| grep "^-" \| cut -b2- \| sort) \ <(git diff --staged \| grep "^+" \| cut -b2- \| sort) Test: remove comments on plat_sepolicy.cil, replace base_typeattr_* to base_typeattr and then compare old and new plat_sepolicy.cil Change-Id: I5e7d2da4465ab0216de6bacdf03077d37f6ffe12 2024-03-27 09:18:41 +01:00			`# crash_dump might inherit CAP_SYS_PTRACE from a privileged process,`
			`# which will result in an audit log even when it's allowed to trace.`
			`dontaudit crash_dump self:global_capability_class_set { sys_ptrace };`

			userdebug_or_eng(`
			`allow crash_dump logd:process { ptrace signal sigchld sigstop sigkill };`

			`# Let crash_dump write to /dev/kmsg_debug crashes that happen before logd comes up.`
			`allow crash_dump kmsg_debug_device:chr_file { open append };`
			`')`

			`# Use inherited file descriptors`
			`allow crash_dump domain:fd use;`

			`# Read/write IPC pipes inherited from crashing processes.`
			`allow crash_dump domain:fifo_file { read write };`

			`# Append to pipes given to us by processes requesting dumps (e.g. dumpstate)`
			`allow crash_dump domain:fifo_file { append };`

			`# Read information from /proc/$PID.`
			`allow crash_dump domain:process getattr;`

			`r_dir_file(crash_dump, domain)`
			`allow crash_dump exec_type:file r_file_perms;`

			`# Read /data/dalvik-cache.`
			`allow crash_dump dalvikcache_data_file:dir { search getattr };`
			`allow crash_dump dalvikcache_data_file:file r_file_perms;`

			`# Read APEX data directories.`
			`allow crash_dump apex_module_data_file:dir { getattr search };`

			`# Read uptime`
			`allow crash_dump proc_uptime:file r_file_perms;`

			`# Read APK files.`
			`r_dir_file(crash_dump, apk_data_file);`

			`# Read all /vendor`
			`r_dir_file(crash_dump, { vendor_file same_process_hal_file })`

			`# Read all /data/local/tests`
			`r_dir_file(crash_dump, shell_test_data_file)`

			`# Talk to tombstoned`
			`unix_socket_connect(crash_dump, tombstoned_crash, tombstoned)`

			`# Talk to ActivityManager.`
			`unix_socket_connect(crash_dump, system_ndebug, system_server)`

			`# Append to ANR files.`
			`allow crash_dump anr_data_file:file { append getattr };`

			`# Append to tombstone files.`
			`allow crash_dump tombstone_data_file:file { append getattr };`

			`# crash_dump writes out logcat logs at the bottom of tombstones,`
			`# which is super useful in some cases.`
			`unix_socket_connect(crash_dump, logdr, logd)`

			`# Crash dump is not intended to access the following files. Since these`
			`# are WAI, suppress the denials to clean up the logs.`
			`dontaudit crash_dump {`
			`core_data_file_type`
			`vendor_file_type`
			`}:dir search;`
			`dontaudit crash_dump system_data_file:{ lnk_file file } read;`
			`dontaudit crash_dump property_type:file read;`

Allow crash_dump to read misctrl properties This is used to determine if the device has been in 16k page size mode to help debug issues with that. Test: debuggerd_test with ro.misctl.16kb_before="1" Bug: 335247092 Change-Id: I7b5fcd39cc5b3247d866814fbcf53299d68846c2 2024-05-04 02:50:52 +02:00			`get_prop(crash_dump, misctrl_prop)`

Strengthen ptrace neverallow rules Add additional compile time constraints on the ability to ptrace various sensitive domains. llkd: remove some domains which llkd should never ptrace, even on debuggable builds, such as kernel threads and init. crash_dump neverallows: Remove the ptrace neverallow checks because it duplicates other neverallow assertions spread throughout the policy. Test: policy compiles and device boots Change-Id: Ia4240d1ce7143b983bb048e046bb4729d0af5a6e 2018-09-13 20:07:14 +02:00			`###`
			`### neverallow assertions`
			`###`

Minimize public policy Ideally, public should only contain APIs (types / attributes) for vendor. The other statements like allow/neverallow/typeattributes are regarded as implementation detail for platform and should be in private. Bug: 232023812 Test: m selinux_policy Test: diff <(git diff --staged \| grep "^-" \| cut -b2- \| sort) \ <(git diff --staged \| grep "^+" \| cut -b2- \| sort) Test: remove comments on plat_sepolicy.cil, replace base_typeattr_* to base_typeattr and then compare old and new plat_sepolicy.cil Change-Id: I5e7d2da4465ab0216de6bacdf03077d37f6ffe12 2024-03-27 09:18:41 +01:00			`# A domain transition must occur for crash_dump to get the privileges needed to trace the process.`
			`# Do not allow the execution of crash_dump without a domain transition.`
			`neverallow domain crash_dump_exec:file execute_no_trans;`

sepolicy: rework perfetto producer/profiler rules for "user" builds This patch: * allows for heap and perf profiling of all processes on the system (minus undumpable and otherwise incompatible domains). For apps, the rest of the platform will still perform checks based on profileable/debuggable manifest flags. For native processes, the profilers will check that the process runs as an allowlisted UID. * allows for all apps (=appdomain) to act as perfetto tracing data writers (=perfetto_producer) for the ART java heap graph plugin (perfetto_hprof). * allows for system_server to act a perfetto_producer for java heap graphs. Bug: 247858731 Change-Id: I792ec1812d94b4fa9a8688ed74f2f62f6a7f33a6 2023-02-02 15:24:45 +01:00			`# sigchld not explicitly forbidden since it's part of the`
			`# domain-transition-on-exec macros, and is by itself not sensitive`
crash_dump: disallow ptrace of TCB components Remove permissions and add neverallow assertion. (cherry picked from commit f1554f1588eab05eca7eb7ccba41d5955a563837) Bug: 110107376 Test: kill -6 <components excluded from ptrace> Change-Id: I2dc872f5c02749fbaf8ca6bc7e3e38404151442c 2018-06-14 07:10:37 +02:00			`neverallow crash_dump {`
Sepolicy: Allow crash_dump to ptrace apexd in userdebug In userdebug, for better diagnostics, allow crash_dump to "connect to" apexd. Considering apexd is quite powerful, user devices remain restricted. Bug: 118771487 Test: m Change-Id: Id42bd2ad7505cd5578138bfccd8840acba9a334d 2019-03-05 17:36:36 +01:00			`apexd`
			userdebug_or_eng(`-apexd')
crash_dump: disallow ptrace of TCB components Remove permissions and add neverallow assertion. (cherry picked from commit f1554f1588eab05eca7eb7ccba41d5955a563837) Bug: 110107376 Test: kill -6 <components excluded from ptrace> Change-Id: I2dc872f5c02749fbaf8ca6bc7e3e38404151442c 2018-06-14 07:10:37 +02:00			`bpfloader`
			`init`
			`kernel`
			`keystore`
Allowing userdebug/eng builds crash dump access to ks This will make debugging of keystore issues in dogfood populations much easier than it previously was, as developers will have detailed crash dump reporting on any issues that do occur. Bug: 186868271 Bug: 184006658 Test: crash dumps appear if keystore2 explodes Change-Id: Ifb36cbf96eb063c9290905178b2fdc5934050b99 2021-04-30 20:08:07 +02:00			userdebug_or_eng(`-keystore')
llkd: Add stack symbol checking llkd needs the ptrace capabilities and dac override to monitor for live lock conditions on the stack dumps. Test: compile Bug: 33808187 Change-Id: Ibc1e4cc10395fa9685c4ef0ca214daf212a5e126 2018-08-08 01:03:47 +02:00			`llkd`
			userdebug_or_eng(`-llkd')
crash_dump: disallow ptrace of TCB components Remove permissions and add neverallow assertion. (cherry picked from commit f1554f1588eab05eca7eb7ccba41d5955a563837) Bug: 110107376 Test: kill -6 <components excluded from ptrace> Change-Id: I2dc872f5c02749fbaf8ca6bc7e3e38404151442c 2018-06-14 07:10:37 +02:00			`logd`
			userdebug_or_eng(`-logd')
			`ueventd`
			`vendor_init`
			`vold`
Allow system watchdog to collect traces from vold. We're investigating a bug where vold gets wedged, and we need to collect ANR stack traces from it to debug further. avc: denied { signal } for comm="watchdog" scontext=u:r:system_server:s0 tcontext=u:r:vold:s0 tclass=process permissive=0 avc: denied { ptrace } for scontext=u:r:crash_dump:s0 tcontext=u:r:vold:s0 tclass=process permissive=0 Bug: 122090837 Test: manual Change-Id: I738e63717715189b9ae2317472f671e3563afaa9 2019-02-05 22:39:02 +01:00			userdebug_or_eng(`-vold')
sepolicy: rework perfetto producer/profiler rules for "user" builds This patch: * allows for heap and perf profiling of all processes on the system (minus undumpable and otherwise incompatible domains). For apps, the rest of the platform will still perform checks based on profileable/debuggable manifest flags. For native processes, the profilers will check that the process runs as an allowlisted UID. * allows for all apps (=appdomain) to act as perfetto tracing data writers (=perfetto_producer) for the ART java heap graph plugin (perfetto_hprof). * allows for system_server to act a perfetto_producer for java heap graphs. Bug: 247858731 Change-Id: I792ec1812d94b4fa9a8688ed74f2f62f6a7f33a6 2023-02-02 15:24:45 +01:00			`}:process { ptrace signal sigstop sigkill };`
Ensure crash_dump cannot be allowed to ptrace itself. This is not needed and could conceivably be abused. Test: Builds. Bug: 110107376 Change-Id: I73f301439af435fe40b3902409964cdf6e2c7dd5 2018-09-03 18:27:54 +02:00
			`neverallow crash_dump self:process ptrace;`
crash_dump: dontaudit gpu_device access And add neverallow so that it's removed from partner policy if it was added there due to denials. Fixes: 124476401 Test: build Change-Id: I16903ba43f34011a0753b5267c35425dc7145f05 2019-02-15 19:29:38 +01:00			`neverallow crash_dump gpu_device:chr_file *;`