typeattribute crash_dump coredomain;

# Crash dump does not need to access devices passed across exec().
dontaudit crash_dump { devpts dev_type }:chr_file { read write };

allow crash_dump {
  domain
  -apexd
  -bpfloader
  -crash_dump
  -init
  -kernel
  -keystore
  -llkd
  -logd
  -ueventd
  -vendor_init
  -vold
}:process { ptrace signal sigchld sigstop sigkill };

userdebug_or_eng(`
  allow crash_dump {
    apexd
    keystore
    llkd
    logd
    vold
  }:process { ptrace signal sigchld sigstop sigkill };
')

# Read ART APEX data directory
allow crash_dump apex_art_data_file:dir { getattr search };
allow crash_dump apex_art_data_file:file r_file_perms;

# Allow crash dump to read bootstrap libraries
allow crash_dump system_bootstrap_lib_file:dir { getattr search };
allow crash_dump system_bootstrap_lib_file:file r_file_perms;

# Read Vendor APEX directories
allow crash_dump vendor_apex_metadata_file:dir { getattr search };

# crash_dump might inherit CAP_SYS_PTRACE from a privileged process,
# which will result in an audit log even when it's allowed to trace.
dontaudit crash_dump self:global_capability_class_set { sys_ptrace };

userdebug_or_eng(`
  allow crash_dump logd:process { ptrace signal sigchld sigstop sigkill };

  # Let crash_dump write to /dev/kmsg_debug crashes that happen before logd comes up.
  allow crash_dump kmsg_debug_device:chr_file { open append };
')

# Use inherited file descriptors
allow crash_dump domain:fd use;

# Read/write IPC pipes inherited from crashing processes.
allow crash_dump domain:fifo_file { read write };

# Append to pipes given to us by processes requesting dumps (e.g. dumpstate)
allow crash_dump domain:fifo_file { append };

# Read information from /proc/$PID.
allow crash_dump domain:process getattr;

r_dir_file(crash_dump, domain)
allow crash_dump exec_type:file r_file_perms;

# Read /data/dalvik-cache.
allow crash_dump dalvikcache_data_file:dir { search getattr };
allow crash_dump dalvikcache_data_file:file r_file_perms;

# Read APEX data directories.
allow crash_dump apex_module_data_file:dir { getattr search };

# Read uptime
allow crash_dump proc_uptime:file r_file_perms;

# Read APK files.
r_dir_file(crash_dump, apk_data_file);

# Read all /vendor
r_dir_file(crash_dump, { vendor_file same_process_hal_file })

# Read all /data/local/tests
r_dir_file(crash_dump, shell_test_data_file)

# Talk to tombstoned
unix_socket_connect(crash_dump, tombstoned_crash, tombstoned)

# Talk to ActivityManager.
unix_socket_connect(crash_dump, system_ndebug, system_server)

# Append to ANR files.
allow crash_dump anr_data_file:file { append getattr };

# Append to tombstone files.
allow crash_dump tombstone_data_file:file { append getattr };

# crash_dump writes out logcat logs at the bottom of tombstones,
# which is super useful in some cases.
unix_socket_connect(crash_dump, logdr, logd)

# Crash dump is not intended to access the following files. Since these
# are WAI, suppress the denials to clean up the logs.
dontaudit crash_dump {
  core_data_file_type
  vendor_file_type
}:dir search;
dontaudit crash_dump system_data_file:{ lnk_file file } read;
dontaudit crash_dump property_type:file read;

get_prop(crash_dump, misctrl_prop)

###
### neverallow assertions
###

# A domain transition must occur for crash_dump to get the privileges needed to trace the process.
# Do not allow the execution of crash_dump without a domain transition.
neverallow domain crash_dump_exec:file execute_no_trans;

# sigchld not explicitly forbidden since it's part of the
# domain-transition-on-exec macros, and is by itself not sensitive
neverallow crash_dump {
  apexd
  userdebug_or_eng(`-apexd')
  bpfloader
  init
  kernel
  keystore
  userdebug_or_eng(`-keystore')
  llkd
  userdebug_or_eng(`-llkd')
  logd
  userdebug_or_eng(`-logd')
  ueventd
  vendor_init
  vold
  userdebug_or_eng(`-vold')
}:process { ptrace signal sigstop sigkill };

neverallow crash_dump self:process ptrace;
neverallow crash_dump gpu_device:chr_file *;