75806ef3c5
Ideally, public should only contain APIs (types / attributes) for vendor. The other statements like allow/neverallow/typeattributes are regarded as implementation detail for platform and should be in private. Bug: 232023812 Test: m selinux_policy Test: diff <(git diff --staged | grep "^-" | cut -b2- | sort) \ <(git diff --staged | grep "^+" | cut -b2- | sort) Test: remove comments on plat_sepolicy.cil, replace base_typeattr_* to base_typeattr and then compare old and new plat_sepolicy.cil Change-Id: I5e7d2da4465ab0216de6bacdf03077d37f6ffe12
141 lines
3.9 KiB
Text
141 lines
3.9 KiB
Text
typeattribute crash_dump coredomain;
|
|
|
|
# Crash dump does not need to access devices passed across exec().
|
|
dontaudit crash_dump { devpts dev_type }:chr_file { read write };
|
|
|
|
allow crash_dump {
|
|
domain
|
|
-apexd
|
|
-bpfloader
|
|
-crash_dump
|
|
-init
|
|
-kernel
|
|
-keystore
|
|
-llkd
|
|
-logd
|
|
-ueventd
|
|
-vendor_init
|
|
-vold
|
|
}:process { ptrace signal sigchld sigstop sigkill };
|
|
|
|
userdebug_or_eng(`
|
|
allow crash_dump {
|
|
apexd
|
|
keystore
|
|
llkd
|
|
logd
|
|
vold
|
|
}:process { ptrace signal sigchld sigstop sigkill };
|
|
')
|
|
|
|
# Read ART APEX data directory
|
|
allow crash_dump apex_art_data_file:dir { getattr search };
|
|
allow crash_dump apex_art_data_file:file r_file_perms;
|
|
|
|
# Allow crash dump to read bootstrap libraries
|
|
allow crash_dump system_bootstrap_lib_file:dir { getattr search };
|
|
allow crash_dump system_bootstrap_lib_file:file r_file_perms;
|
|
|
|
# Read Vendor APEX directories
|
|
allow crash_dump vendor_apex_metadata_file:dir { getattr search };
|
|
|
|
# crash_dump might inherit CAP_SYS_PTRACE from a privileged process,
|
|
# which will result in an audit log even when it's allowed to trace.
|
|
dontaudit crash_dump self:global_capability_class_set { sys_ptrace };
|
|
|
|
userdebug_or_eng(`
|
|
allow crash_dump logd:process { ptrace signal sigchld sigstop sigkill };
|
|
|
|
# Let crash_dump write to /dev/kmsg_debug crashes that happen before logd comes up.
|
|
allow crash_dump kmsg_debug_device:chr_file { open append };
|
|
')
|
|
|
|
# Use inherited file descriptors
|
|
allow crash_dump domain:fd use;
|
|
|
|
# Read/write IPC pipes inherited from crashing processes.
|
|
allow crash_dump domain:fifo_file { read write };
|
|
|
|
# Append to pipes given to us by processes requesting dumps (e.g. dumpstate)
|
|
allow crash_dump domain:fifo_file { append };
|
|
|
|
# Read information from /proc/$PID.
|
|
allow crash_dump domain:process getattr;
|
|
|
|
r_dir_file(crash_dump, domain)
|
|
allow crash_dump exec_type:file r_file_perms;
|
|
|
|
# Read /data/dalvik-cache.
|
|
allow crash_dump dalvikcache_data_file:dir { search getattr };
|
|
allow crash_dump dalvikcache_data_file:file r_file_perms;
|
|
|
|
# Read APEX data directories.
|
|
allow crash_dump apex_module_data_file:dir { getattr search };
|
|
|
|
# Read uptime
|
|
allow crash_dump proc_uptime:file r_file_perms;
|
|
|
|
# Read APK files.
|
|
r_dir_file(crash_dump, apk_data_file);
|
|
|
|
# Read all /vendor
|
|
r_dir_file(crash_dump, { vendor_file same_process_hal_file })
|
|
|
|
# Read all /data/local/tests
|
|
r_dir_file(crash_dump, shell_test_data_file)
|
|
|
|
# Talk to tombstoned
|
|
unix_socket_connect(crash_dump, tombstoned_crash, tombstoned)
|
|
|
|
# Talk to ActivityManager.
|
|
unix_socket_connect(crash_dump, system_ndebug, system_server)
|
|
|
|
# Append to ANR files.
|
|
allow crash_dump anr_data_file:file { append getattr };
|
|
|
|
# Append to tombstone files.
|
|
allow crash_dump tombstone_data_file:file { append getattr };
|
|
|
|
# crash_dump writes out logcat logs at the bottom of tombstones,
|
|
# which is super useful in some cases.
|
|
unix_socket_connect(crash_dump, logdr, logd)
|
|
|
|
# Crash dump is not intended to access the following files. Since these
|
|
# are WAI, suppress the denials to clean up the logs.
|
|
dontaudit crash_dump {
|
|
core_data_file_type
|
|
vendor_file_type
|
|
}:dir search;
|
|
dontaudit crash_dump system_data_file:{ lnk_file file } read;
|
|
dontaudit crash_dump property_type:file read;
|
|
|
|
###
|
|
### neverallow assertions
|
|
###
|
|
|
|
# A domain transition must occur for crash_dump to get the privileges needed to trace the process.
|
|
# Do not allow the execution of crash_dump without a domain transition.
|
|
neverallow domain crash_dump_exec:file execute_no_trans;
|
|
|
|
# sigchld not explicitly forbidden since it's part of the
|
|
# domain-transition-on-exec macros, and is by itself not sensitive
|
|
neverallow crash_dump {
|
|
apexd
|
|
userdebug_or_eng(`-apexd')
|
|
bpfloader
|
|
init
|
|
kernel
|
|
keystore
|
|
userdebug_or_eng(`-keystore')
|
|
llkd
|
|
userdebug_or_eng(`-llkd')
|
|
logd
|
|
userdebug_or_eng(`-logd')
|
|
ueventd
|
|
vendor_init
|
|
vold
|
|
userdebug_or_eng(`-vold')
|
|
}:process { ptrace signal sigstop sigkill };
|
|
|
|
neverallow crash_dump self:process ptrace;
|
|
neverallow crash_dump gpu_device:chr_file *;
|