platform_system_sepolicy/private/crash_dump.te
Janis Danisevskis 2b6c6063ae Diced: Add policy for diced the DICE daemon.
Bug: 198197213
Test: N/A
Change-Id: I5d0b06e3cd0c594cff6120856ca3bb4f7c1dd98d
2021-11-17 13:36:18 -08:00

64 lines
1.3 KiB
Text

typeattribute crash_dump coredomain;
# Crash dump does not need to access devices passed across exec().
dontaudit crash_dump { devpts dev_type }:chr_file { read write };
allow crash_dump {
domain
-apexd
-bpfloader
-crash_dump
-diced
-init
-kernel
-keystore
-llkd
-logd
-ueventd
-vendor_init
-vold
}:process { ptrace signal sigchld sigstop sigkill };
# TODO(b/186868271): Remove the keystore exception soon-ish (maybe by May 14, 2021?)
userdebug_or_eng(`
allow crash_dump {
apexd
keystore
llkd
logd
vold
}:process { ptrace signal sigchld sigstop sigkill };
')
###
### neverallow assertions
###
# ptrace neverallow assertions are spread throughout the other policy
# files, so we avoid adding redundant assertions here
neverallow crash_dump {
apexd
userdebug_or_eng(`-apexd')
bpfloader
diced
init
kernel
keystore
userdebug_or_eng(`-keystore')
llkd
userdebug_or_eng(`-llkd')
logd
userdebug_or_eng(`-logd')
ueventd
vendor_init
vold
userdebug_or_eng(`-vold')
}:process { signal sigstop sigkill };
neverallow crash_dump self:process ptrace;
neverallow crash_dump gpu_device:chr_file *;
# Read ART APEX data directory
allow crash_dump apex_art_data_file:dir { getattr search };
allow crash_dump apex_art_data_file:file r_file_perms;