f09391624a
This will make debugging of keystore issues in dogfood populations much easier than it previously was, as developers will have detailed crash dump reporting on any issues that do occur. Bug: 186868271 Bug: 184006658 Test: crash dumps appear if keystore2 explodes Change-Id: Ifb36cbf96eb063c9290905178b2fdc5934050b99
62 lines
1.3 KiB
Text
62 lines
1.3 KiB
Text
typeattribute crash_dump coredomain;
|
|
|
|
# Crash dump does not need to access devices passed across exec().
|
|
dontaudit crash_dump { devpts dev_type }:chr_file { read write };
|
|
|
|
allow crash_dump {
|
|
domain
|
|
-apexd
|
|
-bpfloader
|
|
-crash_dump
|
|
-init
|
|
-kernel
|
|
-keystore
|
|
-llkd
|
|
-logd
|
|
-ueventd
|
|
-vendor_init
|
|
-vold
|
|
}:process { ptrace signal sigchld sigstop sigkill };
|
|
|
|
# TODO(b/186868271): Remove the keystore exception soon-ish (maybe by May 14, 2021?)
|
|
userdebug_or_eng(`
|
|
allow crash_dump {
|
|
apexd
|
|
keystore
|
|
llkd
|
|
logd
|
|
vold
|
|
}:process { ptrace signal sigchld sigstop sigkill };
|
|
')
|
|
|
|
###
|
|
### neverallow assertions
|
|
###
|
|
|
|
# ptrace neverallow assertions are spread throughout the other policy
|
|
# files, so we avoid adding redundant assertions here
|
|
|
|
neverallow crash_dump {
|
|
apexd
|
|
userdebug_or_eng(`-apexd')
|
|
bpfloader
|
|
init
|
|
kernel
|
|
keystore
|
|
userdebug_or_eng(`-keystore')
|
|
llkd
|
|
userdebug_or_eng(`-llkd')
|
|
logd
|
|
userdebug_or_eng(`-logd')
|
|
ueventd
|
|
vendor_init
|
|
vold
|
|
userdebug_or_eng(`-vold')
|
|
}:process { signal sigstop sigkill };
|
|
|
|
neverallow crash_dump self:process ptrace;
|
|
neverallow crash_dump gpu_device:chr_file *;
|
|
|
|
# Read ART APEX data directory
|
|
allow crash_dump apex_art_data_file:dir { getattr search };
|
|
allow crash_dump apex_art_data_file:file r_file_perms;
|