504a654983
And add neverallow so that it's removed from partner policy if it was added there due to denials. Fixes: 124476401 Test: build Change-Id: I16903ba43f34011a0753b5267c35425dc7145f05
47 lines
917 B
Text
47 lines
917 B
Text
typeattribute crash_dump coredomain;
|
|
|
|
# Crash dump does not need to access the GPU.
|
|
dontaudit crash_dump gpu_device:chr_file *;
|
|
|
|
allow crash_dump {
|
|
domain
|
|
-apexd
|
|
-bpfloader
|
|
-crash_dump
|
|
-init
|
|
-kernel
|
|
-keystore
|
|
-llkd
|
|
-logd
|
|
-ueventd
|
|
-vendor_init
|
|
-vold
|
|
}:process { ptrace signal sigchld sigstop sigkill };
|
|
userdebug_or_eng(`
|
|
allow crash_dump { llkd logd vold }:process { ptrace signal sigchld sigstop sigkill };
|
|
')
|
|
|
|
###
|
|
### neverallow assertions
|
|
###
|
|
|
|
# ptrace neverallow assertions are spread throughout the other policy
|
|
# files, so we avoid adding redundant assertions here
|
|
|
|
neverallow crash_dump {
|
|
bpfloader
|
|
init
|
|
kernel
|
|
keystore
|
|
llkd
|
|
userdebug_or_eng(`-llkd')
|
|
logd
|
|
userdebug_or_eng(`-logd')
|
|
ueventd
|
|
vendor_init
|
|
vold
|
|
userdebug_or_eng(`-vold')
|
|
}:process { signal sigstop sigkill };
|
|
|
|
neverallow crash_dump self:process ptrace;
|
|
neverallow crash_dump gpu_device:chr_file *;
|