platform_system_sepolicy/private/crash_dump.te

typeattribute crash_dump coredomain;

# Crash dump does not need to access devices passed across exec().
dontaudit crash_dump { devpts dev_type }:chr_file { read write };

allow crash_dump {
  domain
  -apexd
  -bpfloader
  -crash_dump
  -crosvm # TODO(b/236672526): Remove exception for crosvm
  -diced
  -init
  -kernel
  -keystore
  -llkd
  -logd
  -ueventd
  -vendor_init
  -vold
}:process { ptrace signal sigchld sigstop sigkill };

userdebug_or_eng(`
  allow crash_dump {
    apexd
    keystore
    llkd
    logd
    vold
  }:process { ptrace signal sigchld sigstop sigkill };
')

# Read ART APEX data directory
allow crash_dump apex_art_data_file:dir { getattr search };
allow crash_dump apex_art_data_file:file r_file_perms;

###
### neverallow assertions
###

# sigchld not explicitly forbidden since it's part of the
# domain-transition-on-exec macros, and is by itself not sensitive
neverallow crash_dump {
  apexd
  userdebug_or_eng(`-apexd')
  bpfloader
  diced
  init
  kernel
  keystore
  userdebug_or_eng(`-keystore')
  llkd
  userdebug_or_eng(`-llkd')
  logd
  userdebug_or_eng(`-logd')
  ueventd
  vendor_init
  vold
  userdebug_or_eng(`-vold')
}:process { ptrace signal sigstop sigkill };

neverallow crash_dump self:process ptrace;
neverallow crash_dump gpu_device:chr_file *;