platform_system_sepolicy/dumpstate.te

# dumpstate
type dumpstate, domain, mlstrustedsubject;
type dumpstate_exec, exec_type, file_type;

init_daemon_domain(dumpstate)
net_domain(dumpstate)
binder_use(dumpstate)

# Allow setting process priority, protect from OOM killer, and dropping
# privileges by switching UID / GID
allow dumpstate self:capability { setuid setgid sys_resource };

# Allow dumpstate to scan through /proc/pid for all processes
r_dir_file(dumpstate, domain)

# Send signals to processes
allow dumpstate self:capability kill;

# Allow executing files on system, such as:
#   /system/bin/toolbox
#   /system/bin/logcat
#   /system/bin/dumpsys
allow dumpstate system_file:file execute_no_trans;

# Create and write into /data/anr/
allow dumpstate self:capability { dac_override chown fowner fsetid };
allow dumpstate anr_data_file:dir { rw_dir_perms relabelto };
allow dumpstate anr_data_file:file create_file_perms;
allow dumpstate system_data_file:dir { create_dir_perms relabelfrom };

# Allow reading /data/system/uiderrors.txt
# TODO: scope this down.
allow dumpstate system_data_file:file r_file_perms;

# Read dmesg
allow dumpstate self:capability2 syslog;
allow dumpstate kernel:system syslog_read;

# Read /sys/fs/pstore/console-ramoops
allow dumpstate pstorefs:dir r_dir_perms;
allow dumpstate pstorefs:file r_file_perms;

# Get process attributes
allow dumpstate domain:process getattr;

# Signal java processes to dump their stack
allow dumpstate { appdomain system_server }:process signal;

# Signal native processes to dump their stack.
# This list comes from native_processes_to_dump in dumpstate/utils.c
allow dumpstate { drmserver mediaserver sdcardd surfaceflinger }:process signal;
# Ask debuggerd for the backtraces of these processes.
allow dumpstate { drmserver mediaserver sdcardd surfaceflinger }:debuggerd dump_backtrace;

# Execute and transition to the vdc domain
domain_auto_trans(dumpstate, vdc_exec, vdc)

# Vibrate the device after we're done collecting the bugreport
# /sys/class/timed_output/vibrator/enable
# TODO: create a new file class, instead of allowing write access to all of /sys
allow dumpstate sysfs:file w_file_perms;

# Other random bits of data we want to collect
allow dumpstate proc_net:dir search;
allow dumpstate qtaguid_proc:file r_file_perms;
allow dumpstate debugfs:file r_file_perms;

# Allow dumpstate to make binder calls to any binder service
binder_call(dumpstate, binderservicedomain)
binder_call(dumpstate, appdomain)

# Reading /proc/PID/maps of other processes
allow dumpstate self:capability sys_ptrace;

# Allow the bugreport service to create a file in
# /data/data/com.android.shell/files/bugreports/bugreport
allow dumpstate shell_data_file:dir create_dir_perms;
allow dumpstate shell_data_file:file create_file_perms;

# Run a shell.
allow dumpstate shell_exec:file rx_file_perms;

# For running am and similar framework commands.
# Run /system/bin/app_process.
allow dumpstate zygote_exec:file rx_file_perms;
# Dalvik Compiler JIT.
allow dumpstate ashmem_device:chr_file execute;
allow dumpstate dumpstate_tmpfs:file execute;
allow dumpstate self:process execmem;
# For art.
allow dumpstate dalvikcache_data_file:file execute;

# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
allow dumpstate gpu_device:chr_file rw_file_perms;

# logd access
read_logd(dumpstate)
control_logd(dumpstate)

# Read network state info files.
allow dumpstate net_data_file:dir search;
allow dumpstate net_data_file:file r_file_perms;

# Access /data/tombstones.
allow dumpstate tombstone_data_file:dir r_dir_perms;
allow dumpstate tombstone_data_file:file r_file_perms;

allow dumpstate {
    drmserver_service
    healthd_service
    inputflinger_service
    keystore_service
    mediaserver_service
    nfc_service
    radio_service
    surfaceflinger_service
    system_app_service
    system_server_service
    tmp_system_server_service
}:service_manager find;

allow dumpstate servicemanager:service_manager list;

allow dumpstate devpts:chr_file rw_file_perms;