Blame - debuggerd.te - android_system_sepolicy

blob: 0e3cf68055f8406ea53a72d66441f35a8ebe70ff [file] [log] [blame]

Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	1	# debugger interface
Jeff Vander Stoep	d22987b	2015-11-03 09:54:39 -0800	[diff] [blame]	2	type debuggerd, domain, domain_deprecated;
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	3	type debuggerd_exec, exec_type, file_type;
				4
				5	init_daemon_domain(debuggerd)
Stephen Smalley	258cb17	2013-10-29 14:42:35 -0400	[diff] [blame]	6	typeattribute debuggerd mlstrustedsubject;
				7	allow debuggerd self:capability { dac_override sys_ptrace chown kill fowner };
				8	allow debuggerd self:capability2 { syslog };
				9	allow debuggerd domain:dir r_dir_perms;
				10	allow debuggerd domain:file r_file_perms;
Elliott Hughes	38138c2	2014-05-16 19:14:13 -0700	[diff] [blame]	11	allow debuggerd domain:lnk_file read;
Stephen Smalley	ba99249	2014-07-24 15:25:43 -0400	[diff] [blame]	12	allow debuggerd { domain -init -ueventd -watchdogd -healthd -adbd -keystore }:process { ptrace getattr };
Stephen Smalley	258cb17	2013-10-29 14:42:35 -0400	[diff] [blame]	13	security_access_policy(debuggerd)
				14	allow debuggerd system_data_file:dir create_dir_perms;
				15	allow debuggerd system_data_file:dir relabelfrom;
Nick Kralevich	08f01a3	2013-07-12 15:38:41 -0700	[diff] [blame]	16	allow debuggerd tombstone_data_file:dir relabelto;
Stephen Smalley	258cb17	2013-10-29 14:42:35 -0400	[diff] [blame]	17	allow debuggerd tombstone_data_file:dir create_dir_perms;
				18	allow debuggerd tombstone_data_file:file create_file_perms;
dcashman	cd10eb9	2014-08-18 17:09:38 -0700	[diff] [blame]	19	allow debuggerd shared_relro_file:dir r_dir_perms;
				20	allow debuggerd shared_relro_file:file r_file_perms;
Stephen Smalley	258cb17	2013-10-29 14:42:35 -0400	[diff] [blame]	21	allow debuggerd domain:process { sigstop signal };
				22	allow debuggerd exec_type:file r_file_perms;
				23	# Access app library
				24	allow debuggerd system_data_file:file open;
Christopher Ferris	b51c4dd	2015-01-18 17:39:53 -0800	[diff] [blame]	25	# Allow debuggerd to redirect a dump_backtrace request to itself.
				26	# This only happens on 64 bit systems, where all requests go to the 64 bit
				27	# debuggerd and get redirected to the 32 bit debuggerd if the process is 32 bit.
				28	allow debuggerd { drmserver mediaserver sdcardd surfaceflinger inputflinger }:debuggerd dump_backtrace;
Stephen Smalley	45ba665	2013-09-27 10:24:49 -0400	[diff] [blame]	29
				30	# Connect to system_server via /data/system/ndebugsocket.
				31	unix_socket_connect(debuggerd, system_ndebug, system_server)
Mark Salyzyn	8ed750e	2013-11-12 15:34:52 -0800	[diff] [blame]	32
Nick Kralevich	116a20f	2014-02-05 16:36:25 -0800	[diff] [blame]	33	userdebug_or_eng(`
				34	allow debuggerd input_device:dir r_dir_perms;
				35	allow debuggerd input_device:chr_file rw_file_perms;
				36	')
				37
Mark Salyzyn	8ed750e	2013-11-12 15:34:52 -0800	[diff] [blame]	38	# logd access
				39	read_logd(debuggerd)
Stephen Smalley	ba99249	2014-07-24 15:25:43 -0400	[diff] [blame]	40
				41	# Check SELinux permissions.
				42	selinux_check_access(debuggerd)