public/debuggerd.te

# debugger interface
type debuggerd, domain;
type debuggerd_exec, exec_type, file_type;

typeattribute debuggerd mlstrustedsubject;
allow debuggerd self:capability { dac_override sys_ptrace chown kill fowner setuid setgid };
allow debuggerd self:capability2 { syslog };
allow debuggerd domain:dir r_dir_perms;
allow debuggerd domain:file r_file_perms;
allow debuggerd domain:lnk_file read;
allow debuggerd {
  domain
  -adbd
  -debuggerd
  -healthd
  -init
  -keystore
  -logd
  -ueventd
  -watchdogd
}:process { execmem ptrace getattr };

userdebug_or_eng(`
  allow debuggerd logd:process { execmem ptrace getattr };
')

allow debuggerd tombstone_data_file:dir rw_dir_perms;
allow debuggerd tombstone_data_file:file create_file_perms;
allow debuggerd shared_relro_file:dir r_dir_perms;
allow debuggerd shared_relro_file:file r_file_perms;
allow debuggerd domain:process { sigstop sigkill signal };
allow debuggerd { exec_type libart_file }:file r_file_perms;
allow debuggerd apk_data_file:file r_file_perms;
allow debuggerd apk_data_file:dir search;
# Access app library
allow debuggerd system_data_file:file open;
# Allow debuggerd to redirect a dump_backtrace request to itself.
# This only happens on 64 bit systems, where all requests go to the 64 bit
# debuggerd and get redirected to the 32 bit debuggerd if the process is 32 bit.

allow debuggerd {
  audioserver
  bluetooth
  cameraserver
  drmserver
  inputflinger
  mediacodec
  mediadrmserver
  mediaextractor
  mediaserver
  sdcardd
  surfaceflinger
}:debuggerd dump_backtrace;

# Connect to system_server via /data/system/ndebugsocket.
unix_socket_connect(debuggerd, system_ndebug, system_server)

userdebug_or_eng(`
  allow debuggerd input_device:dir r_dir_perms;
  allow debuggerd input_device:chr_file rw_file_perms;
')

# logd access
read_logd(debuggerd)

# Check SELinux permissions.
selinux_check_access(debuggerd)

# Read /data/dalvik-cache.
allow debuggerd dalvikcache_data_file:dir { search getattr };
allow debuggerd dalvikcache_data_file:file r_file_perms;