Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / cb5f4a3dd8acd5c58bb2f0e65c6b4c256a1ec614 / . / public / debuggerd.te
blob: 0222e347039486df5064232bc57423257c1482c5 [file] [log] [blame]
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]1# debugger interface
Jeff Vander Stoepd22987b2015-11-03 09:54:39 -0800[diff] [blame]2type debuggerd, domain, domain_deprecated;
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]3type debuggerd_exec, exec_type, file_type;
4
Stephen Smalley258cb172013-10-29 14:42:35 -0400[diff] [blame]5typeattribute debuggerd mlstrustedsubject;
Josh Gao2b93db72015-11-17 16:21:38 -0800[diff] [blame]6allow debuggerd self:capability { dac_override sys_ptrace chown kill fowner setuid setgid };
Stephen Smalley258cb172013-10-29 14:42:35 -0400[diff] [blame]7allow debuggerd self:capability2 { syslog };
8allow debuggerd domain:dir r_dir_perms;
9allow debuggerd domain:file r_file_perms;
Elliott Hughes38138c22014-05-16 19:14:13 -0700[diff] [blame]10allow debuggerd domain:lnk_file read;
Nick Kralevich2d6fa722016-04-27 12:32:36 -0700[diff] [blame]11allow debuggerd {
12 domain
13 -adbd
14 -debuggerd
15 -healthd
16 -init
17 -keystore
Nick Kralevichcb5f4a32016-12-05 14:01:28 -0800[diff] [blame^]18 -logd
Nick Kralevich2d6fa722016-04-27 12:32:36 -0700[diff] [blame]19 -ueventd
20 -watchdogd
Janis Danisevskis071b9352016-09-14 10:00:13 +0100[diff] [blame]21}:process { execmem ptrace getattr };
Nick Kralevichcb5f4a32016-12-05 14:01:28 -0800[diff] [blame^]22
23userdebug_or_eng(`
24 allow debuggerd logd:process { execmem ptrace getattr };
25')
26
Josh Gao2b93db72015-11-17 16:21:38 -0800[diff] [blame]27allow debuggerd tombstone_data_file:dir rw_dir_perms;
Stephen Smalley258cb172013-10-29 14:42:35 -0400[diff] [blame]28allow debuggerd tombstone_data_file:file create_file_perms;
dcashmancd10eb92014-08-18 17:09:38 -0700[diff] [blame]29allow debuggerd shared_relro_file:dir r_dir_perms;
30allow debuggerd shared_relro_file:file r_file_perms;
Josh Gao48141c32016-03-08 18:02:15 -0800[diff] [blame]31allow debuggerd domain:process { sigstop sigkill signal };
Nick Kralevich364fd192016-11-08 09:08:55 -0800[diff] [blame]32allow debuggerd { exec_type libart_file }:file r_file_perms;
Stephen Smalley258cb172013-10-29 14:42:35 -0400[diff] [blame]33# Access app library
34allow debuggerd system_data_file:file open;
Christopher Ferrisb51c4dd2015-01-18 17:39:53 -0800[diff] [blame]35# Allow debuggerd to redirect a dump_backtrace request to itself.
36# This only happens on 64 bit systems, where all requests go to the 64 bit
37# debuggerd and get redirected to the 32 bit debuggerd if the process is 32 bit.
Chien-Yu Chene0378302015-12-03 16:10:05 -0800[diff] [blame]38
Andreas Gampe0983db42016-05-11 18:40:27 -0700[diff] [blame]39allow debuggerd {
40 audioserver
Andreas Gampecbfa8dd2016-05-12 17:28:34 -0700[diff] [blame]41 bluetooth
Andreas Gampe0983db42016-05-11 18:40:27 -0700[diff] [blame]42 cameraserver
43 drmserver
44 inputflinger
45 mediacodec
46 mediadrmserver
47 mediaextractor
48 mediaserver
49 sdcardd
50 surfaceflinger
51}:debuggerd dump_backtrace;
Stephen Smalley45ba6652013-09-27 10:24:49 -0400[diff] [blame]52
53# Connect to system_server via /data/system/ndebugsocket.
54unix_socket_connect(debuggerd, system_ndebug, system_server)
Mark Salyzyn8ed750e2013-11-12 15:34:52 -0800[diff] [blame]55
Nick Kralevich116a20f2014-02-05 16:36:25 -0800[diff] [blame]56userdebug_or_eng(`
57 allow debuggerd input_device:dir r_dir_perms;
58 allow debuggerd input_device:chr_file rw_file_perms;
59')
60
Mark Salyzyn8ed750e2013-11-12 15:34:52 -0800[diff] [blame]61# logd access
62read_logd(debuggerd)
Stephen Smalleyba992492014-07-24 15:25:43 -0400[diff] [blame]63
64# Check SELinux permissions.
65selinux_check_access(debuggerd)
Jeff Vander Stoep7ef80732016-09-09 16:27:17 -0700[diff] [blame]66
67# Read /data/dalvik-cache.
68allow debuggerd dalvikcache_data_file:dir { search getattr };
69allow debuggerd dalvikcache_data_file:file r_file_perms;