Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / e79c506fe47d48dfe29a3aecda645eeebf73fd4f / . / private / crash_dump.te
blob: 31f01284becb79c5d3d61dd3db7b8286a0c80356 [file] [log] [blame]
Alex Klyubinf5446eb2017-03-23 14:27:32 -0700[diff] [blame]1typeattribute crash_dump coredomain;
Jeff Vander Stoep08aa7152018-06-13 22:10:37 -0700[diff] [blame]2
Jeff Vander Stoep1795d0b2019-03-13 20:50:25 -0700[diff] [blame]3# Crash dump does not need to access devices passed across exec().
Jeff Vander Stoep60bb29f2019-03-18 10:29:27 -0700[diff] [blame]4dontaudit crash_dump { devpts dev_type }:chr_file { read write };
Jeff Vander Stoep504a6542019-02-15 10:29:38 -0800[diff] [blame]5
Jeff Vander Stoep08aa7152018-06-13 22:10:37 -0700[diff] [blame]6allow crash_dump {
7 domain
Martijn Coenenac097ac2018-08-17 09:35:42 +0200[diff] [blame]8 -apexd
Jeff Vander Stoep08aa7152018-06-13 22:10:37 -0700[diff] [blame]9 -bpfloader
10 -crash_dump
David Brazdil28b34f12022-07-01 15:36:59 +0100[diff] [blame]11 -crosvm # TODO(b/236672526): Remove exception for crosvm
Janis Danisevskis2b6c6062021-11-09 17:49:02 -0800[diff] [blame]12 -diced
Jeff Vander Stoep08aa7152018-06-13 22:10:37 -0700[diff] [blame]13 -init
14 -kernel
15 -keystore
Mark Salyzyn275ea122018-08-07 16:03:47 -0700[diff] [blame]16 -llkd
Jeff Vander Stoep08aa7152018-06-13 22:10:37 -0700[diff] [blame]17 -logd
18 -ueventd
19 -vendor_init
20 -vold
21}:process { ptrace signal sigchld sigstop sigkill };
Max Biresf0939162021-04-30 11:08:07 -0700[diff] [blame]22
Mark Salyzyn275ea122018-08-07 16:03:47 -0700[diff] [blame]23userdebug_or_eng(`
Max Biresf0939162021-04-30 11:08:07 -0700[diff] [blame]24 allow crash_dump {
25 apexd
26 keystore
27 llkd
28 logd
29 vold
30 }:process { ptrace signal sigchld sigstop sigkill };
Mark Salyzyn275ea122018-08-07 16:03:47 -0700[diff] [blame]31')
Jeff Vander Stoep08aa7152018-06-13 22:10:37 -0700[diff] [blame]32
Nick Kralevich095fbea2018-09-13 11:07:14 -0700[diff] [blame]33###
34### neverallow assertions
35###
36
37# ptrace neverallow assertions are spread throughout the other policy
38# files, so we avoid adding redundant assertions here
39
Jeff Vander Stoep08aa7152018-06-13 22:10:37 -0700[diff] [blame]40neverallow crash_dump {
Andreas Gampeefece542019-03-05 08:36:36 -0800[diff] [blame]41 apexd
42 userdebug_or_eng(`-apexd')
Jeff Vander Stoep08aa7152018-06-13 22:10:37 -0700[diff] [blame]43 bpfloader
Janis Danisevskis2b6c6062021-11-09 17:49:02 -0800[diff] [blame]44 diced
Jeff Vander Stoep08aa7152018-06-13 22:10:37 -0700[diff] [blame]45 init
46 kernel
47 keystore
Max Biresf0939162021-04-30 11:08:07 -0700[diff] [blame]48 userdebug_or_eng(`-keystore')
Mark Salyzyn275ea122018-08-07 16:03:47 -0700[diff] [blame]49 llkd
50 userdebug_or_eng(`-llkd')
Jeff Vander Stoep08aa7152018-06-13 22:10:37 -0700[diff] [blame]51 logd
52 userdebug_or_eng(`-logd')
53 ueventd
54 vendor_init
55 vold
Jeff Sharkeyd1018962019-02-05 14:39:02 -0700[diff] [blame]56 userdebug_or_eng(`-vold')
Nick Kralevich095fbea2018-09-13 11:07:14 -0700[diff] [blame]57}:process { signal sigstop sigkill };
Alan Stokesb9cb73a2018-09-03 17:27:54 +0100[diff] [blame]58
59neverallow crash_dump self:process ptrace;
Jeff Vander Stoep504a6542019-02-15 10:29:38 -0800[diff] [blame]60neverallow crash_dump gpu_device:chr_file *;
Orion Hodson8f75f762020-10-16 15:29:55 +0100[diff] [blame]61
62# Read ART APEX data directory
63allow crash_dump apex_art_data_file:dir { getattr search };
64allow crash_dump apex_art_data_file:file r_file_perms;