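# dumpstate
#
# dumpstate is the bugreport collector. It is deliberately a very privileged
# domain: it reads per-process state for every domain, runs tools in its own
# domain, and carries sys_ptrace and dac_override. Everything it can read ends
# up in the bugreport, so every grant below should be the narrowest that the
# collector actually needs. The neverallow rules at the bottom of this file
# are the guard rails that keep the broad grants from turning into an
# arbitrary-process-control primitive.
#
# mlstrustedsubject: exempts dumpstate from MLS constraints, which is what lets
# it read data that is labelled with per-user / per-app MLS categories.
type dumpstate, domain, mlstrustedsubject;
type dumpstate_exec, exec_type, file_type;

net_domain(dumpstate)
binder_use(dumpstate)
wakelock_use(dumpstate)

# Allow setting process priority, protect from OOM killer, and dropping
# privileges by switching UID / GID
allow dumpstate self:global_capability_class_set { setuid setgid sys_resource };

# Allow dumpstate to scan through /proc/pid for all processes.
# Note: this grants read of every /proc/PID tree on the device (all domains),
# which is what makes dumpstate a high-value target; see the neverallow rules
# below that keep this from escalating to ptrace.
r_dir_file(dumpstate, domain)

allow dumpstate self:global_capability_class_set {
    # Send signals to processes
    kill
    # Run iptables. net_admin also permits reconfiguring networking, not just
    # listing rules; it is granted here for the iptables dumps only — do not
    # widen it for other tooling without a matching review.
    net_raw
    net_admin
};

# Allow executing files on system, such as:
#   /system/bin/toolbox
#   /system/bin/logcat
#   /system/bin/dumpsys
# execute_no_trans means the executed binary keeps running in the dumpstate
# domain, so any tool launched this way inherits every privilege in this file.
allow dumpstate system_file:file execute_no_trans;
not_full_treble(`allow dumpstate vendor_file:file execute_no_trans;')
allow dumpstate toolbox_exec:file rx_file_perms;

# hidl searches for files in /system/lib(64)/hw/
allow dumpstate system_file:dir r_dir_perms;

# Create and write into /data/anr/
# dac_override bypasses all DAC (mode bit) checks; SELinux type enforcement
# still applies, which is why the writable targets below are enumerated.
allow dumpstate self:global_capability_class_set { dac_override chown fowner fsetid };
allow dumpstate anr_data_file:dir rw_dir_perms;
allow dumpstate anr_data_file:file create_file_perms;

# Allow reading /data/system/uiderrors.txt
# TODO: scope this down. system_data_file is the label for far more of
# /data/system than this one file, so this rule grants read access to all of
# it; a dedicated file type for uiderrors.txt would let this be narrowed.
allow dumpstate system_data_file:file r_file_perms;

# Read dmesg
allow dumpstate self:global_capability2_class_set syslog;
allow dumpstate kernel:system syslog_read;

# Read /sys/fs/pstore/console-ramoops
allow dumpstate pstorefs:dir r_dir_perms;
allow dumpstate pstorefs:file r_file_perms;

# Get process attributes
allow dumpstate domain:process getattr;

# Signal java processes to dump their stack
allow dumpstate { appdomain system_server }:process signal;

# Signal native processes to dump their stack.
# These lists must be kept in sync with dumputils/dump_utils.c; a process
# added there without a matching domain here fails closed (denial, no dump).
allow dumpstate {
  # This list comes from native_processes_to_dump in dumputils/dump_utils.c
  audioserver
  cameraserver
  drmserver
  inputflinger
  mediadrmserver
  mediaextractor
  mediametrics
  mediaserver
  sdcardd
  surfaceflinger

  # This list comes from hal_interfaces_to_dump in dumputils/dump_utils.c
  hal_audio_server
  hal_bluetooth_server
  hal_camera_server
  hal_drm_server
  hal_graphics_composer_server
  hal_sensors_server
  hal_vr_server
  mediacodec # TODO(b/36375899): hal_omx_server
}:process signal;

# Connect to tombstoned to intercept dumps.
unix_socket_connect(dumpstate, tombstoned_intercept, tombstoned)

# Access to /sys
allow dumpstate sysfs_type:dir r_dir_perms;

allow dumpstate {
  sysfs_dm
  sysfs_usb
  sysfs_zram
}:file r_file_perms;

# Other random bits of data we want to collect.
# debugfs exposes kernel internals; this is read-only and limited to files.
allow dumpstate qtaguid_proc:file r_file_perms;
allow dumpstate debugfs:file r_file_perms;

# df over the following filesystems: directory search + getattr only, no
# content reads.
allow dumpstate {
  block_device
  cache_file
  metadata_file
  rootfs
  selinuxfs
  storage_file
  tmpfs
}:dir { search getattr };
allow dumpstate fuse_device:chr_file getattr;
allow dumpstate { dm_device cache_block_device }:blk_file getattr;
allow dumpstate { cache_file rootfs }:lnk_file { getattr read };

# Read /dev/cpuctl and /dev/cpuset
r_dir_file(dumpstate, cgroup)

# Allow dumpstate to make binder calls to any binder service.
# Note that this includes calls into untrusted app domains (appdomain); treat
# anything those calls return as untrusted input when it is written into the
# report.
binder_call(dumpstate, binderservicedomain)
binder_call(dumpstate, { appdomain netd wificond })

hal_client_domain(dumpstate, hal_dumpstate)
hal_client_domain(dumpstate, hal_graphics_allocator)
# Vibrate the device after we are done collecting the bugreport
hal_client_domain(dumpstate, hal_vibrator)

# Reading /proc/PID/maps of other processes.
# sys_ptrace is needed for the kernel's PTRACE_MODE_READ check on those files;
# it is NOT a grant of ptrace attach — the neverallow on process:ptrace below
# keeps the capability from being usable for that.
allow dumpstate self:global_capability_class_set sys_ptrace;

# Allow the bugreport service to create a file in
# /data/data/com.android.shell/files/bugreports/bugreport
allow dumpstate shell_data_file:dir create_dir_perms;
allow dumpstate shell_data_file:file create_file_perms;

# Run a shell.
allow dumpstate shell_exec:file rx_file_perms;

# For running am and similar framework commands.
# Run /system/bin/app_process.
allow dumpstate zygote_exec:file rx_file_perms;
# Dalvik Compiler JIT.
# execmem (and execute on ashmem) permits writable+executable memory in this
# domain, i.e. it weakens W^X for dumpstate itself. It exists only so the ART
# JIT works when app_process is launched here; keep it tied to that use.
allow dumpstate ashmem_device:chr_file execute;
allow dumpstate self:process execmem;
# For art.
allow dumpstate dalvikcache_data_file:dir { search getattr };
allow dumpstate dalvikcache_data_file:file { r_file_perms execute };
allow dumpstate dalvikcache_data_file:lnk_file r_file_perms;

# For Bluetooth
allow dumpstate bluetooth_data_file:dir search;
allow dumpstate bluetooth_logs_data_file:dir r_dir_perms;
allow dumpstate bluetooth_logs_data_file:file r_file_perms;

# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
allow dumpstate gpu_device:chr_file rw_file_perms;

# logd access.
# control_logd grants more than reading (presumably for logcat's clear/stats
# commands) — it can change logd state, not just observe it.
read_logd(dumpstate)
control_logd(dumpstate)
read_runtime_log_tags(dumpstate)

# Read files in /proc
allow dumpstate {
  proc_buddyinfo
  proc_cmdline
  proc_meminfo
  proc_modules
  proc_net
  proc_pipe_conf
  proc_pagetypeinfo
  proc_qtaguid_stat
  proc_version
  proc_vmallocinfo
  proc_vmstat
}:file r_file_perms;

# Read network state info files.
allow dumpstate net_data_file:dir search;
allow dumpstate net_data_file:file r_file_perms;

# List sockets via ss.
allow dumpstate self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };

# Access /data/tombstones.
allow dumpstate tombstone_data_file:dir r_dir_perms;
allow dumpstate tombstone_data_file:file r_file_perms;

# Access /cache/recovery
allow dumpstate cache_recovery_file:dir r_dir_perms;
allow dumpstate cache_recovery_file:file r_file_perms;

# Access /data/misc/recovery
allow dumpstate recovery_data_file:dir r_dir_perms;
allow dumpstate recovery_data_file:file r_file_perms;

# Access /data/misc/update_engine_log
allow dumpstate update_engine_log_data_file:dir r_dir_perms;
allow dumpstate update_engine_log_data_file:file r_file_perms;

# Access /data/misc/profiles/{cur,ref}/
# Debug-build only: these grants do not exist on user builds.
userdebug_or_eng(`
  allow dumpstate user_profile_data_file:dir r_dir_perms;
  allow dumpstate user_profile_data_file:file r_file_perms;
')

# Access /data/misc/logd
# Debug-build only: these grants do not exist on user builds.
userdebug_or_eng(`
  allow dumpstate misc_logd_file:dir r_dir_perms;
  allow dumpstate misc_logd_file:file r_file_perms;
')

# Find every registered service except the ones listed. This is a denylist,
# so a newly added service type is findable by dumpstate by default; add
# security-sensitive services to both lists here when they are introduced.
allow dumpstate {
  service_manager_type
  -dumpstate_service
  -gatekeeper_service
  -incident_service
  -virtual_touchpad_service
  -vold_service
  -vr_hwc_service
}:service_manager find;
# suppress denials for services dumpstate should not be accessing.
dontaudit dumpstate {
  dumpstate_service
  gatekeeper_service
  incident_service
  virtual_touchpad_service
  vold_service
  vr_hwc_service
}:service_manager find;

allow dumpstate servicemanager:service_manager list;
allow dumpstate hwservicemanager:hwservice_manager list;

# Read/write the controlling pty, presumably for when dumpstate is run
# interactively (e.g. from a shell) — TODO confirm the exact caller.
allow dumpstate devpts:chr_file rw_file_perms;

# Set properties.
# dumpstate_prop is used to share state with the Shell app.
set_prop(dumpstate, dumpstate_prop)
set_prop(dumpstate, exported_dumpstate_prop)
# dumpstate_options_prop is used to pass extra command-line args.
set_prop(dumpstate, dumpstate_options_prop)

# Read any system properties.
# Every property dumpstate can read may end up in the bugreport; anything
# sensitive kept in a property is therefore exposed through this path.
get_prop(dumpstate, property_type)

# Access to /data/media.
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
allow dumpstate media_rw_data_file:dir getattr;
allow dumpstate proc_interrupts:file r_file_perms;
allow dumpstate proc_zoneinfo:file r_file_perms;

# Create a service for talking back to system_server
add_service(dumpstate, dumpstate_service)

# use /dev/ion for screen capture
allow dumpstate ion_device:chr_file r_file_perms;

# Allow dumpstate to run top
allow dumpstate proc_stat:file r_file_perms;

# Allow dumpstate to talk to installd over binder
# (no trailing ';' — macro invocations in this file carry none)
binder_call(dumpstate, installd)

# Allow dumpstate to run ip xfrm policy
allow dumpstate self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read };

# Allow dumpstate to run iotop
allow dumpstate self:netlink_socket create_socket_perms_no_ioctl;
# newer kernels (e.g. 4.4) have a new class for sockets
allow dumpstate self:netlink_generic_socket create_socket_perms_no_ioctl;

# Allow dumpstate to kill vendor dumpstate service by init
# (ctl.* properties let init start/stop the service on dumpstate's behalf).
set_prop(dumpstate, ctl_dumpstate_prop)

###
### neverallow rules
###

# dumpstate has capability sys_ptrace, but should only use that capability for
# accessing sensitive /proc/PID files, never for using ptrace attach.
# This is the rule that keeps sys_ptrace + r_dir_file(domain) above from being
# a generic process-inspection/control primitive; do not weaken it.
neverallow dumpstate *:process ptrace;

# only system_server, dumpstate, traceur_app and shell can find the dumpstate service
# (dumpstate_service is the channel back into the collector; any domain that
# can find it can drive a bugreport, so additions here need review).
neverallow {
  domain
  -system_server
  -shell
  -traceur_app
  -dumpstate
} dumpstate_service:service_manager find;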
290