1# debugger interface
# Declare the debuggerd process domain and the label carried by its executable.
# NOTE(review): domain_deprecated is defined outside this file; presumably it marks
# domains that still inherit older, broader access -- confirm against its definition.
2type debuggerd, domain, domain_deprecated;
3type debuggerd_exec, exec_type, file_type;
4
# init_daemon_domain is a macro defined outside this file; presumably it sets up the
# transition from init into this domain when debuggerd_exec is run -- confirm in te_macros.
5init_daemon_domain(debuggerd)
# NOTE(review): mlstrustedsubject presumably exempts this domain from MLS/category
# separation so it can reach processes at any level -- verify against the mls constraints.
6typeattribute debuggerd mlstrustedsubject;
# Capabilities the daemon holds on itself. With dac_override and sys_ptrace the usual
# file permission bits and ptrace ownership checks no longer limit this process, and
# setuid/setgid let it change identity; the SELinux rules in this file are therefore
# the effective boundary on what it can touch.
7allow debuggerd self:capability { dac_override sys_ptrace chown kill fowner setuid setgid };
# syslog lives in the capability2 class, hence the separate rule.
8allow debuggerd self:capability2 { syslog };
# Read-only access to directories, files and symlinks labeled with any domain type
# (in practice the per-process entries under /proc -- TODO confirm no other files
# carry a domain label on this platform).
9allow debuggerd domain:dir r_dir_perms;
10allow debuggerd domain:file r_file_perms;
11allow debuggerd domain:lnk_file read;
# Attach-and-inspect rights: ptrace and getattr on every type carrying the domain
# attribute, minus the seven types subtracted in the set (adbd, debuggerd itself,
# healthd, init, keystore, ueventd, watchdogd).
# NOTE(review): ptrace gives read/write access to the memory and registers of the
# target, so every domain that is not subtracted here has to be treated as exposed
# if debuggerd is ever compromised. The reason for each exclusion is not stated in
# this file -- presumably these processes hold state that is too sensitive or too
# critical to stop; confirm before adding or removing entries.
12allow debuggerd {
13  domain
14  -adbd
15  -debuggerd
16  -healthd
17  -init
18  -keystore
19  -ueventd
20  -watchdogd
21}:process { ptrace getattr };
# security_access_policy is a macro defined outside this file.
# NOTE(review): presumably grants read access to the SELinux policy files -- confirm.
22security_access_policy(debuggerd)
# Crash dump output: modify the tombstone directory and create/write files in it.
23allow debuggerd tombstone_data_file:dir rw_dir_perms;
24allow debuggerd tombstone_data_file:file create_file_perms;
# Read-only access to shared_relro_file directories and files.
25allow debuggerd shared_relro_file:dir r_dir_perms;
26allow debuggerd shared_relro_file:file r_file_perms;
# Signals to any domain. Unlike the ptrace rule in this file, this rule has no
# subtraction set, so sigstop/sigkill/signal also cover init, keystore and the other
# types that are shielded from ptrace. NOTE(review): confirm that this is intended.
27allow debuggerd domain:process { sigstop sigkill signal };
# Read any file whose type has the exec_type attribute
# (presumably to read binaries for symbols while unwinding -- TODO confirm).
28allow debuggerd exec_type:file r_file_perms;
29# Access app library
# Only the open permission is granted on system_data_file here.
# NOTE(review): open alone does not allow reading file contents; whether read is
# granted elsewhere (for example through an attribute rule) is not visible in this file.
30allow debuggerd system_data_file:file open;
31# Allow debuggerd to redirect a dump_backtrace request to itself.
32# This only happens on 64 bit systems, where all requests go to the 64 bit
33# debuggerd and get redirected to the 32 bit debuggerd if the process is 32 bit.
# NOTE(review): in the rule below, the word debuggerd after the closing brace is an
# object class, not the domain, and dump_backtrace is a permission in that class.
# The rule makes the debuggerd domain the source and the listed native service
# domains the targets. Presumably this class is checked in userspace by the daemon
# rather than by the kernel (see selinux_check_access at the end of this file) --
# confirm. Each domain added to this list becomes a permitted backtrace target for
# a redirected request, so keep the list limited to services that need it.
34
35allow debuggerd {
36  audioserver
37  bluetooth
38  cameraserver
39  drmserver
40  inputflinger
41  mediacodec
42  mediadrmserver
43  mediaextractor
44  mediaserver
45  sdcardd
46  surfaceflinger
47}:debuggerd dump_backtrace;
48
49# Connect to system_server via /data/system/ndebugsocket.
# unix_socket_connect is a macro defined outside this file; the arguments name the
# client domain, the socket (system_ndebug) and the server domain (system_server).
50unix_socket_connect(debuggerd, system_ndebug, system_server)
51
# The two rules wrapped in userdebug_or_eng grant read access to input_device
# directories and read/write access to input device character nodes, which carry
# user input events. NOTE(review): the macro is defined outside this file and is
# presumably expanded only for userdebug and eng builds -- verify that release (user)
# builds never contain these rules.
52userdebug_or_eng(`
53  allow debuggerd input_device:dir r_dir_perms;
54  allow debuggerd input_device:chr_file rw_file_perms;
55')
56
57# logd access
# read_logd is a macro defined outside this file; presumably it lets this domain read
# log buffers from logd, which can hold output from other processes -- TODO confirm scope.
58read_logd(debuggerd)
59
60# Check SELinux permissions.
# selinux_check_access is a macro defined outside this file; presumably it lets this
# domain ask SELinux for access decisions, which would back a userspace check of the
# dump_backtrace permission granted earlier in this file -- confirm.
61selinux_check_access(debuggerd)
62