1# dumpstate
2type dumpstate, domain, domain_deprecated, mlstrustedsubject;
3type dumpstate_exec, exec_type, file_type;
4
5init_daemon_domain(dumpstate)
6net_domain(dumpstate)
7binder_use(dumpstate)
8
9# Allow setting process priority, protect from OOM killer, and dropping
10# privileges by switching UID / GID
11allow dumpstate self:capability { setuid setgid sys_resource };
12
13# Allow dumpstate to scan through /proc/pid for all processes
14r_dir_file(dumpstate, domain)
15
16allow dumpstate self:capability {
17    # Send signals to processes
18    kill
19    # Run iptables
20    net_raw
21    net_admin
22};
23
24# Allow executing files on system, such as:
25#   /system/bin/toolbox
26#   /system/bin/logcat
27#   /system/bin/dumpsys
28allow dumpstate system_file:file execute_no_trans;
29allow dumpstate toolbox_exec:file rx_file_perms;
30
31# Create and write into /data/anr/
32allow dumpstate self:capability { dac_override chown fowner fsetid };
33allow dumpstate anr_data_file:dir rw_dir_perms;
34allow dumpstate anr_data_file:file create_file_perms;
35
36# Allow reading /data/system/uiderrors.txt
37# TODO: scope this down.
38allow dumpstate system_data_file:file r_file_perms;
39
40# Read dmesg
41allow dumpstate self:capability2 syslog;
42allow dumpstate kernel:system syslog_read;
43
44# Read /sys/fs/pstore/console-ramoops
45allow dumpstate pstorefs:dir r_dir_perms;
46allow dumpstate pstorefs:file r_file_perms;
47
48# Get process attributes
49allow dumpstate domain:process getattr;
50
51# Signal java processes to dump their stack
52allow dumpstate { appdomain autoplay_app system_server }:process signal;
53
54# Signal native processes to dump their stack.
55# This list comes from native_processes_to_dump in dumpstate/utils.c
56allow dumpstate {
57  audioserver
58  cameraserver
59  drmserver
60  inputflinger
61  mediacodec
62  mediadrmserver
63  mediaextractor
64  mediaserver
65  sdcardd
66  surfaceflinger
67}:process signal;
68# Ask debuggerd for the backtraces of these processes.
69allow dumpstate {
70  audioserver
71  cameraserver
72  drmserver
73  inputflinger
74  mediacodec
75  mediadrmserver
76  mediaextractor
77  mediaserver
78  sdcardd
79  surfaceflinger
80}:debuggerd dump_backtrace;
81
82# Execute and transition to the vdc domain
83domain_auto_trans(dumpstate, vdc_exec, vdc)
84
85# Vibrate the device after we're done collecting the bugreport
86# /sys/class/timed_output/vibrator/enable
87# TODO: create a new file class, instead of allowing write access to all of /sys
88allow dumpstate sysfs:file w_file_perms;
89
90# TODO: added to match above sysfs rule. Remove me?
91allow dumpstate sysfs_usb:file w_file_perms;
92
93# Other random bits of data we want to collect
94allow dumpstate qtaguid_proc:file r_file_perms;
95allow dumpstate debugfs:file r_file_perms;
96# df for /storage/emulated needs search
97allow dumpstate { storage_file block_device }:dir { search getattr };
98allow dumpstate fuse_device:chr_file getattr;
99allow dumpstate { dm_device cache_block_device }:blk_file getattr;
100
101# Allow dumpstate to make binder calls to any binder service
102binder_call(dumpstate, binderservicedomain)
103binder_call(dumpstate, { appdomain autoplay_app netd })
104
105
106# Reading /proc/PID/maps of other processes
107allow dumpstate self:capability sys_ptrace;
108
109# Allow the bugreport service to create a file in
110# /data/data/com.android.shell/files/bugreports/bugreport
111allow dumpstate shell_data_file:dir create_dir_perms;
112allow dumpstate shell_data_file:file create_file_perms;
113
114# Run a shell.
115allow dumpstate shell_exec:file rx_file_perms;
116
117# For running am and similar framework commands.
118# Run /system/bin/app_process.
119allow dumpstate zygote_exec:file rx_file_perms;
120# Dalvik Compiler JIT.
121allow dumpstate ashmem_device:chr_file execute;
122allow dumpstate dumpstate_tmpfs:file execute;
123allow dumpstate self:process execmem;
124# For art.
125allow dumpstate dalvikcache_data_file:file execute;
126allow dumpstate dalvikcache_data_file:lnk_file r_file_perms;
127
128# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
129allow dumpstate gpu_device:chr_file rw_file_perms;
130
131# logd access
132read_logd(dumpstate)
133control_logd(dumpstate)
134
135# Read network state info files.
136allow dumpstate net_data_file:dir search;
137allow dumpstate net_data_file:file r_file_perms;
138
139# Access /data/tombstones.
140allow dumpstate tombstone_data_file:dir r_dir_perms;
141allow dumpstate tombstone_data_file:file r_file_perms;
142
143# Access /cache/recovery
144allow dumpstate cache_recovery_file:dir r_dir_perms;
145allow dumpstate cache_recovery_file:file r_file_perms;
146
147# Access /data/misc/recovery
148allow dumpstate recovery_data_file:dir r_dir_perms;
149allow dumpstate recovery_data_file:file r_file_perms;
150
151# Access /data/misc/logd
152userdebug_or_eng(`
153  allow dumpstate misc_logd_file:dir r_dir_perms;
154  allow dumpstate misc_logd_file:file r_file_perms;
155')
156
157allow dumpstate { service_manager_type -gatekeeper_service }:service_manager find;
158allow dumpstate servicemanager:service_manager list;
159
160allow dumpstate devpts:chr_file rw_file_perms;
161
162# Set properties.
163# dumpstate_prop is used to share state with the Shell app.
164set_prop(dumpstate, dumpstate_prop)
165
166# systrace support - allow atrace to run
167allow dumpstate debugfs_tracing:dir r_dir_perms;
168allow dumpstate debugfs_tracing:file rw_file_perms;
169allow dumpstate debugfs_trace_marker:file getattr;
170allow dumpstate atrace_exec:file rx_file_perms;
171
172# Access to /data/media.
173# This should be removed if sdcardfs is modified to alter the secontext for its
174# accesses to the underlying FS.
175allow dumpstate media_rw_data_file:dir getattr;
176