# dumpstate
#
# Domain for the dumpstate daemon, which collects bug reports. The domain is
# declared mlstrustedsubject, so MLS constraints do not bound what it can
# read; the allow rules below are the only thing limiting its reach. Every
# rule should stay paired with a comment naming the concrete path or tool it
# exists for, so the grant can be re-justified (or scoped down) later.
type dumpstate, domain, mlstrustedsubject;
type dumpstate_exec, exec_type, file_type;

net_domain(dumpstate)
binder_use(dumpstate)
wakelock_use(dumpstate)

# Allow setting process priority, protect from OOM killer, and dropping
# privileges by switching UID / GID
allow dumpstate self:capability { setuid setgid sys_resource };

# Allow dumpstate to scan through /proc/pid for all processes
# This is read access to the /proc entries of every domain on the device;
# ptrace attach itself is forbidden by the neverallow at the end of this file.
r_dir_file(dumpstate, domain)

allow dumpstate self:capability {
    # Send signals to processes
    kill
    # Run iptables
    net_raw
    net_admin
};

# Allow executing files on system, such as:
#   /system/bin/toolbox
#   /system/bin/logcat
#   /system/bin/dumpsys
allow dumpstate system_file:file execute_no_trans;
# Vendor binaries are only executable on non-full-Treble builds; the
# not_full_treble macro expands to nothing otherwise.
not_full_treble(`allow dumpstate vendor_file:file execute_no_trans;')
allow dumpstate toolbox_exec:file rx_file_perms;

# Create and write into /data/anr/
# NOTE(review): dac_override is a process-wide capability, not scoped to
# /data/anr/ -- it relaxes DAC (mode-bit) checks on every file the allow
# rules in this file reach, so keep the surrounding file grants narrow.
allow dumpstate self:capability { dac_override chown fowner fsetid };
allow dumpstate anr_data_file:dir rw_dir_perms;
allow dumpstate anr_data_file:file create_file_perms;

# Allow reading /data/system/uiderrors.txt
# TODO: scope this down.
# r_file_perms on the generic system_data_file type reaches far more than
# uiderrors.txt; a dedicated label for that file would close this.
allow dumpstate system_data_file:file r_file_perms;

# Read dmesg
allow dumpstate self:capability2 syslog;
allow dumpstate kernel:system syslog_read;

# Read /sys/fs/pstore/console-ramoops
allow dumpstate pstorefs:dir r_dir_perms;
allow dumpstate pstorefs:file r_file_perms;

# Get process attributes
allow dumpstate domain:process getattr;

# Signal java processes to dump their stack
allow dumpstate { appdomain system_server }:process signal;

# Signal native processes to dump their stack.
# Keep this list in sync with the two tables in dumpstate/utils.c named
# below; a domain missing here simply fails to dump (denial in the log),
# a domain added here without a matching entry there is an unused grant.
allow dumpstate {
  # This list comes from native_processes_to_dump in dumpstate/utils.c
  audioserver
  cameraserver
  drmserver
  inputflinger
  mediadrmserver
  mediaextractor
  mediaserver
  sdcardd
  surfaceflinger

  # This list comes from hal_interfaces_to_dump in dumpstate/utils.c
  hal_audio_server
  hal_bluetooth_server
  hal_camera_server
  hal_graphics_composer_server
  hal_vr_server
  mediacodec # TODO(b/36375899): hal_omx_server
}:process signal;

# Connect to tombstoned to intercept dumps.
unix_socket_connect(dumpstate, tombstoned_intercept, tombstoned)

# TODO: added to match above sysfs rule. Remove me?
# NOTE(review): no sysfs rule precedes this line in this file; the only other
# sysfs grant here is the sysfs_vibrator one further down. Because sysfs_usb
# is a specific label, this write rule is not caught by the neverallow on the
# generic sysfs type at the end of the file -- re-check whether it is needed.
allow dumpstate sysfs_usb:file w_file_perms;

# Other random bits of data we want to collect
allow dumpstate qtaguid_proc:file r_file_perms;
allow dumpstate debugfs:file r_file_perms;
# df for /storage/emulated needs search
allow dumpstate { storage_file block_device }:dir { search getattr };
allow dumpstate fuse_device:chr_file getattr;
allow dumpstate { dm_device cache_block_device }:blk_file getattr;

# Read /dev/cpuctl and /dev/cpuset
r_dir_file(dumpstate, cgroup)

# Allow dumpstate to make binder calls to any binder service
binder_call(dumpstate, binderservicedomain)
binder_call(dumpstate, { appdomain netd wificond })

# Client access to the dumpstate HAL and the graphics allocator HAL.
hal_client_domain(dumpstate, hal_dumpstate)
hal_client_domain(dumpstate, hal_graphics_allocator)
# Vibrate the device after we are done collecting the bugreport
hal_client_domain(dumpstate, hal_vibrator)
# For passthrough mode:
allow dumpstate sysfs_vibrator:file { rw_file_perms getattr };

# Reading /proc/PID/maps of other processes
# Only the capability is granted; the process:ptrace permission is explicitly
# denied by the neverallow at the end of this file.
allow dumpstate self:capability sys_ptrace;

# Allow the bugreport service to create a file in
# /data/data/com.android.shell/files/bugreports/bugreport
allow dumpstate shell_data_file:dir create_dir_perms;
allow dumpstate shell_data_file:file create_file_perms;

# Run a shell.
allow dumpstate shell_exec:file rx_file_perms;

# For running am and similar framework commands.
# Run /system/bin/app_process.
allow dumpstate zygote_exec:file rx_file_perms;
# Dalvik Compiler JIT.
# execmem permits anonymous writable+executable mappings, i.e. it relaxes
# W^X for this domain; it is here only because app_process JITs.
allow dumpstate ashmem_device:chr_file execute;
allow dumpstate self:process execmem;
# For art.
allow dumpstate dalvikcache_data_file:dir { search getattr };
allow dumpstate dalvikcache_data_file:file { r_file_perms execute };
allow dumpstate dalvikcache_data_file:lnk_file r_file_perms;

# For Bluetooth
allow dumpstate bluetooth_data_file:dir search;
allow dumpstate bluetooth_logs_data_file:dir r_dir_perms;
allow dumpstate bluetooth_logs_data_file:file r_file_perms;

# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
allow dumpstate gpu_device:chr_file rw_file_perms;

# logd access
read_logd(dumpstate)
control_logd(dumpstate)
read_runtime_log_tags(dumpstate)

# Read /proc/net
allow dumpstate proc_net:file r_file_perms;

# Read network state info files.
allow dumpstate net_data_file:dir search;
allow dumpstate net_data_file:file r_file_perms;

# List sockets via ss.
allow dumpstate self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };

# Access /data/tombstones.
allow dumpstate tombstone_data_file:dir r_dir_perms;
allow dumpstate tombstone_data_file:file r_file_perms;

# Access /cache/recovery
allow dumpstate cache_recovery_file:dir r_dir_perms;
allow dumpstate cache_recovery_file:file r_file_perms;

# Access /data/misc/recovery
allow dumpstate recovery_data_file:dir r_dir_perms;
allow dumpstate recovery_data_file:file r_file_perms;

# Access /data/misc/profiles/{cur,ref}/
# Debug builds only; the block is dropped from user builds.
userdebug_or_eng(`
  allow dumpstate user_profile_data_file:dir r_dir_perms;
  allow dumpstate user_profile_data_file:file r_file_perms;
')

# Access /data/misc/logd
# Debug builds only; the block is dropped from user builds.
userdebug_or_eng(`
  allow dumpstate misc_logd_file:dir r_dir_perms;
  allow dumpstate misc_logd_file:file r_file_perms;
')

# Look up any registered service except the listed exclusions; dumpstate
# registers dumpstate_service itself (add_service below) rather than
# finding it.
allow dumpstate { service_manager_type -gatekeeper_service -dumpstate_service -incident_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;
allow dumpstate servicemanager:service_manager list;
allow dumpstate hwservicemanager:hwservice_manager list;

# devpts read/write -- presumably the pty it is driven from when invoked
# interactively; confirm against the callers before narrowing.
allow dumpstate devpts:chr_file rw_file_perms;

# Set properties.
# dumpstate_prop is used to share state with the Shell app.
set_prop(dumpstate, dumpstate_prop)
# dumpstate_options_prop is used to pass extra command-line args.
set_prop(dumpstate, dumpstate_options_prop)

# Read device's serial number from system properties
get_prop(dumpstate, serialno_prop)

# Read state of logging-related properties
get_prop(dumpstate, device_logging_prop)

# Access to /data/media.
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
allow dumpstate media_rw_data_file:dir getattr;
# /proc/interrupts and /proc/zoneinfo for the report.
allow dumpstate proc_interrupts:file r_file_perms;
allow dumpstate proc_zoneinfo:file r_file_perms;

# Create a service for talking back to system_server
add_service(dumpstate, dumpstate_service)

###
### neverallow rules
###

# dumpstate has capability sys_ptrace, but should only use that capability for
# accessing sensitive /proc/PID files, never for using ptrace attach.
neverallow dumpstate *:process ptrace;

# only system_server, dumpstate and shell can find the dumpstate service
neverallow { domain -system_server -shell -dumpstate } dumpstate_service:service_manager find;

# Dumpstate should not be writing to any generically labeled sysfs files.
# Create a specific label for the file type
# (sysfs_usb and sysfs_vibrator above carry their own labels and are
# therefore outside this rule.)
neverallow dumpstate sysfs:file no_w_file_perms;
