type crash_dump, domain; type crash_dump_exec, system_file_type, exec_type, file_type; # crash_dump might inherit CAP_SYS_PTRACE from a privileged process, # which will result in an audit log even when it's allowed to trace. dontaudit crash_dump self:global_capability_class_set { sys_ptrace }; userdebug_or_eng(` allow crash_dump logd:process { ptrace signal sigchld sigstop sigkill }; # Let crash_dump write to /dev/kmsg_debug crashes that happen before logd comes up. allow crash_dump kmsg_debug_device:chr_file { open append }; ') # Use inherited file descriptors allow crash_dump domain:fd use; # Read/write IPC pipes inherited from crashing processes. allow crash_dump domain:fifo_file { read write }; # Append to pipes given to us by processes requesting dumps (e.g. dumpstate) allow crash_dump domain:fifo_file { append }; r_dir_file(crash_dump, domain) allow crash_dump exec_type:file r_file_perms; # Read /data/dalvik-cache. allow crash_dump dalvikcache_data_file:dir { search getattr }; allow crash_dump dalvikcache_data_file:file r_file_perms; # Read APK files. r_dir_file(crash_dump, apk_data_file); # Read all /vendor r_dir_file(crash_dump, { vendor_file same_process_hal_file }) # Talk to tombstoned unix_socket_connect(crash_dump, tombstoned_crash, tombstoned) # Talk to ActivityManager. unix_socket_connect(crash_dump, system_ndebug, system_server) # Append to ANR files. allow crash_dump anr_data_file:file { append getattr }; # Append to tombstone files. allow crash_dump tombstone_data_file:file { append getattr }; # crash_dump writes out logcat logs at the bottom of tombstones, # which is super useful in some cases. unix_socket_connect(crash_dump, logdr, logd) # Crash dump is not intended to access the following files. Since these # are WAI, suppress the denials to clean up the logs. dontaudit crash_dump { core_data_file_type vendor_file_type }:dir search; dontaudit crash_dump system_data_file:file read; dontaudit crash_dump property_type:file read; ### ### neverallow assertions ### # A domain transition must occur for crash_dump to get the privileges needed to trace the process. # Do not allow the execution of crash_dump without a domain transition. neverallow domain crash_dump_exec:file execute_no_trans;