b51c4dd39a
On 64 bit systems, all requests will first go to the 64 bit debuggerd which will redirect to the 32 bit debuggerd if necessary. This avoids any permissions problems where a java process needs to be able to read the elf data for executables. Instead the permissions are granted to debuggerd instead. Also remove the permissions to read the /system/bin executables from dumpstate since they aren't necessary any more. Bug: https://code.google.com/p/android/issues/detail?id=97024 Change-Id: I80ab1a177a110aa7381c2a4b516cfe71ef2a4808
122 lines
3.8 KiB
Plaintext
122 lines
3.8 KiB
Plaintext
# dumpstate
|
|
type dumpstate, domain, mlstrustedsubject;
|
|
type dumpstate_exec, exec_type, file_type;
|
|
|
|
init_daemon_domain(dumpstate)
|
|
net_domain(dumpstate)
|
|
binder_use(dumpstate)
|
|
|
|
# Drop privileges by switching UID / GID
|
|
allow dumpstate self:capability { setuid setgid };
|
|
|
|
# Allow dumpstate to scan through /proc/pid for all processes
|
|
r_dir_file(dumpstate, domain)
|
|
|
|
# Send signals to processes
|
|
allow dumpstate self:capability kill;
|
|
|
|
# Allow executing files on system, such as:
|
|
# /system/bin/toolbox
|
|
# /system/bin/logcat
|
|
# /system/bin/dumpsys
|
|
allow dumpstate system_file:file execute_no_trans;
|
|
|
|
# Create and write into /data/anr/
|
|
allow dumpstate self:capability { dac_override chown fowner fsetid };
|
|
allow dumpstate anr_data_file:dir { rw_dir_perms relabelto };
|
|
allow dumpstate anr_data_file:file create_file_perms;
|
|
allow dumpstate system_data_file:dir { create_dir_perms relabelfrom };
|
|
|
|
# Allow reading /data/system/uiderrors.txt
|
|
# TODO: scope this down.
|
|
allow dumpstate system_data_file:file r_file_perms;
|
|
|
|
# Read dmesg
|
|
allow dumpstate self:capability2 syslog;
|
|
allow dumpstate kernel:system syslog_read;
|
|
|
|
# Read /sys/fs/pstore/console-ramoops
|
|
allow dumpstate pstorefs:dir r_dir_perms;
|
|
allow dumpstate pstorefs:file r_file_perms;
|
|
|
|
# Get process attributes
|
|
allow dumpstate domain:process getattr;
|
|
|
|
# Signal java processes to dump their stack
|
|
allow dumpstate { appdomain system_server }:process signal;
|
|
|
|
# Signal native processes to dump their stack.
|
|
# This list comes from native_processes_to_dump in dumpstate/utils.c
|
|
allow dumpstate { drmserver mediaserver sdcardd surfaceflinger }:process signal;
|
|
# Ask debuggerd for the backtraces of these processes.
|
|
allow dumpstate { drmserver mediaserver sdcardd surfaceflinger }:debuggerd dump_backtrace;
|
|
|
|
# Execute and transition to the vdc domain
|
|
domain_auto_trans(dumpstate, vdc_exec, vdc)
|
|
|
|
# Vibrate the device after we're done collecting the bugreport
|
|
# /sys/class/timed_output/vibrator/enable
|
|
# TODO: create a new file class, instead of allowing write access to all of /sys
|
|
allow dumpstate sysfs:file w_file_perms;
|
|
|
|
# Other random bits of data we want to collect
|
|
allow dumpstate proc_net:dir search;
|
|
allow dumpstate qtaguid_proc:file r_file_perms;
|
|
allow dumpstate debugfs:file r_file_perms;
|
|
|
|
# Allow dumpstate to make binder calls to any binder service
|
|
binder_call(dumpstate, binderservicedomain)
|
|
binder_call(dumpstate, appdomain)
|
|
|
|
# Reading /proc/PID/maps of other processes
|
|
allow dumpstate self:capability sys_ptrace;
|
|
|
|
# Allow the bugreport service to create a file in
|
|
# /data/data/com.android.shell/files/bugreports/bugreport
|
|
allow dumpstate shell_data_file:dir create_dir_perms;
|
|
allow dumpstate shell_data_file:file create_file_perms;
|
|
|
|
# Run a shell.
|
|
allow dumpstate shell_exec:file rx_file_perms;
|
|
|
|
# For running am and similar framework commands.
|
|
# Run /system/bin/app_process.
|
|
allow dumpstate zygote_exec:file rx_file_perms;
|
|
# Dalvik Compiler JIT.
|
|
allow dumpstate ashmem_device:chr_file execute;
|
|
allow dumpstate dumpstate_tmpfs:file execute;
|
|
allow dumpstate self:process execmem;
|
|
# For art.
|
|
allow dumpstate dalvikcache_data_file:file execute;
|
|
|
|
# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
|
|
allow dumpstate gpu_device:chr_file rw_file_perms;
|
|
|
|
# logd access
|
|
read_logd(dumpstate)
|
|
control_logd(dumpstate)
|
|
|
|
# Read network state info files.
|
|
allow dumpstate net_data_file:dir search;
|
|
allow dumpstate net_data_file:file r_file_perms;
|
|
|
|
# Access /data/tombstones.
|
|
allow dumpstate tombstone_data_file:dir r_dir_perms;
|
|
allow dumpstate tombstone_data_file:file r_file_perms;
|
|
|
|
allow dumpstate {
|
|
drmserver_service
|
|
healthd_service
|
|
inputflinger_service
|
|
keystore_service
|
|
mediaserver_service
|
|
nfc_service
|
|
radio_service
|
|
surfaceflinger_service
|
|
system_app_service
|
|
system_server_service
|
|
tmp_system_server_service
|
|
}:service_manager find;
|
|
|
|
allow dumpstate servicemanager:service_manager list;
|