# dumpstate
#
# SELinux policy for the dumpstate domain, the process that collects bugreports
# (see the bugreport output rules for shell_data_file and the hal_vibrator rule
# below). Nearly every grant in this file is read access to logs, /proc, /sys,
# and service dumps; the neverallow rules at the end bound the most sensitive
# grant (sys_ptrace) and restrict which domains can look up dumpstate's service.
type dumpstate, domain, mlstrustedsubject;
type dumpstate_exec, system_file_type, exec_type, file_type;

net_domain(dumpstate)
binder_use(dumpstate)
wakelock_use(dumpstate)

# Allow setting process priority, protect from OOM killer, and dropping
# privileges by switching UID / GID
allow dumpstate self:global_capability_class_set { setuid setgid sys_resource };

# Allow dumpstate to scan through /proc/pid for all processes
# (the `domain` attribute covers every process type, so this is read access to
# the /proc/PID tree of every domain on the device).
r_dir_file(dumpstate, domain)

allow dumpstate self:global_capability_class_set {
    # Send signals to processes
    kill
    # Run iptables
    net_raw
    net_admin
};

# Allow executing files on system, such as:
# /system/bin/toolbox
# /system/bin/logcat
# /system/bin/dumpsys
allow dumpstate system_file:file execute_no_trans;
not_full_treble(`allow dumpstate vendor_file:file execute_no_trans;')
allow dumpstate toolbox_exec:file rx_file_perms;

# hidl searches for files in /system/lib(64)/hw/
allow dumpstate system_file:dir r_dir_perms;

# Create and write into /data/anr/
# dac_override / dac_read_search bypass the DAC (uid/gid mode bit) checks;
# chown / fowner / fsetid let dumpstate fix up ownership and mode bits of the
# files it creates there.
allow dumpstate self:global_capability_class_set { dac_override dac_read_search chown fowner fsetid };
allow dumpstate anr_data_file:dir rw_dir_perms;
allow dumpstate anr_data_file:file create_file_perms;

# Allow reading /data/system/uiderrors.txt
# TODO: scope this down.
# Note: this grants read on every file labelled system_data_file, not only
# uiderrors.txt, which is why the TODO above exists.
allow dumpstate system_data_file:file r_file_perms;

# Allow dumpstate to append into apps' private files.
# Append only: no read, create or truncate on these types.
allow dumpstate { privapp_data_file app_data_file }:file append;

# Read dmesg
allow dumpstate self:global_capability2_class_set syslog;
allow dumpstate kernel:system syslog_read;

# Read /sys/fs/pstore/console-ramoops
allow dumpstate pstorefs:dir r_dir_perms;
allow dumpstate pstorefs:file r_file_perms;

# Get process attributes
allow dumpstate domain:process getattr;

# Signal java processes to dump their stack
allow dumpstate { appdomain system_server zygote }:process signal;

# Signal native processes to dump their stack.
# Keep both lists in sync with dumputils/dump_utils.c; a process missing here
# will silently fail to be signalled (the denial is audited, not fatal).
allow dumpstate {
    # This list comes from native_processes_to_dump in dumputils/dump_utils.c
    audioserver
    cameraserver
    drmserver
    inputflinger
    mediadrmserver
    mediaextractor
    mediametrics
    mediaserver
    mediaswcodec
    sdcardd
    surfaceflinger
    vold

    # This list comes from hal_interfaces_to_dump in dumputils/dump_utils.c
    hal_audio_server
    hal_audiocontrol_server
    hal_bluetooth_server
    hal_camera_server
    hal_codec2_server
    hal_drm_server
    hal_evs_server
    hal_face_server
    hal_fingerprint_server
    hal_graphics_allocator_server
    hal_graphics_composer_server
    hal_health_server
    hal_neuralnetworks_server
    hal_omx_server
    hal_power_server
    hal_power_stats_server
    hal_sensors_server
    hal_thermal_server
    hal_vehicle_server
    hal_vr_server
    system_suspend_server
}:process signal;

# Connect to tombstoned to intercept dumps.
unix_socket_connect(dumpstate, tombstoned_intercept, tombstoned)

# Access to /sys
allow dumpstate sysfs_type:dir r_dir_perms;

allow dumpstate {
    sysfs_devices_block
    sysfs_dm
    sysfs_loop
    sysfs_usb
    sysfs_zram
}:file r_file_perms;

# Other random bits of data we want to collect
# auditallow logs every *granted* debugfs read, so the remaining debugfs
# consumers can be tracked down and this grant eventually removed.
no_debugfs_restriction(`
    allow dumpstate debugfs:file r_file_perms;
    auditallow dumpstate debugfs:file r_file_perms;

    allow dumpstate debugfs_mmc:file r_file_perms;
')

# df for
# Only metadata (search/getattr) on mount points and block devices; no read
# access to their contents.
allow dumpstate {
    block_device
    cache_file
    metadata_file
    rootfs
    selinuxfs
    storage_file
    tmpfs
}:dir { search getattr };
allow dumpstate fuse_device:chr_file getattr;
allow dumpstate { dm_device cache_block_device }:blk_file getattr;
allow dumpstate { cache_file rootfs }:lnk_file { getattr read };

# Read /dev/cpuctl and /dev/cpuset
r_dir_file(dumpstate, cgroup)
r_dir_file(dumpstate, cgroup_v2)

# Allow dumpstate to make binder calls to any binder service
binder_call(dumpstate, binderservicedomain)
binder_call(dumpstate, { appdomain netd wificond })

dump_hal(hal_dumpstate)
dump_hal(hal_wifi)
dump_hal(hal_graphics_allocator)
dump_hal(hal_light)
dump_hal(hal_neuralnetworks)
dump_hal(hal_thermal)
dump_hal(hal_power)
dump_hal(hal_power_stats)
dump_hal(hal_identity)
dump_hal(hal_face)
dump_hal(hal_fingerprint)
dump_hal(hal_gnss)

# Vibrate the device after we are done collecting the bugreport
hal_client_domain(dumpstate, hal_vibrator)

# Reading /proc/PID/maps of other processes
# The neverallow in the "neverallow rules" section below forbids process:ptrace,
# so this capability is usable only for the privileged /proc/PID reads.
allow dumpstate self:global_capability_class_set sys_ptrace;

# Allow the bugreport service to create a file in
# /data/data/com.android.shell/files/bugreports/bugreport
allow dumpstate shell_data_file:dir create_dir_perms;
allow dumpstate shell_data_file:file create_file_perms;

# Run a shell.
allow dumpstate shell_exec:file rx_file_perms;

# For running am and similar framework commands.
# Run /system/bin/app_process.
allow dumpstate zygote_exec:file rx_file_perms;

# For Bluetooth
allow dumpstate bluetooth_data_file:dir search;
allow dumpstate bluetooth_logs_data_file:dir r_dir_perms;
allow dumpstate bluetooth_logs_data_file:file r_file_perms;

# For Nfc
allow dumpstate nfc_logs_data_file:dir r_dir_perms;
allow dumpstate nfc_logs_data_file:file r_file_perms;

# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
allow dumpstate gpu_device:chr_file rw_file_perms;

# logd access
read_logd(dumpstate)
control_logd(dumpstate)
read_runtime_log_tags(dumpstate)

# Read files in /proc
allow dumpstate {
    proc_buddyinfo
    proc_cmdline
    proc_meminfo
    proc_modules
    proc_net_type
    proc_pipe_conf
    proc_pagetypeinfo
    proc_qtaguid_ctrl
    proc_qtaguid_stat
    proc_slabinfo
    proc_version
    proc_vmallocinfo
    proc_vmstat
}:file r_file_perms;

# Read network state info files.
allow dumpstate net_data_file:dir search;
allow dumpstate net_data_file:file r_file_perms;

# List sockets via ss.
allow dumpstate self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };

# Access /data/tombstones.
allow dumpstate tombstone_data_file:dir r_dir_perms;
allow dumpstate tombstone_data_file:file r_file_perms;

# Access /cache/recovery
allow dumpstate cache_recovery_file:dir r_dir_perms;
allow dumpstate cache_recovery_file:file r_file_perms;

# Access /data/misc/recovery
allow dumpstate recovery_data_file:dir r_dir_perms;
allow dumpstate recovery_data_file:file r_file_perms;

# Access /data/misc/update_engine_log
allow dumpstate update_engine_log_data_file:dir r_dir_perms;
allow dumpstate update_engine_log_data_file:file r_file_perms;

# Access /data/misc/profiles/{cur,ref}/
# Debug builds only: profile data is not collected on user builds.
userdebug_or_eng(`
    allow dumpstate { user_profile_root_file user_profile_data_file}:dir r_dir_perms;
    allow dumpstate user_profile_data_file:file r_file_perms;
')

# Access /data/misc/logd
allow dumpstate misc_logd_file:dir r_dir_perms;
allow dumpstate misc_logd_file:file r_file_perms;

# Access /data/misc/prereboot
allow dumpstate prereboot_data_file:dir r_dir_perms;
allow dumpstate prereboot_data_file:file r_file_perms;

# Directory listing only (no file read) for app fuse mounts and overlayfs.
allow dumpstate app_fuse_file:dir r_dir_perms;
allow dumpstate overlayfs_file:dir r_dir_perms;

# Look up any registered service except the ones excluded below; the
# exclusions are services dumpstate has no business reaching.
allow dumpstate {
    service_manager_type
    -apex_service
    -dumpstate_service
    -gatekeeper_service
    -virtual_touchpad_service
    -vold_service
    -vr_hwc_service
    -default_android_service
}:service_manager find;
# suppress denials for services dumpstate should not be accessing.
dontaudit dumpstate {
    apex_service
    dumpstate_service
    gatekeeper_service
    virtual_touchpad_service
    vold_service
    vr_hwc_service
}:service_manager find;

# Most of these are neverallowed.
dontaudit dumpstate hwservice_manager_type:hwservice_manager find;

allow dumpstate servicemanager:service_manager list;
allow dumpstate hwservicemanager:hwservice_manager list;

# NOTE(review): purpose of the pty read/write grant is not documented here;
# presumably for interactive output when launched from a terminal — confirm.
allow dumpstate devpts:chr_file rw_file_perms;

# Read any system properties
# (property_type is the attribute carried by every property type.)
get_prop(dumpstate, property_type)

# Access to /data/media.
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
allow dumpstate media_rw_data_file:dir getattr;
allow dumpstate proc_interrupts:file r_file_perms;
allow dumpstate proc_zoneinfo:file r_file_perms;

# Create a service for talking back to system_server
add_service(dumpstate, dumpstate_service)

# use /dev/ion for screen capture
allow dumpstate ion_device:chr_file r_file_perms;

# Allow dumpstate to run top
allow dumpstate proc_stat:file r_file_perms;

allow dumpstate proc_pressure_cpu:file r_file_perms;
allow dumpstate proc_pressure_mem:file r_file_perms;
allow dumpstate proc_pressure_io:file r_file_perms;

# Allow dumpstate to run ps
allow dumpstate proc_pid_max:file r_file_perms;

# Allow dumpstate to talk to installd over binder
binder_call(dumpstate, installd);

# Allow dumpstate to talk to iorapd over binder.
binder_call(dumpstate, iorapd)

# Allow dumpstate to run ip xfrm policy
allow dumpstate self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read };

# Allow dumpstate to run iotop
allow dumpstate self:netlink_socket create_socket_perms_no_ioctl;
# newer kernels (e.g. 4.4) have a new class for sockets
allow dumpstate self:netlink_generic_socket create_socket_perms_no_ioctl;

# Allow dumpstate to run ss
# getattr only: dumpstate can enumerate other domains' sockets but not read
# from or write to them.
allow dumpstate { domain pdx_channel_socket_type pdx_endpoint_socket_type }:socket_class_set getattr;

# Allow dumpstate to read linkerconfig directory
allow dumpstate linkerconfig_file:dir { read open };

# For when dumpstate runs df
dontaudit dumpstate {
    mnt_vendor_file
    mirror_data_file
    mnt_user_file
}:dir search;
dontaudit dumpstate {
    apex_mnt_dir
    linkerconfig_file
    mirror_data_file
    mnt_user_file
}:dir getattr;

# Allow dumpstate to talk to bufferhubd over binder
binder_call(dumpstate, bufferhubd);

# Allow dumpstate to talk to mediaswcodec over binder
binder_call(dumpstate, mediaswcodec);

# Allow dumpstate to talk to these stable AIDL services over binder
# Each triple is: dumpstate calls the server, and the server may write into a
# fifo labelled dumpstate and use a dumpstate-owned fd — presumably the pipe
# dumpstate hands it to receive the dump output (confirm against the dump
# implementation). Note the reverse direction: the server gets no other access
# to dumpstate.
binder_call(dumpstate, hal_rebootescrow_server)
allow hal_rebootescrow_server dumpstate:fifo_file write;
allow hal_rebootescrow_server dumpstate:fd use;

binder_call(dumpstate, hal_authsecret_server)
allow hal_authsecret_server dumpstate:fifo_file write;
allow hal_authsecret_server dumpstate:fd use;

binder_call(dumpstate, hal_keymint_server)
allow hal_keymint_server dumpstate:fifo_file write;
allow hal_keymint_server dumpstate:fd use;

binder_call(dumpstate, hal_memtrack_server)
allow hal_memtrack_server dumpstate:fifo_file write;
allow hal_memtrack_server dumpstate:fd use;

binder_call(dumpstate, hal_oemlock_server)
allow hal_oemlock_server dumpstate:fifo_file write;
allow hal_oemlock_server dumpstate:fd use;

binder_call(dumpstate, hal_weaver_server)
allow hal_weaver_server dumpstate:fifo_file write;
allow hal_weaver_server dumpstate:fd use;

# Access /data/misc/snapshotctl_log
allow dumpstate snapshotctl_log_data_file:dir r_dir_perms;
allow dumpstate snapshotctl_log_data_file:file r_file_perms;

# Allow access to /dev/binderfs/binder_logs
allow dumpstate binderfs_logs:dir r_dir_perms;
allow dumpstate binderfs_logs:file r_file_perms;
allow dumpstate binderfs_logs_proc:file r_file_perms;

allow dumpstate apex_info_file:file getattr;

###
### neverallow rules
###

# dumpstate has capability sys_ptrace, but should only use that capability for
# accessing sensitive /proc/PID files, never for using ptrace attach.
neverallow dumpstate *:process ptrace;

# only system_server, dumpstate, traceur_app and shell can find the dumpstate service
neverallow {
    domain
    -system_server
    -shell
    -traceur_app
    -dumpstate
} dumpstate_service:service_manager find;