1# Copyright (c) 2022-2023 Huawei Device Co., Ltd. 2# Licensed under the Apache License, Version 2.0 (the "License"); 3# you may not use this file except in compliance with the License. 4# You may obtain a copy of the License at 5# 6# http://www.apache.org/licenses/LICENSE-2.0 7# 8# Unless required by applicable law or agreed to in writing, software 9# distributed under the License is distributed on an "AS IS" BASIS, 10# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 11# See the License for the specific language governing permissions and 12# limitations under the License. 13 14################### 15## Macro define: ## 16################### 17define(`use_processdump', ` 18 allow $1 processdump_exec:file { execute getattr map open read }; 19') 20 21define(`processdump_cmd', ` 22 allow processdump $1:file { getattr map open read }; 23') 24 25######################## 26## processdump rules: ## 27######################## 28use_processdump({ domain -init -kernel }) 29processdump_cmd({ 30 app_el1_bundle_public 31 arkcompiler_param 32 ark_writeable_param 33 chip_prod_file 34 data_app_el1_file # remove later 35 data_file 36 data_service_el1_file 37 dev_parameters_file 38 domain 39 exec_attr 40 foundation 41 sys_prod_file 42 system_bin_file 43 system_file 44 system_lib_file 45 system_usr_file 46 vendor_bin_file 47 vendor_file 48 vendor_lib_file 49}) 50 51#============= domain ================= 52allow domain processdump:process { share sigchld }; 53allow domain self:fifo_file { write }; 54allow domain system_bin_file:dir { search }; 55allow processdump { domain -processdump -kernel }:process { ptrace sigstop }; 56allow processdump domain:fd use; 57allow processdump domain:fifo_file { read write }; 58allow processdump domain:dir { getattr open read search }; 59allow processdump domain:lnk_file { read }; 60 61#============= write event to hiview ========= 62allow processdump hiview:binder { call transfer }; 63allow processdump samgr:binder { call }; 64allow processdump hiview:unix_dgram_socket { sendto }; 65 66#============= for faultloggerd =========== 67allow processdump faultloggerd_temp_file:file { getattr open read write }; 68allow processdump faultloggerd:fd { use }; 69allow processdump faultloggerd:unix_stream_socket { connectto }; 70allow processdump faultloggerd_socket:sock_file write; 71 72#============= processdump ============== 73allow processdump processdump_exec:file { entrypoint }; 74allow processdump processdump:process { fork }; 75allow processdump processdump:dir { search }; 76allow processdump processdump:lnk_file { read }; 77allow processdump processdump:unix_dgram_socket { create connect write }; 78allow processdump processdump:unix_stream_socket { create setopt connect write read }; 79allow processdump data_local_arkcache:file { getattr open read map }; 80allow processdump data_local_arkcache:dir { search }; 81allow processdump data_local_tmp:file { getattr map open read }; 82 83developer_only(` 84allow processdump data_local_tmp:dir { search }; 85allow processdump data_local:dir { search }; 86') 87 88#============ hidumper ============== 89allow processdump hidumper_service:fifo_file ioctl; 90 91#============ normal_hap ================= 92allow processdump normal_hap_attr:dir { getattr open read search }; 93allow processdump normal_hap_attr:file { getattr open read }; 94allow processdump app_el1_bundle_public:dir search; 95allow processdump data_app_el1_file:dir search; # remove later 96 97#============ hap_domain ================ 98allow processdump hap_domain:lnk_file { read }; 99 100#============= for hdcd ================ 101allow processdump hdcd:fd use; 102allow processdump hdcd:fifo_file { read write }; 103allow processdump hdcd:file { getattr open read }; 104allow processdump hdcd:process ptrace; 105allow processdump hdcd:unix_stream_socket { read write }; 106 107#============= devpts && tty =========== 108allow processdump devpts:chr_file { read write }; 109allow processdump tty_device:chr_file { read write }; 110 111#============= init ================ 112allow processdump init:dir { getattr open read search }; 113allow processdump init:file { getattr open read }; 114allow processdump init:netlink_kobject_uevent_socket { read write }; 115allow processdump init:unix_dgram_socket { sendto }; 116allow processdump init:unix_stream_socket { read write connectto }; 117 118#============ foundation =========== 119allow processdump foundation:dir { getattr open read search }; 120allow processdump foundation:binder { call transfer }; 121allow processdump sa_foundation_abilityms:samgr_class { get }; 122 123#============ data_xxx ================== 124allow processdump data_file:dir search; 125allow processdump data_init_agent:file { append ioctl open read }; 126allow processdump data_init_agent:dir search; 127 128#============ dev_xxx =================== 129allow processdump dev_file:dir { search }; 130allow processdump dev_null_file:chr_file { read write }; 131allow processdump dev_parameters_file:dir { search }; 132allow processdump dev_unix_file:dir { search }; 133allow processdump dev_unix_socket:dir search; 134allow processdump dev_unix_socket:sock_file write; 135 136#============ sys_xxx ================= 137allow processdump sys_prod_file:dir { search }; 138 139#============ system_xxx ================= 140allow processdump system_bin_file:dir search; 141allow processdump system_etc_file:dir { getattr open read search }; 142allow processdump system_etc_file:file { getattr open read }; 143allow processdump system_file:dir { search }; 144allow processdump system_lib_file:dir { search }; 145allow processdump system_usr_file:dir { search }; 146 147#============ vendor_xxx ================= 148allow processdump vendor_file:dir { getattr open read search }; 149allow processdump vendor_bin_file:dir search; 150allow processdump vendor_lib_file:dir search; 151 152#============ proc_file & tmpfs & debugfs =================== 153allow processdump proc_file:dir { search }; 154allow processdump proc_file:lnk_file { read }; 155allow processdump tmpfs:dir { search }; 156allow processdump tmpfs:lnk_file { read }; 157allow processdump debugfs:dir { search }; 158 159#============ chip_prod_file =================== 160allow processdump chip_prod_file:dir { search }; 161 162############################ 163## neverallow assertions: ## 164############################ 165neverallow processdump self:process ptrace; 166neverallow domain processdump:process noatsecure; 167neverallow domain processdump_exec:file execute_no_trans; 168 169allow processdump hiviewdfx_hiview_param:file { map open read }; 170 171allow processdump dev_bbox:chr_file { ioctl open write }; 172allowxperm processdump dev_bbox:chr_file ioctl 0xab09; 173