Nick Kralevich | 09e6abd | 2013-12-13 22:19:45 -0800 | 1 | # dumpstate |
| | # Declares the dumpstate domain and the type of its executable, then lists |
| | # the access dumpstate needs while collecting a bugreport. |
| 2 | type dumpstate, domain; |
| | # NOTE(review): a permissive domain is not enforced. SELinux logs the |
| | # denials for dumpstate but still lets the access through, so the allow |
| | # rules below only describe the intended access until this line is removed. |
| 3 | permissive dumpstate; |
| 4 | type dumpstate_exec, exec_type, file_type; |
| 5 | |
| | # These macros are defined outside this file. Going by their names they set |
| | # up the transition from init, network access, relabeling and binder use; |
| | # confirm against the macro definitions. |
| 6 | init_daemon_domain(dumpstate) |
| 7 | net_domain(dumpstate) |
| 8 | relabelto_domain(dumpstate) |
| 9 | binder_use(dumpstate) |
| 10 | |
| 11 | # Drop privileges by switching UID / GID |
| 12 | allow dumpstate self:capability { setuid setgid }; |
| 13 | |
| 14 | # Allow dumpstate to scan through /proc/pid for all processes |
| | # ("domain" is the attribute every process type carries, see line 2). |
| 15 | r_dir_file(dumpstate, domain) |
| 16 | |
| 17 | # Send signals to processes |
| | # The kill capability lifts the kernel's sender/target UID check; which |
| | # domains may actually be signalled is set by the process:signal rules below. |
| 18 | allow dumpstate self:capability kill; |
| 19 | |
| 20 | # Allow executing files on system, such as: |
| 21 | # /system/bin/toolbox |
| 22 | # /system/bin/logcat |
| 23 | # /system/bin/dumpsys |
| | # execute_no_trans: the program runs without a domain transition, i.e. it |
| | # stays in the dumpstate domain and has every permission granted in this file. |
| 24 | allow dumpstate system_file:file execute_no_trans; |
| 25 | |
| 26 | # Create and write into /data/anr/ |
| | # The four capabilities are process-wide overrides of ownership and mode |
| | # checks, not limited to /data/anr; the type rules below are what bound the |
| | # targets once the domain is enforcing. |
| | # NOTE(review): relabelfrom on system_data_file plus relabelto on |
| | # anr_data_file presumably lets dumpstate create the directory and then |
| | # relabel it; confirm against dumpstate's code. |
| 27 | allow dumpstate self:capability { dac_override chown fowner fsetid }; |
| 28 | allow dumpstate anr_data_file:dir { rw_dir_perms relabelto }; |
| 29 | allow dumpstate anr_data_file:file create_file_perms; |
| 30 | allow dumpstate system_data_file:dir { create_dir_perms relabelfrom }; |
| 31 | |
| 32 | # Allow reading /data/system/uiderrors.txt |
| 33 | # TODO: scope this down. |
| | # As written the rule grants read on every file labelled system_data_file, |
| | # not only uiderrors.txt. |
| 34 | allow dumpstate system_data_file:file r_file_perms; |
| 35 | |
| 36 | # Read dmesg |
| 37 | allow dumpstate self:capability2 syslog; |
| 38 | allow dumpstate kernel:system syslog_read; |
| 39 | |
| 40 | # Get process attributes |
| 41 | allow dumpstate domain:process getattr; |
| 42 | |
| 43 | # Signal java processes to dump their stack |
| 44 | allow dumpstate { appdomain system_server }:process signal; |
| 45 | |
| 46 | # Signal native processes to dump their stack. |
| 47 | # This list comes from native_processes_to_dump in dumpstate/utils.c |
| | # Keep the two lists in sync when either one changes. |
| 48 | allow dumpstate { drmserver mediaserver sdcardd surfaceflinger }:process signal; |
| 49 | |
| 50 | # The /system/bin/ip command needs this for routing table information. |
| 51 | allow dumpstate self:netlink_route_socket { write getattr setopt }; |
| 52 | |
| 53 | # The vdc command needs to talk to the vold socket. |
| 54 | unix_socket_connect(dumpstate, vold, vold) |
| 55 | |
| 56 | # Vibrate the device after we're done collecting the bugreport |
| 57 | # /sys/class/timed_output/vibrator/enable |
| 58 | # TODO: create a new file class, instead of allowing write access to all of /sys |
| | # Until then the rule grants write on every file labelled sysfs, not only |
| | # the vibrator node. |
| 59 | allow dumpstate sysfs:file w_file_perms; |
| 60 | |
| 61 | # Other random bits of data we want to collect |
| 62 | allow dumpstate qtaguid_proc:file r_file_perms; |
| 63 | allow dumpstate debugfs:file r_file_perms; |
| 64 | |
| 65 | # Allow dumpstate to make binder calls to any binder service |
| | # and, through the second rule, to any domain in appdomain. |
| 66 | binder_call(dumpstate, binderservicedomain) |
| 67 | binder_call(dumpstate, appdomain) |
| 68 | |
| 69 | # Reading /proc/PID/maps of other processes |
| | # NOTE(review): sys_ptrace is broader than reading maps. No rule visible in |
| | # this file grants process:ptrace on other domains; confirm that the macros |
| | # used above do not add it before the domain is made enforcing. |
| 70 | allow dumpstate self:capability sys_ptrace; |