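typeattribute dumpstate coredomain;
type dumpstate_tmpfs, file_type;

init_daemon_domain(dumpstate)

# Execute and transition to the vdc domain
domain_auto_trans(dumpstate, vdc_exec, vdc)

# Create tmpfs files for using memfd descriptors to get output from child
# processes.
tmpfs_domain(dumpstate)

# Acquire advisory lock on /system/etc/xtables.lock from ip[6]tables
allow dumpstate system_file:file lock;

# storaged is executed without a domain transition (contrast vdc above), so it
# runs under dumpstate's own label with dumpstate's privileges.
allow dumpstate storaged_exec:file rx_file_perms;

# /data/misc/a11ytrace for accessibility traces (debuggable builds only)
userdebug_or_eng(`
  allow dumpstate accessibility_trace_data_file:dir r_dir_perms;
  allow dumpstate accessibility_trace_data_file:file r_file_perms;
')

# /data/misc/wmtrace for wm traces (debuggable builds only)
userdebug_or_eng(`
  allow dumpstate wm_trace_data_file:dir r_dir_perms;
  allow dumpstate wm_trace_data_file:file r_file_perms;
')

# /data/system/dropbox for dropbox entries (debuggable builds only)
userdebug_or_eng(`
  allow dumpstate dropbox_data_file:dir r_dir_perms;
  allow dumpstate dropbox_data_file:file r_file_perms;
')

# Allow dumpstate to make binder calls to incidentd
binder_call(dumpstate, incidentd)

# Kill incident in case of a timeout
allow dumpstate incident:process { signal sigkill };

# Allow dumpstate to make binder calls to storaged service
binder_call(dumpstate, storaged)

# Allow dumpstate to make binder calls to statsd
binder_call(dumpstate, statsd)

# Allow dumpstate to talk to gpuservice over binder
binder_call(dumpstate, gpuservice)

# Allow dumpstate to talk to idmap over binder
binder_call(dumpstate, idmap)

# Allow dumpstate to talk to profcollectd over binder (debuggable builds only)
userdebug_or_eng(`
  binder_call(dumpstate, profcollectd)
')

# Allow dumpstate to talk to automotive_display_service over binder
binder_call(dumpstate, automotive_display_service)

# Allow dumpstate to talk to virtual_camera service over binder
binder_call(dumpstate, virtual_camera)

# Allow dumpstate to talk to ot_daemon service over binder
binder_call(dumpstate, ot_daemon)

# Collect metrics on boot time created by init
get_prop(dumpstate, boottime_prop)

get_prop(dumpstate, misctrl_prop)

# Signal native processes to dump their stack.
allow dumpstate {
  mediatranscoding
  statsd
  netd
  virtual_camera
  ot_daemon
}:process signal;

# Only allow dumpstate to dump Keystore on debuggable builds. On user builds the
# signal is denied; the dontaudit just keeps that expected denial out of the
# audit log.
userdebug_or_eng(`
  allow dumpstate keystore:process signal;
')
dontaudit dumpstate keystore:process { signal };

# For collecting bugreports.
no_debugfs_restriction(`
  allow dumpstate debugfs_wakeup_sources:file r_file_perms;
')

allow dumpstate dev_type:blk_file getattr;
allow dumpstate webview_zygote:process signal;
allow dumpstate sysfs_dmabuf_stats:file r_file_perms;
dontaudit dumpstate update_engine:binder call;

# Read files in /proc
allow dumpstate {
  config_gz
  proc_net_tcp_udp
  proc_pid_max
}:file r_file_perms;

# For communicating with the system process to do confirmation ui.
binder_call(dumpstate, incidentcompanion_service)

# Set properties.
# dumpstate_prop is used to share state with the Shell app.
set_prop(dumpstate, dumpstate_prop)
set_prop(dumpstate, exported_dumpstate_prop)

# dumpstate_options_prop is used to pass extra command-line args.
set_prop(dumpstate, dumpstate_options_prop)

# Allow dumpstate to kill vendor dumpstate service by init
set_prop(dumpstate, ctl_dumpstate_prop)

# For dumping dynamic partition information.
set_prop(dumpstate, lpdumpd_prop)
binder_call(dumpstate, lpdumpd)

# For dumping hypervisor information.
get_prop(dumpstate, hypervisor_prop)

# For dumping device-mapper and snapshot information. gsid, like storaged
# above, is executed in dumpstate's own domain (no domain_auto_trans).
allow dumpstate gsid_exec:file rx_file_perms;
set_prop(dumpstate, ctl_gsid_prop)
binder_call(dumpstate, gsid)

# Allow access to /dev/binderfs/binder_logs. The per-transaction log is only
# readable on debuggable builds; the denial is silenced on user builds.
userdebug_or_eng(`
  allow dumpstate binderfs_logs_transactions:file r_file_perms;
')
dontaudit dumpstate binderfs_logs_transactions:file r_file_perms;
allow dumpstate binderfs_logs_transaction_history:file r_file_perms;

r_dir_file(dumpstate, ota_metadata_file)

# For starting (and killing) perfetto --save-for-bugreport. If a labelled trace
# is being recorded, the command above will serialize it into
# /data/misc/perfetto-traces/bugreport/*.pftrace . dumpstate only needs search
# on the parent traces dir, and read/unlink on the bugreport subdir.
domain_auto_trans(dumpstate, perfetto_exec, perfetto)
allow dumpstate perfetto:process signal;
allow dumpstate perfetto_traces_data_file:dir { search };
allow dumpstate perfetto_traces_bugreport_data_file:dir rw_dir_perms;
allow dumpstate perfetto_traces_bugreport_data_file:file { r_file_perms unlink };

# When exec-ing /system/bin/perfetto, dumpstate redirects stdio to /dev/null
# (which is labelled as dumpstate_tmpfs) to avoid leaking a FD to the bugreport
# zip file. These rules are to allow perfetto.te to inherit dumpstate's
# /dev/null.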
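allow perfetto dumpstate_tmpfs:file rw_file_perms;
allow perfetto dumpstate:fd use;

# system_dlkm_file for /system_dlkm partition
allow dumpstate system_dlkm_file:dir getattr;

# Allow dumpstate to execute derive_sdk in its own domain
domain_auto_trans(dumpstate, derive_sdk_exec, derive_sdk)

net_domain(dumpstate)
binder_use(dumpstate)
wakelock_use(dumpstate)

# Allow setting process priority, protect from OOM killer, and dropping
# privileges by switching UID / GID
allow dumpstate self:global_capability_class_set { setuid setgid sys_resource };

# Allow dumpstate to scan through /proc/pid for all processes
r_dir_file(dumpstate, domain)

allow dumpstate self:global_capability_class_set {
  # Send signals to processes
  kill
  # Run iptables
  net_raw
  net_admin
};

# Allow executing files on system, such as:
# /system/bin/toolbox
# /system/bin/logcat
# /system/bin/dumpsys
# These run in dumpstate's own domain (execute_no_trans); only the tools with
# an explicit domain_auto_trans in this file (vdc, perfetto, derive_sdk) get
# their own label.
allow dumpstate system_file:file execute_no_trans;
not_full_treble(`allow dumpstate vendor_file:file execute_no_trans;')
allow dumpstate toolbox_exec:file rx_file_perms;

# hidl searches for files in /system/lib(64)/hw/
allow dumpstate system_file:dir r_dir_perms;

# Create and write into /data/anr/
# NOTE: dac_override / dac_read_search are process-wide capabilities, not
# scoped to /data/anr; the allow rules in this file remain the effective
# boundary for what dumpstate can touch.
allow dumpstate self:global_capability_class_set { dac_override dac_read_search chown fowner fsetid };
allow dumpstate anr_data_file:dir rw_dir_perms;
allow dumpstate anr_data_file:file create_file_perms;

# Allow reading /data/system/uiderrors.txt
# TODO: scope this down -- this grants read on every system_data_file file,
# not just uiderrors.txt.
allow dumpstate system_data_file:file r_file_perms;

# Allow dumpstate to append into apps' private files.
# Only append is granted (no open/read/write), so this is limited to
# descriptors dumpstate is handed rather than files it opens itself.
allow dumpstate app_data_file_type:file append;

# Read dmesg
allow dumpstate self:global_capability2_class_set syslog;
allow dumpstate kernel:system syslog_read;

# Read /sys/fs/pstore/console-ramoops
allow dumpstate pstorefs:dir r_dir_perms;
allow dumpstate pstorefs:file r_file_perms;

# Get process attributes
allow dumpstate domain:process getattr;

# Signal java processes to dump their stack
allow dumpstate { appdomain system_server zygote app_zygote }:process signal;

# Signal native processes to dump their stack.
allow dumpstate {
  # This list comes from native_processes_to_dump in dumputils/dump_utils.c
  audioserver
  cameraserver
  drmserver
  inputflinger
  mediadrmserver
  mediaextractor
  mediametrics
  mediaserver
  mediaswcodec
  sdcardd
  surfaceflinger
  vold

  # This list comes from hal_interfaces_to_dump in dumputils/dump_utils.c
  evsmanagerd
  hal_audio_server
  hal_audiocontrol_server
  hal_bluetooth_server
  hal_broadcastradio_server
  hal_camera_server
  hal_codec2_server
  hal_drm_server
  hal_evs_server
  hal_face_server
  hal_fingerprint_server
  hal_graphics_allocator_server
  hal_graphics_composer_server
  hal_health_server
  hal_input_processor_server
  hal_neuralnetworks_server
  hal_omx_server
  hal_power_server
  hal_power_stats_server
  hal_sensors_server
  hal_thermal_server
  hal_vehicle_server
  hal_vr_server
  system_suspend_server
}:process signal;

# Connect to tombstoned to intercept dumps.
unix_socket_connect(dumpstate, tombstoned_intercept, tombstoned)

# Access to /sys
allow dumpstate sysfs_type:dir r_dir_perms;

allow dumpstate {
  sysfs_devices_block
  sysfs_dm
  sysfs_loop
  sysfs_usb
  sysfs_zram
}:file r_file_perms;

# Ignore other file access under /sys.
dontaudit dumpstate sysfs:file r_file_perms;

# Other random bits of data we want to collect. The auditallow logs every
# generic debugfs read so new dependencies on debugfs show up in the audit
# log instead of silently growing.
no_debugfs_restriction(`
  allow dumpstate debugfs:file r_file_perms;
  auditallow dumpstate debugfs:file r_file_perms;

  allow dumpstate debugfs_mmc:file r_file_perms;
')

# For running df: stat and traverse the mount points it reports on.
allow dumpstate {
  block_device
  cache_file
  metadata_file
  rootfs
  selinuxfs
  storage_file
  tmpfs
}:dir { search getattr };
allow dumpstate fuse_device:chr_file getattr;
allow dumpstate { dm_device cache_block_device }:blk_file getattr;
allow dumpstate { cache_file rootfs }:lnk_file { getattr read };

# Read /dev/cpuctl and /dev/cpuset
r_dir_file(dumpstate, cgroup)
r_dir_file(dumpstate, cgroup_v2)

# Allow dumpstate to make binder calls to any binder service. This is broad by
# design (dumpsys), so the service_manager find rules further down are what
# actually limit which services dumpstate can reach.
binder_call(dumpstate, binderservicedomain)
binder_call(dumpstate, { appdomain artd netd wificond })

# Allow dumpstate to call dump() on specific hals.
dump_hal(hal_audio)
dump_hal(hal_audiocontrol)
dump_hal(hal_authgraph)
dump_hal(hal_authsecret)
dump_hal(hal_bluetooth)
dump_hal(hal_broadcastradio)
dump_hal(hal_camera)
dump_hal(hal_codec2)
dump_hal(hal_contexthub)
dump_hal(hal_drm)
dump_hal(hal_dumpstate)
dump_hal(hal_evs)
dump_hal(hal_face)
dump_hal(hal_fingerprint)
dump_hal(hal_gnss)
dump_hal(hal_graphics_allocator)
dump_hal(hal_graphics_composer)
dump_hal(hal_health)
dump_hal(hal_identity)
dump_hal(hal_input_processor)
dump_hal(hal_keymint)
dump_hal(hal_light)
dump_hal(hal_memtrack)
dump_hal(hal_neuralnetworks)
dump_hal(hal_nfc)
dump_hal(hal_oemlock)
dump_hal(hal_power)
dump_hal(hal_power_stats)
dump_hal(hal_rebootescrow)
dump_hal(hal_secretkeeper)
dump_hal(hal_sensors)
dump_hal(hal_thermal)
dump_hal(hal_vehicle)
dump_hal(hal_weaver)
dump_hal(hal_wifi)

# Vibrate the device after we are done collecting the bugreport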
hal_client_domain(dumpstate, hal_vibrator)

# sys_ptrace is needed to read /proc/PID/maps of other processes. A real
# ptrace attach is separately forbidden by the neverallow at the end of this
# file.
allow dumpstate self:global_capability_class_set sys_ptrace;

# The bugreport itself is written into the Shell app's private data:
# /data/data/com.android.shell/files/bugreports/bugreport
allow dumpstate shell_data_file:dir create_dir_perms;
allow dumpstate shell_data_file:file create_file_perms;

# Helpers executed in dumpstate's own domain: a shell, and
# /system/bin/app_process for running am and similar framework commands.
allow dumpstate { shell_exec zygote_exec }:file rx_file_perms;

# Bluetooth, NFC and UWB logs: traverse the parent directories, read the logs.
allow dumpstate {
  bluetooth_data_file
  apex_module_data_file
  apex_system_server_data_file
}:dir search;
allow dumpstate {
  bluetooth_logs_data_file
  nfc_logs_data_file
  apex_uwb_data_file
}:dir r_dir_perms;
allow dumpstate {
  bluetooth_logs_data_file
  nfc_logs_data_file
  apex_uwb_data_file
}:file r_file_perms;

# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access
allow dumpstate gpu_device:chr_file rw_file_perms;
allow dumpstate gpu_device:dir r_dir_perms;

# logd access
read_logd(dumpstate)
control_logd(dumpstate)
read_runtime_log_tags(dumpstate)

# Read files in /proc
allow dumpstate {
  proc_bootconfig
  proc_buddyinfo
  proc_cmdline
  proc_meminfo
  proc_modules
  proc_net_type
  proc_pipe_conf
  proc_pagetypeinfo
  proc_qtaguid_ctrl
  proc_qtaguid_stat
  proc_slabinfo
  proc_version
  proc_vmallocinfo
  proc_vmstat
}:file r_file_perms;

# Read network state info files.
allow dumpstate net_data_file:dir search;
allow dumpstate net_data_file:file r_file_perms;

# List sockets via ss (no ioctl on the diag socket).
allow dumpstate self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };

# Read-only access to on-disk logs and state collected into the report:
#   tombstone_data_file           /data/tombstones
#   cache_recovery_file           /cache/recovery
#   recovery_data_file            /data/misc/recovery
#   update_engine_data_file       /data/misc/update_engine
#   update_engine_log_data_file   /data/misc/update_engine_log
#   snapuserd_log_data_file       /data/misc/snapuserd_log
#   misc_logd_file                /data/misc/logd
#   prereboot_data_file           /data/misc/prereboot
allow dumpstate {
  tombstone_data_file
  cache_recovery_file
  recovery_data_file
  update_engine_data_file
  update_engine_log_data_file
  snapuserd_log_data_file
  misc_logd_file
  prereboot_data_file
}:dir r_dir_perms;
allow dumpstate {
  tombstone_data_file
  cache_recovery_file
  recovery_data_file
  update_engine_data_file
  update_engine_log_data_file
  snapuserd_log_data_file
  misc_logd_file
  prereboot_data_file
}:file r_file_perms;

# /data/misc/profiles/{cur,ref}/ -- debuggable builds only.
userdebug_or_eng(`
  allow dumpstate { user_profile_root_file user_profile_data_file }:dir r_dir_perms;
  allow dumpstate user_profile_data_file:file r_file_perms;
')

# Directory listing only (no file reads) on app fuse and overlayfs mounts.
allow dumpstate { app_fuse_file overlayfs_file }:dir r_dir_perms;

# dumpstate may look up every binder service except the ones excluded here.
allow dumpstate {
  service_manager_type
  -apex_service
  -dumpstate_service
  -gatekeeper_service
  -hal_service_type
  -virtual_touchpad_service
  -vold_service
  -default_android_service
}:service_manager find;
# suppress denials for services dumpstate should not be accessing.
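dontaudit dumpstate {
  apex_service
  dumpstate_service
  gatekeeper_service
  hal_service_type
  virtual_touchpad_service
  vold_service
}:service_manager find;

# Most of these are neverallowed.
dontaudit dumpstate hwservice_manager_type:hwservice_manager find;

allow dumpstate servicemanager:service_manager list;
allow dumpstate hwservicemanager:hwservice_manager list;

allow dumpstate devpts:chr_file rw_file_perms;

# Read any system properties. Anything stored in a property can therefore end
# up in a bugreport; keep secrets out of properties rather than relying on
# per-domain property restrictions to hide them from dumpstate.
get_prop(dumpstate, property_type)

# Access to /data/media.
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
allow dumpstate media_rw_data_file:dir getattr;
allow dumpstate proc_interrupts:file r_file_perms;
allow dumpstate proc_zoneinfo:file r_file_perms;

# Create a service for talking back to system_server
add_service(dumpstate, dumpstate_service)

# use /dev/ion for screen capture
allow dumpstate ion_device:chr_file r_file_perms;

# Allow dumpstate to run top
allow dumpstate proc_stat:file r_file_perms;

allow dumpstate proc_pressure_cpu:file r_file_perms;
allow dumpstate proc_pressure_mem:file r_file_perms;
allow dumpstate proc_pressure_io:file r_file_perms;

# ps needs proc_pid_max; that read is already granted with the other /proc
# files earlier in this file, so it is not repeated here.

# Allow dumpstate to talk to installd over binder
binder_call(dumpstate, installd)

# Allow dumpstate to run ip xfrm policy
allow dumpstate self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read };

# Allow dumpstate to run iotop
allow dumpstate self:netlink_socket create_socket_perms_no_ioctl;
# newer kernels (e.g. 4.4) have a new class for sockets
allow dumpstate self:netlink_generic_socket create_socket_perms_no_ioctl;

# Allow dumpstate to run ss
allow dumpstate { domain pdx_channel_socket_type pdx_endpoint_socket_type }:socket_class_set getattr;

# Allow dumpstate to read linkerconfig directory
allow dumpstate linkerconfig_file:dir { read open };

# For when dumpstate runs df: silence the expected denials on mount points it
# is not meant to inspect.
dontaudit dumpstate {
  mnt_vendor_file
  mirror_data_file
  mnt_user_file
  mnt_product_file
}:dir search;
dontaudit dumpstate {
  apex_mnt_dir
  linkerconfig_file
  mirror_data_file
  mnt_user_file
}:dir getattr;

# Allow dumpstate to talk to bufferhubd over binder
binder_call(dumpstate, bufferhubd)

# Allow dumpstate to talk to mediaswcodec over binder
binder_call(dumpstate, mediaswcodec)

# Access /data/misc/snapshotctl_log
allow dumpstate snapshotctl_log_data_file:dir r_dir_perms;
allow dumpstate snapshotctl_log_data_file:file r_file_perms;

# Allow access to /dev/binderfs/binder_logs
allow dumpstate binderfs_logs:dir r_dir_perms;
allow dumpstate binderfs_logs:file r_file_perms;
allow dumpstate binderfs_logs_proc:file r_file_perms;
allow dumpstate binderfs_logs_stats:file r_file_perms;

use_apex_info(dumpstate)

# Allow reading files under /data/system/shutdown-checkpoints/
allow dumpstate shutdown_checkpoints_system_data_file:dir r_dir_perms;
allow dumpstate shutdown_checkpoints_system_data_file:file r_file_perms;

###
### neverallow rules
###

# dumpstate has capability sys_ptrace, but should only use that capability for
# accessing sensitive /proc/PID files, never for using ptrace attach.
neverallow dumpstate *:process ptrace;

# only system_server, dumpstate, traceur_app and shell can find the dumpstate
# service; this is what keeps arbitrary apps from triggering or reading a
# bugreport through it.
neverallow {
  domain
  -system_server
  -shell
  -traceur_app
  -dumpstate
} dumpstate_service:service_manager find;

# only dumpstate, system_server and related others may access apex_uwb_data_file
neverallow {
  domain
  -dumpstate
  -system_server
  -apexd
  -init
  -vold_prepare_subdirs
} apex_uwb_data_file:dir no_rw_file_perms;
neverallow {
  domain
  -dumpstate
  -system_server
  -apexd
  -init
  -vold_prepare_subdirs
} apex_uwb_data_file:file no_rw_file_perms;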