Diffstat (limited to 'prebuilts/api/32.0/private/crash_dump.te')
-rw-r--r--prebuilts/api/32.0/private/crash_dump.te62
1 files changed, 62 insertions, 0 deletions
diff --git a/prebuilts/api/32.0/private/crash_dump.te b/prebuilts/api/32.0/private/crash_dump.te
new file mode 100644
index 000000000..9233a4dae
--- /dev/null
+++ b/prebuilts/api/32.0/private/crash_dump.te
@@ -0,0 +1,62 @@
+typeattribute crash_dump coredomain;
+
+# Crash dump does not need to access devices passed across exec().
+dontaudit crash_dump { devpts dev_type }:chr_file { read write };
+
+allow crash_dump {
+ domain
+ -apexd
+ -bpfloader
+ -crash_dump
+ -init
+ -kernel
+ -keystore
+ -llkd
+ -logd
+ -ueventd
+ -vendor_init
+ -vold
+}:process { ptrace signal sigchld sigstop sigkill };
+
+# TODO(b/186868271): Remove the keystore exception soon-ish (maybe by May 14, 2021?)
+userdebug_or_eng(`
+ allow crash_dump {
+ apexd
+ keystore
+ llkd
+ logd
+ vold
+ }:process { ptrace signal sigchld sigstop sigkill };
+')
+
+###
+### neverallow assertions
+###
+
+# ptrace neverallow assertions are spread throughout the other policy
+# files, so we avoid adding redundant assertions here
+
+neverallow crash_dump {
+ apexd
+ userdebug_or_eng(`-apexd')
+ bpfloader
+ init
+ kernel
+ keystore
+ userdebug_or_eng(`-keystore')
+ llkd
+ userdebug_or_eng(`-llkd')
+ logd
+ userdebug_or_eng(`-logd')
+ ueventd
+ vendor_init
+ vold
+ userdebug_or_eng(`-vold')
+}:process { signal sigstop sigkill };
+
+neverallow crash_dump self:process ptrace;
+neverallow crash_dump gpu_device:chr_file *;
+
+# Read ART APEX data directory
+allow crash_dump apex_art_data_file:dir { getattr search };
+allow crash_dump apex_art_data_file:file r_file_perms;
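Review bot: The TODO above the `userdebug_or_eng` allow block names only keystore and carries a target date (May 14, 2021) that appears to predate this API 32.0 snapshot, yet the block also grants crash_dump `ptrace signal sigchld sigstop sigkill` over apexd, llkd, logd and vold. A reader auditing debuggable builds would be better served by a comment that describes the whole exception, for example `# userdebug/eng only: crash_dump may ptrace and signal apexd, keystore, llkd, logd and vold; user builds keep them excluded from the allow rule above.`, with the bug reference kept on its own line without the expired date. It would also help to state next to the neverallow that its domain list has to be kept in step by hand with the exclusion list in the first allow rule, since the two lists differ only by `-crash_dump` and nothing visible here enforces that. As this file sits under prebuilts/api/32.0 it is presumably a frozen copy, so the wording change likely belongs in the live policy source rather than here.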