blame | history | raw
huangcm
2025-09-01 53d8e046ac1bf2ebe94f671983e3d3be059df91a 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322

# dumpstate


type dumpstate, domain, mlstrustedsubject;


type dumpstate_exec, system_file_type, exec_type, file_type;


 


net_domain(dumpstate)


binder_use(dumpstate)


wakelock_use(dumpstate)


 


# Allow setting process priority, protect from OOM killer, and dropping


# privileges by switching UID / GID


allow dumpstate self:global_capability_class_set { setuid setgid sys_resource };


 


# Allow dumpstate to scan through /proc/pid for all processes


r_dir_file(dumpstate, domain)


 


allow dumpstate self:global_capability_class_set {


    # Send signals to processes


    kill


    # Run iptables


    net_raw


    net_admin


};


 


# Allow executing files on system, such as:


#   /system/bin/toolbox


#   /system/bin/logcat


#   /system/bin/dumpsys


allow dumpstate system_file:file execute_no_trans;


not_full_treble(`allow dumpstate vendor_file:file execute_no_trans;')


allow dumpstate toolbox_exec:file rx_file_perms;


 


# hidl searches for files in /system/lib(64)/hw/


allow dumpstate system_file:dir r_dir_perms;


 


# Create and write into /data/anr/


allow dumpstate self:global_capability_class_set { dac_override dac_read_search chown fowner fsetid };


allow dumpstate anr_data_file:dir rw_dir_perms;


allow dumpstate anr_data_file:file create_file_perms;


 


# Allow reading /data/system/uiderrors.txt


# TODO: scope this down.


allow dumpstate system_data_file:file r_file_perms;


 


# Allow dumpstate to append into privileged apps private files.


allow dumpstate privapp_data_file:file append;


 


# Read dmesg


allow dumpstate self:global_capability2_class_set syslog;


allow dumpstate kernel:system syslog_read;


 


# Read /sys/fs/pstore/console-ramoops


allow dumpstate pstorefs:dir r_dir_perms;


allow dumpstate pstorefs:file r_file_perms;


 


# Get process attributes


allow dumpstate domain:process getattr;


 


# Signal java processes to dump their stack


allow dumpstate { appdomain system_server zygote }:process signal;


 


# Signal native processes to dump their stack.


allow dumpstate {


  # This list comes from native_processes_to_dump in dumputils/dump_utils.c


  audioserver


  cameraserver


  drmserver


  inputflinger


  mediadrmserver


  mediaextractor


  mediametrics


  mediaserver


  mediaswcodec


  sdcardd


  surfaceflinger


  vold


 


  # This list comes from hal_interfaces_to_dump in dumputils/dump_utils.c


  hal_audio_server


  hal_bluetooth_server


  hal_camera_server


  hal_codec2_server


  hal_drm_server


  hal_face_server


  hal_graphics_allocator_server


  hal_graphics_composer_server


  hal_health_server


  hal_omx_server


  hal_power_server


  hal_power_stats_server


  hal_sensors_server


  hal_thermal_server


  hal_vr_server


}:process signal;


 


# Connect to tombstoned to intercept dumps.


unix_socket_connect(dumpstate, tombstoned_intercept, tombstoned)


 


# Access to /sys


allow dumpstate sysfs_type:dir r_dir_perms;


 


allow dumpstate {


  sysfs_devices_block


  sysfs_dm


  sysfs_loop


  sysfs_usb


  sysfs_zram


}:file r_file_perms;


 


# Other random bits of data we want to collect


allow dumpstate debugfs:file r_file_perms;


auditallow dumpstate debugfs:file r_file_perms;


 


allow dumpstate debugfs_mmc:file r_file_perms;


 


# df for


allow dumpstate {


  block_device


  cache_file


  metadata_file


  rootfs


  selinuxfs


  storage_file


  tmpfs


}:dir { search getattr };


allow dumpstate fuse_device:chr_file getattr;


allow dumpstate { dm_device cache_block_device }:blk_file getattr;


allow dumpstate { cache_file rootfs }:lnk_file { getattr read };


 


# Read /dev/cpuctl and /dev/cpuset


r_dir_file(dumpstate, cgroup)


 


# Allow dumpstate to make binder calls to any binder service


binder_call(dumpstate, binderservicedomain)


binder_call(dumpstate, { appdomain netd wificond })


 


hal_client_domain(dumpstate, hal_dumpstate)


hal_client_domain(dumpstate, hal_wifi)


hal_client_domain(dumpstate, hal_graphics_allocator)


# Vibrate the device after we are done collecting the bugreport


hal_client_domain(dumpstate, hal_vibrator)


 


# Reading /proc/PID/maps of other processes


allow dumpstate self:global_capability_class_set sys_ptrace;


 


# Allow the bugreport service to create a file in


# /data/data/com.android.shell/files/bugreports/bugreport


allow dumpstate shell_data_file:dir create_dir_perms;


allow dumpstate shell_data_file:file create_file_perms;


 


# Run a shell.


allow dumpstate shell_exec:file rx_file_perms;


 


# For running am and similar framework commands.


# Run /system/bin/app_process.


allow dumpstate zygote_exec:file rx_file_perms;


 


# For Bluetooth


allow dumpstate bluetooth_data_file:dir search;


allow dumpstate bluetooth_logs_data_file:dir r_dir_perms;


allow dumpstate bluetooth_logs_data_file:file r_file_perms;


 


# Dumpstate calls screencap, which grabs a screenshot. Needs gpu access


allow dumpstate gpu_device:chr_file rw_file_perms;


 


# logd access


read_logd(dumpstate)


control_logd(dumpstate)


read_runtime_log_tags(dumpstate)


 


# Read files in /proc


allow dumpstate {


  proc_buddyinfo


  proc_cmdline


  proc_meminfo


  proc_modules


  proc_net_type


  proc_pipe_conf


  proc_pagetypeinfo


  proc_qtaguid_ctrl


  proc_qtaguid_stat


  proc_slabinfo


  proc_version


  proc_vmallocinfo


  proc_vmstat


}:file r_file_perms;


 


# Read network state info files.


allow dumpstate net_data_file:dir search;


allow dumpstate net_data_file:file r_file_perms;


 


# List sockets via ss.


allow dumpstate self:netlink_tcpdiag_socket { create_socket_perms_no_ioctl nlmsg_read };


 


# Access /data/tombstones.


allow dumpstate tombstone_data_file:dir r_dir_perms;


allow dumpstate tombstone_data_file:file r_file_perms;


 


# Access /cache/recovery


allow dumpstate cache_recovery_file:dir r_dir_perms;


allow dumpstate cache_recovery_file:file r_file_perms;


 


# Access /data/misc/recovery


allow dumpstate recovery_data_file:dir r_dir_perms;


allow dumpstate recovery_data_file:file r_file_perms;


 


#Access /data/misc/update_engine_log


allow dumpstate update_engine_log_data_file:dir r_dir_perms;


allow dumpstate update_engine_log_data_file:file r_file_perms;


 


# Access /data/misc/profiles/{cur,ref}/


userdebug_or_eng(`


  allow dumpstate user_profile_data_file:dir r_dir_perms;


  allow dumpstate user_profile_data_file:file r_file_perms;


')


 


# Access /data/misc/logd


userdebug_or_eng(`


  allow dumpstate misc_logd_file:dir r_dir_perms;


  allow dumpstate misc_logd_file:file r_file_perms;


')


 


allow dumpstate app_fuse_file:dir r_dir_perms;


allow dumpstate overlayfs_file:dir r_dir_perms;


 


allow dumpstate {


  service_manager_type


  -apex_service


  -dumpstate_service


  -gatekeeper_service


  -iorapd_service


  -virtual_touchpad_service


  -vold_service


  -vr_hwc_service


}:service_manager find;


# suppress denials for services dumpstate should not be accessing.


dontaudit dumpstate {


  apex_service


  dumpstate_service


  gatekeeper_service


  iorapd_service


  virtual_touchpad_service


  vold_service


  vr_hwc_service


}:service_manager find;


 


# Most of these are neverallowed.


dontaudit dumpstate hwservice_manager_type:hwservice_manager find;


 


allow dumpstate servicemanager:service_manager list;


allow dumpstate hwservicemanager:hwservice_manager list;


 


allow dumpstate devpts:chr_file rw_file_perms;


 


# Set properties.


# dumpstate_prop is used to share state with the Shell app.


set_prop(dumpstate, dumpstate_prop)


set_prop(dumpstate, exported_dumpstate_prop)


# dumpstate_options_prop is used to pass extra command-line args.


set_prop(dumpstate, dumpstate_options_prop)


 


# Read any system properties


get_prop(dumpstate, property_type)


 


# Access to /data/media.


# This should be removed if sdcardfs is modified to alter the secontext for its


# accesses to the underlying FS.


allow dumpstate media_rw_data_file:dir getattr;


allow dumpstate proc_interrupts:file r_file_perms;


allow dumpstate proc_zoneinfo:file r_file_perms;


 


# Create a service for talking back to system_server


add_service(dumpstate, dumpstate_service)


 


# use /dev/ion for screen capture


allow dumpstate ion_device:chr_file r_file_perms;


 


# Allow dumpstate to run top


allow dumpstate proc_stat:file r_file_perms;


 


# Allow dumpstate to talk to installd over binder


binder_call(dumpstate, installd);


 


# Allow dumpstate to run ip xfrm policy


allow dumpstate self:netlink_xfrm_socket { create_socket_perms_no_ioctl nlmsg_read };


 


# Allow dumpstate to run iotop


allow dumpstate self:netlink_socket create_socket_perms_no_ioctl;


# newer kernels (e.g. 4.4) have a new class for sockets


allow dumpstate self:netlink_generic_socket create_socket_perms_no_ioctl;


 


# Allow dumpstate to run ss


allow dumpstate { domain pdx_channel_socket_type pdx_endpoint_socket_type }:socket_class_set getattr;


 


# For when dumpstate runs df


dontaudit dumpstate mnt_vendor_file:dir search;


dontaudit dumpstate apex_mnt_dir:dir getattr;


 


# Allow dumpstate to talk to bufferhubd over binder


binder_call(dumpstate, bufferhubd);


 


# Allow dumpstate to talk to mediaswcodec over binder


binder_call(dumpstate, mediaswcodec);


 


# Allow dumpstate to kill vendor dumpstate service by init


set_prop(dumpstate, ctl_dumpstate_prop)


 


###


### neverallow rules


###


 


# dumpstate has capability sys_ptrace, but should only use that capability for


# accessing sensitive /proc/PID files, never for using ptrace attach.


neverallow dumpstate *:process ptrace;


 


# only system_server, dumpstate, traceur_app and shell can find the dumpstate service


neverallow {


  domain


  -system_server


  -shell


  -traceur_app


  -dumpstate


} dumpstate_service:service_manager find;