typeattribute crash_dump coredomain; # Crash dump does not need to access devices passed across exec(). dontaudit crash_dump { devpts dev_type }:chr_file { read write }; allow crash_dump { domain -apexd -bpfloader -crash_dump -init -kernel -keystore -llkd -logd -ueventd -vendor_init -vold }:process { ptrace signal sigchld sigstop sigkill }; # TODO(b/186868271): Remove the keystore exception soon-ish (maybe by May 14, 2021?) userdebug_or_eng(` allow crash_dump { apexd keystore llkd logd vold }:process { ptrace signal sigchld sigstop sigkill }; ') ### ### neverallow assertions ### # ptrace neverallow assertions are spread throughout the other policy # files, so we avoid adding redundant assertions here neverallow crash_dump { apexd userdebug_or_eng(`-apexd') bpfloader init kernel keystore userdebug_or_eng(`-keystore') llkd userdebug_or_eng(`-llkd') logd userdebug_or_eng(`-logd') ueventd vendor_init vold userdebug_or_eng(`-vold') }:process { signal sigstop sigkill }; neverallow crash_dump self:process ptrace; neverallow crash_dump gpu_device:chr_file *; # Read ART APEX data directory allow crash_dump apex_art_data_file:dir { getattr search }; allow crash_dump apex_art_data_file:file r_file_perms;