# Copyright (c) 2023 Huawei Device Co., Ltd.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# SELinux policy for the lldb_server domain (lldb-server debug agent).
# Everything inside developer_only(...) is presumably only compiled into
# developer builds; the neverallow rules after it apply unconditionally.

developer_only(`

# lldb-server has to access stdin, stdout and stderr, the SELinux context of
# which is appspawn (or cjappspawn).
allow lldb_server appspawn:fd { use };
allow lldb_server cjappspawn:fd { use };

# lldb-server first runs in platform mode. Each time it accepts a client
# request it forks, and the child re-executes lldb-server (via the execve
# syscall). lldb-server is also allowed to write its logs to the directory
# where the lldb-server binary is stored.
# The three dir search rules below presumably cover the path traversal down to
# the lldb_server_file directory — confirm against the file contexts.
# NOTE(review): create/append and execute/execute_no_trans are granted on the
# same lldb_server_file label, so lldb_server can execute files it has written
# itself (no domain change, hence no privilege beyond lldb_server's own
# permissions). The key_enable rule below suggests fs-verity is relied on to
# reject unsigned binaries — confirm it is enforced for this directory.
allow lldb_server data_file:dir { search };
allow lldb_server data_local:dir { search };
allow lldb_server data_local_tmp:dir { search getattr };
allow lldb_server lldb_server_file:dir { write create add_name search };
allow lldb_server lldb_server_file:file { create append map execute execute_no_trans };
allow lldb_server lldb_server:process { fork getsched setsched };

# lldb-server needs to read the procfs of a debuggable app to know runtime
# information such as what the binary is and the runtime vm address the binary
# is loaded at.
allow lldb_server debug_hap:dir { search read open };
allow lldb_server debug_hap:file { read open };
allow lldb_server debug_hap:lnk_file { read };

# lldb-server needs to read system libraries and the Appspawn/CJAppspawn binary
# so that it can compare these with local module caches which are used for
# symbol resolving, breakpoint setting etc.
allow lldb_server system_bin_file:dir { search };
allow lldb_server appspawn_exec:file { getattr read open map };
allow lldb_server cjappspawn_exec:file { getattr read open map };

# Debugging functionalities like breakpoints and stepping are accomplished by
# sending ptrace syscalls. debug_hap is the only target domain granted here;
# the neverallow rules below pin that down.
allow lldb_server debug_hap:process { ptrace sigkill signal sigstop };

# For fs-verity (signature checking) of lldb-server, since lldb-server
# re-executes lldb-server.
allow lldb_server key_enable:key { search };

')

# Forbid lldb-server from debugging any process other than debuggable
# applications, including child processes launched by lldb-server itself
# (the self rule). Outside developer builds the developer_only(...) exception
# presumably expands to nothing, so lldb-server may then debug no process at
# all — confirm against the macro definition.
neverallow lldb_server { domain developer_only(`-debug_hap') }:process {
    ptrace sigkill signal sigstop };
neverallow lldb_server self:process { ptrace sigkill signal sigstop };
# Only processes of Appspawn/CJAppspawn and lldb-server can execute lldb-server.
neverallow { domain developer_only(`-appspawn -cjappspawn -lldb_server') }
    lldb_server_file:file { map execute execute_no_trans entrypoint };
# Only allow Appspawn/CJAppspawn to spawn lldb-server; the context transition is
# accomplished by the kernel, and dynamic transition in user land is
# forbidden for every domain.
neverallow { domain developer_only(`-appspawn -cjappspawn') }
    lldb_server:process { transition };
neverallow domain lldb_server:process { dyntransition };
# Only allow hdcd (in developer mode) and lldb-server itself to connect to the
# Unix socket owned by lldb-server, so that an already-launched lldb-server
# cannot be used by another third-party process, directly or indirectly, to
# dump sensitive information from debuggable applications.
neverallow { domain -lldb_server developer_only(`-hdcd') }
    lldb_server:unix_stream_socket { connectto };