platform_system_sepolicy/private/logd.te

# type_transition must be private policy the domain_trans rules could stay
# public, but conceptually should go with this
init_daemon_domain(logd)

# logd is not allowed to write anywhere other than /data/misc/logd, and then
# only on userdebug or eng builds
# TODO: deal with tmpfs_domain pub/priv split properly
neverallow logd {
  file_type
  -logd_tmpfs
  -runtime_event_log_tags_file
  userdebug_or_eng(`-coredump_file -misc_logd_file')
}:file { create write append };

# protect the event-log-tags file
neverallow {
  domain
  -appdomain # covered below
  -bootstat
  -dumpstate
  -init
  -logd
  userdebug_or_eng(`-logpersist')
  -servicemanager
  -system_server
  -surfaceflinger
  -zygote
} runtime_event_log_tags_file:file no_rw_file_perms;

neverallow {
  appdomain
  -bluetooth
  -platform_app
  -priv_app
  -radio
  -shell
  userdebug_or_eng(`-su')
  -system_app
} runtime_event_log_tags_file:file no_rw_file_perms;
Split general policy into public and private components. Divide policy into public and private components. This is the first step in splitting the policy creation for platform and non-platform policies. The policy in the public directory will be exported for use in non-platform policy creation. Backwards compatibility with it will be achieved by converting the exported policy into attribute-based policy when included as part of the non-platform policy and a mapping file will be maintained to be included with the platform policy that maps exported attributes of previous versions to the current platform version. Eventually we would like to create a clear interface between the platform and non-platform device components so that the exported policy, and the need for attributes is minimal. For now, almost all types and avrules are left in public. Test: Tested by building policy and running on device. Change-Id: Idef796c9ec169259787c3f9d8f423edf4ce27f8c 2016-07-22 22:13:11 +02:00			`# type_transition must be private policy the domain_trans rules could stay`
			`# public, but conceptually should go with this`
			`init_daemon_domain(logd)`
sepolicy: add version_policy tool and version non-platform policy. In order to support platform changes without simultaneous updates from non-platform components, the platform and non-platform policies must be split. In order to provide a guarantee that policy written for non-platform objects continues to provide the same access, all types exposed to non-platform policy are versioned by converting them and the policy using them into attributes. This change performs that split, the subsequent versioning and also generates a mapping file to glue the different policy components together. Test: Device boots and runs. Bug: 31369363 Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317 2016-10-12 23:58:09 +02:00
			`# logd is not allowed to write anywhere other than /data/misc/logd, and then`
			`# only on userdebug or eng builds`
			`# TODO: deal with tmpfs_domain pub/priv split properly`
logd: restrict access to /dev/event-log-tags Create an event_log_tags_file label and use it for /dev/event-log-tags. Only trusted system log readers are allowed direct read access to this file, no write access. Untrusted domain requests lack direct access, and are thus checked for credentials via the "plan b" long path socket to the event log tag service. Test: gTest logd-unit-tests, liblog-unit-tests and logcat-unit-tests Bug: 31456426 Bug: 30566487 Change-Id: Ib9b71ca225d4436d764c9bc340ff7b1c9c252a9e 2016-11-08 00:11:39 +01:00			`neverallow logd {`
			`file_type`
			`-logd_tmpfs`
			`-runtime_event_log_tags_file`
logd: add getEventTag command and service The event log tag service uses /dev/event-log-tags, pstore and /data/misc/logd/event-log-tags as sticky storage for the invented log tags. Test: gTest liblog-unit-tests, logd-unit-tests & logcat-unit-tests Bug: 31456426 Change-Id: Iacc8f36f4a716d4da8dca78a4a54600ad2a288dd 2016-09-13 18:33:35 +02:00			userdebug_or_eng(`-coredump_file -misc_logd_file')
logd: restrict access to /dev/event-log-tags Create an event_log_tags_file label and use it for /dev/event-log-tags. Only trusted system log readers are allowed direct read access to this file, no write access. Untrusted domain requests lack direct access, and are thus checked for credentials via the "plan b" long path socket to the event log tag service. Test: gTest logd-unit-tests, liblog-unit-tests and logcat-unit-tests Bug: 31456426 Bug: 30566487 Change-Id: Ib9b71ca225d4436d764c9bc340ff7b1c9c252a9e 2016-11-08 00:11:39 +01:00			`}:file { create write append };`

			`# protect the event-log-tags file`
			`neverallow {`
			`domain`
			`-appdomain # covered below`
			`-bootstat`
			`-dumpstate`
logd: add getEventTag command and service The event log tag service uses /dev/event-log-tags, pstore and /data/misc/logd/event-log-tags as sticky storage for the invented log tags. Test: gTest liblog-unit-tests, logd-unit-tests & logcat-unit-tests Bug: 31456426 Change-Id: Iacc8f36f4a716d4da8dca78a4a54600ad2a288dd 2016-09-13 18:33:35 +02:00			`-init`
logd: restrict access to /dev/event-log-tags Create an event_log_tags_file label and use it for /dev/event-log-tags. Only trusted system log readers are allowed direct read access to this file, no write access. Untrusted domain requests lack direct access, and are thus checked for credentials via the "plan b" long path socket to the event log tag service. Test: gTest logd-unit-tests, liblog-unit-tests and logcat-unit-tests Bug: 31456426 Bug: 30566487 Change-Id: Ib9b71ca225d4436d764c9bc340ff7b1c9c252a9e 2016-11-08 00:11:39 +01:00			`-logd`
			userdebug_or_eng(`-logpersist')
			`-servicemanager`
			`-system_server`
			`-surfaceflinger`
			`-zygote`
			`} runtime_event_log_tags_file:file no_rw_file_perms;`

			`neverallow {`
			`appdomain`
			`-bluetooth`
			`-platform_app`
			`-priv_app`
			`-radio`
			`-shell`
			userdebug_or_eng(`-su')
			`-system_app`
			`} runtime_event_log_tags_file:file no_rw_file_perms;`