platform_system_sepolicy/public/logd.te

# android user-space log manager
type logd, domain, mlstrustedsubject;
type logd_exec, exec_type, file_type;

# Read access to pseudo filesystems.
r_dir_file(logd, cgroup)
r_dir_file(logd, proc_kmsg)
r_dir_file(logd, proc_meminfo)

allow logd self:global_capability_class_set { setuid setgid setpcap sys_nice audit_control };
allow logd self:global_capability2_class_set syslog;
allow logd self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
allow logd kernel:system syslog_read;
allow logd kmsg_device:chr_file w_file_perms;
allow logd system_data_file:{ file lnk_file } r_file_perms;
allow logd pstorefs:dir search;
allow logd pstorefs:file r_file_perms;
userdebug_or_eng(`
  # Access to /data/misc/logd/event-log-tags
  allow logd misc_logd_file:dir r_dir_perms;
  allow logd misc_logd_file:file rw_file_perms;
')
allow logd runtime_event_log_tags_file:file rw_file_perms;

# Access device logging gating property
get_prop(logd, device_logging_prop)

r_dir_file(logd, domain)

allow logd kernel:system syslog_mod;

control_logd(logd)
read_runtime_log_tags(logd)

allow runtime_event_log_tags_file tmpfs:filesystem associate;
# Typically harmlessly blindly trying to access via liblog
# event tag mapping while in the untrusted_app domain.
# Access for that domain is controlled and gated via the
# event log tag service (albeit at a performance penalty,
# expected to be locally cached).
dontaudit domain runtime_event_log_tags_file:file { open read };

###
### Neverallow rules
###
### logd should NEVER do any of this

# Block device access.
neverallow logd dev_type:blk_file { read write };

# ptrace any other app
neverallow logd domain:process ptrace;

# ... and nobody may ptrace me (except on userdebug or eng builds)
neverallow { domain userdebug_or_eng(`-crash_dump') } logd:process ptrace;

# Write to /system.
neverallow logd system_file:dir_file_class_set write;

# Write to files in /data/data or system files on /data
neverallow logd { app_data_file privapp_data_file system_data_file }:dir_file_class_set write;

# Only init is allowed to enter the logd domain via exec()
neverallow { domain -init } logd:process transition;
neverallow * logd:process dyntransition;

# protect the event-log-tags file
neverallow {
  domain
  -init
  -logd
} runtime_event_log_tags_file:file no_w_file_perms;
sepolicy: Add write_logd, read_logd & control_logd - Add write_logd, read_logd and control_logd macros added along with contexts for user space logd. - Specify above on domain wide, or service-by-service basis - Add logd rules. - deprecate access_logcat as unused. - 'allow <domain> zygote:unix_dgram_socket write;' rule added to deal with fd inheritance. ToDo: investigate means to allow references to close, and reopen in context of application or call setsockcreatecon() to label them in child context. Change-Id: I35dbb9d5122c5ed9b8c8f128abf24a871d6b26d8 2013-11-13 00:34:52 +01:00			`# android user-space log manager`
logd: remove domain_deprecated attribute Test: builds/boots on Angler. No "granted" messages for the removed permissions observed in three months of log audits. Bug: 28760354 Change-Id: I76c2752f806b83a6c21fcb17b6f445368936f61b 2016-09-24 23:26:45 +02:00			`type logd, domain, mlstrustedsubject;`
sepolicy: Add write_logd, read_logd & control_logd - Add write_logd, read_logd and control_logd macros added along with contexts for user space logd. - Specify above on domain wide, or service-by-service basis - Add logd rules. - deprecate access_logcat as unused. - 'allow <domain> zygote:unix_dgram_socket write;' rule added to deal with fd inheritance. ToDo: investigate means to allow references to close, and reopen in context of application or call setsockcreatecon() to label them in child context. Change-Id: I35dbb9d5122c5ed9b8c8f128abf24a871d6b26d8 2013-11-13 00:34:52 +01:00			`type logd_exec, exec_type, file_type;`

logd: grant perms from domain_deprecated In preparation of removing permissions from domain_deprecated. Addresses: avc: denied { read } for name="psched" dev="proc" ino=4026536519 scontext=u:r:logd:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=1 avc: denied { open } for path="/proc/147/net/psched" dev="proc" ino=4026536519 scontext=u:r:logd:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=1 avc: denied { getattr } for path="/proc/147/net/psched" dev="proc" ino=4026536519 scontext=u:r:logd:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=1 avc: denied { read } for name="kmsg" dev="proc" ino=4026536603 scontext=u:r:logd:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1 avc: denied { open } for path="/proc/kmsg" dev="proc" ino=4026536603 scontext=u:r:logd:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1 avc: denied { getattr } for path="/proc/meminfo" dev="proc" ino=4026536598 scontext=u:r:logd:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1 Change-Id: Iaa67a6b8369c0449b09b64b807bc5819d6d68f02 2016-01-28 04:23:10 +01:00			`# Read access to pseudo filesystems.`
audit domain_deprecated perms for removal Grant permissions observed. Bug: 28760354 Change-Id: Ie63cda709319bbf635ef7bffbba3477c2cccc11b 2016-09-10 01:27:17 +02:00			`r_dir_file(logd, cgroup)`
Explicitly label logd's dependencies in /proc. labeled /proc/kmsg as proc_kmsg, changed logd's access from proc to proc_kmsg, and added a compat mapping. Bug: 65643247 Test: device boots without selinux denials to the newly introduced proc_kmsg Test: logd-unit-tests passes Merged-In: I92c9f5694289eb6a94c4d90f14e2de4d46b5228e Change-Id: I92c9f5694289eb6a94c4d90f14e2de4d46b5228e (partial CP of commit 528da6fe3a0dbe4ae15355dff0152ab5f55197da) 2017-09-13 23:34:56 +02:00			`r_dir_file(logd, proc_kmsg)`
audit domain_deprecated perms for removal Grant permissions observed. Bug: 28760354 Change-Id: Ie63cda709319bbf635ef7bffbba3477c2cccc11b 2016-09-10 01:27:17 +02:00			`r_dir_file(logd, proc_meminfo)`
logd: grant perms from domain_deprecated In preparation of removing permissions from domain_deprecated. Addresses: avc: denied { read } for name="psched" dev="proc" ino=4026536519 scontext=u:r:logd:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=1 avc: denied { open } for path="/proc/147/net/psched" dev="proc" ino=4026536519 scontext=u:r:logd:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=1 avc: denied { getattr } for path="/proc/147/net/psched" dev="proc" ino=4026536519 scontext=u:r:logd:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=1 avc: denied { read } for name="kmsg" dev="proc" ino=4026536603 scontext=u:r:logd:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1 avc: denied { open } for path="/proc/kmsg" dev="proc" ino=4026536603 scontext=u:r:logd:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1 avc: denied { getattr } for path="/proc/meminfo" dev="proc" ino=4026536598 scontext=u:r:logd:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1 Change-Id: Iaa67a6b8369c0449b09b64b807bc5819d6d68f02 2016-01-28 04:23:10 +01:00
sepolicy: Add rules for non-init namespaces In kernel 4.7, the capability and capability2 classes were split apart from cap_userns and cap2_userns (see kernel commit 8e4ff6f228e4722cac74db716e308d1da33d744f). Since then, Android cannot be run in a container with SELinux in enforcing mode. This change applies the existing capability rules to user namespaces as well as the root namespace so that Android running in a container behaves the same on pre- and post-4.7 kernels. This is essentially: 1. New global_capability_class_set and global_capability2_class_set that match capability+cap_userns and capability2+cap2_userns, respectively. 2. s/self:capability/self:global_capability_class_set/g 3. s/self:capability2/self:global_capability2_class_set/g 4. Add cap_userns and cap2_userns to the existing capability_class_set so that it covers all capabilities. This set was used by several neverallow and dontaudit rules, and I confirmed that the new classes are still appropriate. Test: diff new policy against old and confirm that all new rules add only cap_userns or cap2_userns; Boot ARC++ on a device with the 4.12 kernel. Bug: crbug.com/754831 Change-Id: I4007eb3a2ecd01b062c4c78d9afee71c530df95f 2017-11-09 23:51:26 +01:00			`allow logd self:global_capability_class_set { setuid setgid setpcap sys_nice audit_control };`
			`allow logd self:global_capability2_class_set syslog;`
Enforce ioctl command whitelisting on all sockets Remove the ioctl permission for most socket types. For others, such as tcp/udp/rawip/unix_dgram/unix_stream set a default unprivileged whitelist that individual domains may extend (except where neverallowed like untrusted_app). Enforce via a neverallowxperm rule. Change-Id: I15548d830f8eff1fd4d64005c5769ca2be8d4ffe 2016-05-17 06:12:17 +02:00			`allow logd self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };`
logd: add auditd Change-Id: Iec4bfc08ced20c0d4c74e07baca6cff812c9ba00 2014-04-01 20:02:57 +02:00			`allow logd kernel:system syslog_read;`
logd: auditd: add permissions to access /dev/kmsg Change-Id: I3c16a8e1104352d3d71cd3cd0298f4c31de56f5d 2014-04-07 23:04:30 +02:00			`allow logd kmsg_device:chr_file w_file_perms;`
audit domain_deprecated perms for removal Grant permissions observed. Bug: 28760354 Change-Id: Ie63cda709319bbf635ef7bffbba3477c2cccc11b 2016-09-10 01:27:17 +02:00			`allow logd system_data_file:{ file lnk_file } r_file_perms;`
logd: add getEventTag command and service The event log tag service uses /dev/event-log-tags, pstore and /data/misc/logd/event-log-tags as sticky storage for the invented log tags. Test: gTest liblog-unit-tests, logd-unit-tests & logcat-unit-tests Bug: 31456426 Change-Id: Iacc8f36f4a716d4da8dca78a4a54600ad2a288dd 2016-09-13 18:33:35 +02:00			`allow logd pstorefs:dir search;`
			`allow logd pstorefs:file r_file_perms;`
			userdebug_or_eng(`
			`# Access to /data/misc/logd/event-log-tags`
			`allow logd misc_logd_file:dir r_dir_perms;`
			`allow logd misc_logd_file:file rw_file_perms;`
			`')`
			`allow logd runtime_event_log_tags_file:file rw_file_perms;`
sepolicy: Add write_logd, read_logd & control_logd - Add write_logd, read_logd and control_logd macros added along with contexts for user space logd. - Specify above on domain wide, or service-by-service basis - Add logd rules. - deprecate access_logcat as unused. - 'allow <domain> zygote:unix_dgram_socket write;' rule added to deal with fd inheritance. ToDo: investigate means to allow references to close, and reopen in context of application or call setsockcreatecon() to label them in child context. Change-Id: I35dbb9d5122c5ed9b8c8f128abf24a871d6b26d8 2013-11-13 00:34:52 +01:00
SELinux rule for ro.device_owner and persist.logd.security They are introduced for the device owner process logging feature. That is, for enterprise-owned devices with device owner app provisioned, the device owner may choose to turn on additional device-wide logging for auditing and intrusion detection purposes. Logging includes histories of app process startup, commands issued over ADB and lockscreen unlocking attempts. These logs will available to the device owner for analysis, potentially shipped to a remote server if it chooses to. ro.device_owner will be a master switch to turn off logging, if the device has no device owner provisioned. persist.logd.security is a switch that device owner can toggle (via DevicePoliyManager) to enable/disable logging. Writing to both properties should be only allowed by the system server. Bug: 22860162 Change-Id: Iabfe2347b094914813b9d6e0c808877c25ccd038 2016-01-04 16:20:45 +01:00			`# Access device logging gating property`
			`get_prop(logd, device_logging_prop)`

sepolicy: Add write_logd, read_logd & control_logd - Add write_logd, read_logd and control_logd macros added along with contexts for user space logd. - Specify above on domain wide, or service-by-service basis - Add logd rules. - deprecate access_logcat as unused. - 'allow <domain> zygote:unix_dgram_socket write;' rule added to deal with fd inheritance. ToDo: investigate means to allow references to close, and reopen in context of application or call setsockcreatecon() to label them in child context. Change-Id: I35dbb9d5122c5ed9b8c8f128abf24a871d6b26d8 2013-11-13 00:34:52 +01:00			`r_dir_file(logd, domain)`

logd: Add klogd Change-Id: Ib9bc89b05771a12c6bb9a25cf59ea51afd22ae15 2014-10-16 00:49:37 +02:00			`allow logd kernel:system syslog_mod;`

logd: allow access to system files - allow access for /data/system/packages.xml. - deprecate access to /dev/logd_debug (can use /dev/kmsg for debugging) - allow access to /dev/socket/logd for 'logd --reinit' Bug: 19681572 Change-Id: Iac57fff1aabc3b061ad2cc27969017797f8bef54 2015-03-10 21:46:37 +01:00			`control_logd(logd)`
logd: restrict access to /dev/event-log-tags Create an event_log_tags_file label and use it for /dev/event-log-tags. Only trusted system log readers are allowed direct read access to this file, no write access. Untrusted domain requests lack direct access, and are thus checked for credentials via the "plan b" long path socket to the event log tag service. Test: gTest logd-unit-tests, liblog-unit-tests and logcat-unit-tests Bug: 31456426 Bug: 30566487 Change-Id: Ib9b71ca225d4436d764c9bc340ff7b1c9c252a9e 2016-11-08 00:11:39 +01:00			`read_runtime_log_tags(logd)`

			`allow runtime_event_log_tags_file tmpfs:filesystem associate;`
			`# Typically harmlessly blindly trying to access via liblog`
			`# event tag mapping while in the untrusted_app domain.`
			`# Access for that domain is controlled and gated via the`
			`# event log tag service (albeit at a performance penalty,`
			`# expected to be locally cached).`
			`dontaudit domain runtime_event_log_tags_file:file { open read };`
logd: allow access to system files - allow access for /data/system/packages.xml. - deprecate access to /dev/logd_debug (can use /dev/kmsg for debugging) - allow access to /dev/socket/logd for 'logd --reinit' Bug: 19681572 Change-Id: Iac57fff1aabc3b061ad2cc27969017797f8bef54 2015-03-10 21:46:37 +01:00
sepolicy: Add write_logd, read_logd & control_logd - Add write_logd, read_logd and control_logd macros added along with contexts for user space logd. - Specify above on domain wide, or service-by-service basis - Add logd rules. - deprecate access_logcat as unused. - 'allow <domain> zygote:unix_dgram_socket write;' rule added to deal with fd inheritance. ToDo: investigate means to allow references to close, and reopen in context of application or call setsockcreatecon() to label them in child context. Change-Id: I35dbb9d5122c5ed9b8c8f128abf24a871d6b26d8 2013-11-13 00:34:52 +01:00			`###`
			`### Neverallow rules`
			`###`
			`### logd should NEVER do any of this`

			`# Block device access.`
			`neverallow logd dev_type:blk_file { read write };`

			`# ptrace any other app`
			`neverallow logd domain:process ptrace;`

Prevent ptrace of logd on user builds system/core commit 6a70ded7bfa8914aaa3dc25630ff2713ae893f80 (later amended by 107e29ac1b1c297a0d4ee35c4978e79f47013e2c indicated that logd doesn't want it's memory accessible by anyone else. Unfortunately, setting DUMPABLE isn't sufficient against a root level process such with ptrace. Only one such process exists, "debuggerd". Block debuggerd from accessing logd's memory on user builds. Userdebug and eng builds are unaffected. Add a neverallow rule (compile time assertion + CTS test) to prevent regressions. Bug: 32450474 Test: Policy compiles. Change-Id: Ie90850cd91846a43adaa0871d239f894a0c94d38 2016-12-05 23:01:28 +01:00			`# ... and nobody may ptrace me (except on userdebug or eng builds)`
Introduce crash_dump debugging helper. Replace the global debuggerd with a per-process debugging helper that gets exec'ed by the process that crashed. Bug: http://b/30705528 Test: crasher/crasher64, `debuggerd <pid>`, `kill -ABRT <pid>` Change-Id: Iad1b7478f7a4e2690720db4b066417d8b66834ed 2016-10-19 23:39:30 +02:00			neverallow { domain userdebug_or_eng(`-crash_dump') } logd:process ptrace;
Prevent ptrace of logd on user builds system/core commit 6a70ded7bfa8914aaa3dc25630ff2713ae893f80 (later amended by 107e29ac1b1c297a0d4ee35c4978e79f47013e2c indicated that logd doesn't want it's memory accessible by anyone else. Unfortunately, setting DUMPABLE isn't sufficient against a root level process such with ptrace. Only one such process exists, "debuggerd". Block debuggerd from accessing logd's memory on user builds. Userdebug and eng builds are unaffected. Add a neverallow rule (compile time assertion + CTS test) to prevent regressions. Bug: 32450474 Test: Policy compiles. Change-Id: Ie90850cd91846a43adaa0871d239f894a0c94d38 2016-12-05 23:01:28 +01:00
sepolicy: Add write_logd, read_logd & control_logd - Add write_logd, read_logd and control_logd macros added along with contexts for user space logd. - Specify above on domain wide, or service-by-service basis - Add logd rules. - deprecate access_logcat as unused. - 'allow <domain> zygote:unix_dgram_socket write;' rule added to deal with fd inheritance. ToDo: investigate means to allow references to close, and reopen in context of application or call setsockcreatecon() to label them in child context. Change-Id: I35dbb9d5122c5ed9b8c8f128abf24a871d6b26d8 2013-11-13 00:34:52 +01:00			`# Write to /system.`
			`neverallow logd system_file:dir_file_class_set write;`

			`# Write to files in /data/data or system files on /data`
Start partitioning off privapp_data_file from app_data_file Currently, both untrusted apps and priv-apps use the SELinux file label "app_data_file" for files in their /data/data directory. This is problematic, as we really want different rules for such files. For example, we may want to allow untrusted apps to load executable code from priv-app directories, but disallow untrusted apps from loading executable code from their own home directories. This change adds a new file type "privapp_data_file". For compatibility, we adjust the policy to support access privapp_data_files almost everywhere we were previously granting access to app_data_files (adbd and run-as being exceptions). Additional future tightening is possible here by removing some of these newly added rules. This label will start getting used in a followup change to system/sepolicy/private/seapp_contexts, similar to: -user=_app isPrivApp=true domain=priv_app type=app_data_file levelFrom=user +user=_app isPrivApp=true domain=priv_app type=privapp_data_file levelFrom=user For now, this newly introduced label has no usage, so this change is essentially a no-op. Test: Factory reset and boot - no problems on fresh install. Test: Upgrade to new version and test. No compatibility problems on filesystem upgrade. Change-Id: I9618b7d91d1c2bcb5837cdabc949f0cf741a2837 2018-08-03 00:54:23 +02:00			`neverallow logd { app_data_file privapp_data_file system_data_file }:dir_file_class_set write;`
init: only allowed to transition to logpersist or logd Generate a compile time error if someone unexpectedly tries to transition into logpersist or logd domain. Test: compile Bug: 30566487 Change-Id: Ib55f301f104ad63de5ac513cdc9dc9937e3ba48d 2016-12-06 17:57:23 +01:00
			`# Only init is allowed to enter the logd domain via exec()`
			`neverallow { domain -init } logd:process transition;`
			`neverallow * logd:process dyntransition;`
logd: restrict access to /dev/event-log-tags Create an event_log_tags_file label and use it for /dev/event-log-tags. Only trusted system log readers are allowed direct read access to this file, no write access. Untrusted domain requests lack direct access, and are thus checked for credentials via the "plan b" long path socket to the event log tag service. Test: gTest logd-unit-tests, liblog-unit-tests and logcat-unit-tests Bug: 31456426 Bug: 30566487 Change-Id: Ib9b71ca225d4436d764c9bc340ff7b1c9c252a9e 2016-11-08 00:11:39 +01:00
			`# protect the event-log-tags file`
logd: add getEventTag command and service The event log tag service uses /dev/event-log-tags, pstore and /data/misc/logd/event-log-tags as sticky storage for the invented log tags. Test: gTest liblog-unit-tests, logd-unit-tests & logcat-unit-tests Bug: 31456426 Change-Id: Iacc8f36f4a716d4da8dca78a4a54600ad2a288dd 2016-09-13 18:33:35 +02:00			`neverallow {`
			`domain`
			`-init`
			`-logd`
			`} runtime_event_log_tags_file:file no_w_file_perms;`