platform_system_sepolicy/public/logd.te

# android user-space log manager
type logd, domain, mlstrustedsubject;
type logd_exec, exec_type, file_type;

# Read access to pseudo filesystems.
r_dir_file(logd, cgroup)
r_dir_file(logd, proc)
r_dir_file(logd, proc_meminfo)
r_dir_file(logd, proc_net)

allow logd self:capability { setuid setgid setpcap sys_nice audit_control };
allow logd self:capability2 syslog;
allow logd self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
allow logd kernel:system syslog_read;
allow logd kmsg_device:chr_file w_file_perms;
allow logd system_data_file:{ file lnk_file } r_file_perms;

# Access device logging gating property
get_prop(logd, device_logging_prop)

r_dir_file(logd, domain)

allow logd kernel:system syslog_mod;

control_logd(logd)

###
### Neverallow rules
###
### logd should NEVER do any of this

# Block device access.
neverallow logd dev_type:blk_file { read write };

# ptrace any other app
neverallow logd domain:process ptrace;

# ... and nobody may ptrace me (except on userdebug or eng builds)
neverallow { domain userdebug_or_eng(`-debuggerd') } logd:process ptrace;

# Write to /system.
neverallow logd system_file:dir_file_class_set write;

# Write to files in /data/data or system files on /data
neverallow logd { app_data_file system_data_file }:dir_file_class_set write;

# Only init is allowed to enter the logd domain via exec()
neverallow { domain -init } logd:process transition;
neverallow * logd:process dyntransition;
sepolicy: Add write_logd, read_logd & control_logd - Add write_logd, read_logd and control_logd macros added along with contexts for user space logd. - Specify above on domain wide, or service-by-service basis - Add logd rules. - deprecate access_logcat as unused. - 'allow <domain> zygote:unix_dgram_socket write;' rule added to deal with fd inheritance. ToDo: investigate means to allow references to close, and reopen in context of application or call setsockcreatecon() to label them in child context. Change-Id: I35dbb9d5122c5ed9b8c8f128abf24a871d6b26d8 2013-11-13 00:34:52 +01:00			`# android user-space log manager`
logd: remove domain_deprecated attribute Test: builds/boots on Angler. No "granted" messages for the removed permissions observed in three months of log audits. Bug: 28760354 Change-Id: I76c2752f806b83a6c21fcb17b6f445368936f61b 2016-09-24 23:26:45 +02:00			`type logd, domain, mlstrustedsubject;`
sepolicy: Add write_logd, read_logd & control_logd - Add write_logd, read_logd and control_logd macros added along with contexts for user space logd. - Specify above on domain wide, or service-by-service basis - Add logd rules. - deprecate access_logcat as unused. - 'allow <domain> zygote:unix_dgram_socket write;' rule added to deal with fd inheritance. ToDo: investigate means to allow references to close, and reopen in context of application or call setsockcreatecon() to label them in child context. Change-Id: I35dbb9d5122c5ed9b8c8f128abf24a871d6b26d8 2013-11-13 00:34:52 +01:00			`type logd_exec, exec_type, file_type;`

logd: grant perms from domain_deprecated In preparation of removing permissions from domain_deprecated. Addresses: avc: denied { read } for name="psched" dev="proc" ino=4026536519 scontext=u:r:logd:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=1 avc: denied { open } for path="/proc/147/net/psched" dev="proc" ino=4026536519 scontext=u:r:logd:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=1 avc: denied { getattr } for path="/proc/147/net/psched" dev="proc" ino=4026536519 scontext=u:r:logd:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=1 avc: denied { read } for name="kmsg" dev="proc" ino=4026536603 scontext=u:r:logd:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1 avc: denied { open } for path="/proc/kmsg" dev="proc" ino=4026536603 scontext=u:r:logd:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1 avc: denied { getattr } for path="/proc/meminfo" dev="proc" ino=4026536598 scontext=u:r:logd:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1 Change-Id: Iaa67a6b8369c0449b09b64b807bc5819d6d68f02 2016-01-28 04:23:10 +01:00			`# Read access to pseudo filesystems.`
audit domain_deprecated perms for removal Grant permissions observed. Bug: 28760354 Change-Id: Ie63cda709319bbf635ef7bffbba3477c2cccc11b 2016-09-10 01:27:17 +02:00			`r_dir_file(logd, cgroup)`
logd: grant perms from domain_deprecated In preparation of removing permissions from domain_deprecated. Addresses: avc: denied { read } for name="psched" dev="proc" ino=4026536519 scontext=u:r:logd:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=1 avc: denied { open } for path="/proc/147/net/psched" dev="proc" ino=4026536519 scontext=u:r:logd:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=1 avc: denied { getattr } for path="/proc/147/net/psched" dev="proc" ino=4026536519 scontext=u:r:logd:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=1 avc: denied { read } for name="kmsg" dev="proc" ino=4026536603 scontext=u:r:logd:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1 avc: denied { open } for path="/proc/kmsg" dev="proc" ino=4026536603 scontext=u:r:logd:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1 avc: denied { getattr } for path="/proc/meminfo" dev="proc" ino=4026536598 scontext=u:r:logd:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1 Change-Id: Iaa67a6b8369c0449b09b64b807bc5819d6d68f02 2016-01-28 04:23:10 +01:00			`r_dir_file(logd, proc)`
audit domain_deprecated perms for removal Grant permissions observed. Bug: 28760354 Change-Id: Ie63cda709319bbf635ef7bffbba3477c2cccc11b 2016-09-10 01:27:17 +02:00			`r_dir_file(logd, proc_meminfo)`
logd: grant perms from domain_deprecated In preparation of removing permissions from domain_deprecated. Addresses: avc: denied { read } for name="psched" dev="proc" ino=4026536519 scontext=u:r:logd:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=1 avc: denied { open } for path="/proc/147/net/psched" dev="proc" ino=4026536519 scontext=u:r:logd:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=1 avc: denied { getattr } for path="/proc/147/net/psched" dev="proc" ino=4026536519 scontext=u:r:logd:s0 tcontext=u:object_r:proc_net:s0 tclass=file permissive=1 avc: denied { read } for name="kmsg" dev="proc" ino=4026536603 scontext=u:r:logd:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1 avc: denied { open } for path="/proc/kmsg" dev="proc" ino=4026536603 scontext=u:r:logd:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1 avc: denied { getattr } for path="/proc/meminfo" dev="proc" ino=4026536598 scontext=u:r:logd:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=1 Change-Id: Iaa67a6b8369c0449b09b64b807bc5819d6d68f02 2016-01-28 04:23:10 +01:00			`r_dir_file(logd, proc_net)`

logd: Add setpcap for Minijail use. Bug: 30156807 Change-Id: Ie9faf72d35579fa69b4397bdffc8d674f040736c 2016-07-20 23:12:59 +02:00			`allow logd self:capability { setuid setgid setpcap sys_nice audit_control };`
logd: add auditd Change-Id: Iec4bfc08ced20c0d4c74e07baca6cff812c9ba00 2014-04-01 20:02:57 +02:00			`allow logd self:capability2 syslog;`
Enforce ioctl command whitelisting on all sockets Remove the ioctl permission for most socket types. For others, such as tcp/udp/rawip/unix_dgram/unix_stream set a default unprivileged whitelist that individual domains may extend (except where neverallowed like untrusted_app). Enforce via a neverallowxperm rule. Change-Id: I15548d830f8eff1fd4d64005c5769ca2be8d4ffe 2016-05-17 06:12:17 +02:00			`allow logd self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };`
logd: add auditd Change-Id: Iec4bfc08ced20c0d4c74e07baca6cff812c9ba00 2014-04-01 20:02:57 +02:00			`allow logd kernel:system syslog_read;`
logd: auditd: add permissions to access /dev/kmsg Change-Id: I3c16a8e1104352d3d71cd3cd0298f4c31de56f5d 2014-04-07 23:04:30 +02:00			`allow logd kmsg_device:chr_file w_file_perms;`
audit domain_deprecated perms for removal Grant permissions observed. Bug: 28760354 Change-Id: Ie63cda709319bbf635ef7bffbba3477c2cccc11b 2016-09-10 01:27:17 +02:00			`allow logd system_data_file:{ file lnk_file } r_file_perms;`
sepolicy: Add write_logd, read_logd & control_logd - Add write_logd, read_logd and control_logd macros added along with contexts for user space logd. - Specify above on domain wide, or service-by-service basis - Add logd rules. - deprecate access_logcat as unused. - 'allow <domain> zygote:unix_dgram_socket write;' rule added to deal with fd inheritance. ToDo: investigate means to allow references to close, and reopen in context of application or call setsockcreatecon() to label them in child context. Change-Id: I35dbb9d5122c5ed9b8c8f128abf24a871d6b26d8 2013-11-13 00:34:52 +01:00
SELinux rule for ro.device_owner and persist.logd.security They are introduced for the device owner process logging feature. That is, for enterprise-owned devices with device owner app provisioned, the device owner may choose to turn on additional device-wide logging for auditing and intrusion detection purposes. Logging includes histories of app process startup, commands issued over ADB and lockscreen unlocking attempts. These logs will available to the device owner for analysis, potentially shipped to a remote server if it chooses to. ro.device_owner will be a master switch to turn off logging, if the device has no device owner provisioned. persist.logd.security is a switch that device owner can toggle (via DevicePoliyManager) to enable/disable logging. Writing to both properties should be only allowed by the system server. Bug: 22860162 Change-Id: Iabfe2347b094914813b9d6e0c808877c25ccd038 2016-01-04 16:20:45 +01:00			`# Access device logging gating property`
			`get_prop(logd, device_logging_prop)`

sepolicy: Add write_logd, read_logd & control_logd - Add write_logd, read_logd and control_logd macros added along with contexts for user space logd. - Specify above on domain wide, or service-by-service basis - Add logd rules. - deprecate access_logcat as unused. - 'allow <domain> zygote:unix_dgram_socket write;' rule added to deal with fd inheritance. ToDo: investigate means to allow references to close, and reopen in context of application or call setsockcreatecon() to label them in child context. Change-Id: I35dbb9d5122c5ed9b8c8f128abf24a871d6b26d8 2013-11-13 00:34:52 +01:00			`r_dir_file(logd, domain)`

logd: Add klogd Change-Id: Ib9bc89b05771a12c6bb9a25cf59ea51afd22ae15 2014-10-16 00:49:37 +02:00			`allow logd kernel:system syslog_mod;`

logd: allow access to system files - allow access for /data/system/packages.xml. - deprecate access to /dev/logd_debug (can use /dev/kmsg for debugging) - allow access to /dev/socket/logd for 'logd --reinit' Bug: 19681572 Change-Id: Iac57fff1aabc3b061ad2cc27969017797f8bef54 2015-03-10 21:46:37 +01:00			`control_logd(logd)`

sepolicy: Add write_logd, read_logd & control_logd - Add write_logd, read_logd and control_logd macros added along with contexts for user space logd. - Specify above on domain wide, or service-by-service basis - Add logd rules. - deprecate access_logcat as unused. - 'allow <domain> zygote:unix_dgram_socket write;' rule added to deal with fd inheritance. ToDo: investigate means to allow references to close, and reopen in context of application or call setsockcreatecon() to label them in child context. Change-Id: I35dbb9d5122c5ed9b8c8f128abf24a871d6b26d8 2013-11-13 00:34:52 +01:00			`###`
			`### Neverallow rules`
			`###`
			`### logd should NEVER do any of this`

			`# Block device access.`
			`neverallow logd dev_type:blk_file { read write };`

			`# ptrace any other app`
			`neverallow logd domain:process ptrace;`

Prevent ptrace of logd on user builds system/core commit 6a70ded7bfa8914aaa3dc25630ff2713ae893f80 (later amended by 107e29ac1b1c297a0d4ee35c4978e79f47013e2c indicated that logd doesn't want it's memory accessible by anyone else. Unfortunately, setting DUMPABLE isn't sufficient against a root level process such with ptrace. Only one such process exists, "debuggerd". Block debuggerd from accessing logd's memory on user builds. Userdebug and eng builds are unaffected. Add a neverallow rule (compile time assertion + CTS test) to prevent regressions. Bug: 32450474 Test: Policy compiles. Change-Id: Ie90850cd91846a43adaa0871d239f894a0c94d38 2016-12-05 23:01:28 +01:00			`# ... and nobody may ptrace me (except on userdebug or eng builds)`
			neverallow { domain userdebug_or_eng(`-debuggerd') } logd:process ptrace;

sepolicy: Add write_logd, read_logd & control_logd - Add write_logd, read_logd and control_logd macros added along with contexts for user space logd. - Specify above on domain wide, or service-by-service basis - Add logd rules. - deprecate access_logcat as unused. - 'allow <domain> zygote:unix_dgram_socket write;' rule added to deal with fd inheritance. ToDo: investigate means to allow references to close, and reopen in context of application or call setsockcreatecon() to label them in child context. Change-Id: I35dbb9d5122c5ed9b8c8f128abf24a871d6b26d8 2013-11-13 00:34:52 +01:00			`# Write to /system.`
			`neverallow logd system_file:dir_file_class_set write;`

			`# Write to files in /data/data or system files on /data`
			`neverallow logd { app_data_file system_data_file }:dir_file_class_set write;`
init: only allowed to transition to logpersist or logd Generate a compile time error if someone unexpectedly tries to transition into logpersist or logd domain. Test: compile Bug: 30566487 Change-Id: Ib55f301f104ad63de5ac513cdc9dc9937e3ba48d 2016-12-06 17:57:23 +01:00
			`# Only init is allowed to enter the logd domain via exec()`
			`neverallow { domain -init } logd:process transition;`
			`neverallow * logd:process dyntransition;`