Merge "logd: add getEventTag command and service" am: 542a46267f am: 2cf8777fe5 am: c480ee7d45

am: adce24c352 Change-Id: Iff0acc735158464b12b9011b69da55fb0ca8eccb
2017-02-01 21:39:47 +00:00 · 2017-02-01 21:39:47 +00:00 · 1c8ad93f53
commit 1c8ad93f53
parent e2d0e74147 adce24c352
4 changed files with 22 additions and 6 deletions
--- a/private/logd.te
+++ b/private/logd.te
@ -9,7 +9,7 @@ neverallow logd {
  file_type
  -logd_tmpfs
  -runtime_event_log_tags_file
-  userdebug_or_eng(`-coredump_file')
+  userdebug_or_eng(`-coredump_file -misc_logd_file')
 }:file { create write append };

 # protect the event-log-tags file
@ -18,6 +18,7 @@ neverallow {
  -appdomain # covered below
  -bootstat
  -dumpstate
+  -init
  -logd
  userdebug_or_eng(`-logpersist')
  -servicemanager
--- a/private/logpersist.te
+++ b/private/logpersist.te
@ -18,5 +18,5 @@ userdebug_or_eng(`

 # logpersist is allowed to write to /data/misc/log for userdebug and eng builds
 neverallow logpersist { file_type userdebug_or_eng(`-misc_logd_file -coredump_file') }:file { create write append };
-neverallow { domain userdebug_or_eng(`-logpersist -dumpstate') } misc_logd_file:file no_rw_file_perms;
-neverallow { domain userdebug_or_eng(`-logpersist') } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write };
+neverallow { domain -init userdebug_or_eng(`-logpersist -logd -dumpstate') } misc_logd_file:file no_rw_file_perms;
+neverallow { domain -init userdebug_or_eng(`-logpersist -logd') } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write };
--- a/public/init.te
+++ b/public/init.te
@ -17,6 +17,9 @@ allow init kmsg_device:chr_file { write relabelto };
 allow init properties_device:dir relabelto;
 allow init properties_serial:file { write relabelto };
 allow init property_type:file { create_file_perms relabelto };
+# /dev/event-log-tags
+allow init device:file relabelfrom;
+allow init runtime_event_log_tags_file:file { open write setattr relabelto };
 # /dev/socket
 allow init { device socket_device }:dir relabelto;
 # /dev/random, /dev/urandom
@ -233,8 +236,8 @@ allow init sysfs_type:file rw_file_perms;

 # Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd".
 # Init will also walk through the directory as part of a recursive restorecon.
-allow init misc_logd_file:dir { open create read getattr setattr search };
-allow init misc_logd_file:file { getattr };
+allow init misc_logd_file:dir { add_name open create read getattr setattr search write };
+allow init misc_logd_file:file { open create getattr setattr write };

 # Support "adb shell stop"
 allow init self:capability kill;
--- a/public/logd.te
+++ b/public/logd.te
@ -14,6 +14,14 @@ allow logd self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write
 allow logd kernel:system syslog_read;
 allow logd kmsg_device:chr_file w_file_perms;
 allow logd system_data_file:{ file lnk_file } r_file_perms;
+allow logd pstorefs:dir search;
+allow logd pstorefs:file r_file_perms;
+userdebug_or_eng(`
+  # Access to /data/misc/logd/event-log-tags
+  allow logd misc_logd_file:dir r_dir_perms;
+  allow logd misc_logd_file:file rw_file_perms;
+')
+allow logd runtime_event_log_tags_file:file rw_file_perms;

 # Access device logging gating property
 get_prop(logd, device_logging_prop)
@ -58,4 +66,8 @@ neverallow { domain -init } logd:process transition;
 neverallow * logd:process dyntransition;

 # protect the event-log-tags file
-neverallow * runtime_event_log_tags_file:file no_w_file_perms;
+neverallow {
+  domain
+  -init
+  -logd
+} runtime_event_log_tags_file:file no_w_file_perms;