Merge "logd: add getEventTag command and service" am: 542a46267f am: 2cf8777fe5 am: c480ee7d45

am: adce24c352

Change-Id: Iff0acc735158464b12b9011b69da55fb0ca8eccb

private/logd.te

@@ -9,7 +9,7 @@ neverallow logd {
   file_type
   -logd_tmpfs
   -runtime_event_log_tags_file
-  userdebug_or_eng(`-coredump_file')
+  userdebug_or_eng(`-coredump_file -misc_logd_file')
 }:file { create write append };
 
 # protect the event-log-tags file
@@ -18,6 +18,7 @@ neverallow {
   -appdomain # covered below
   -bootstat
   -dumpstate
+  -init
   -logd
   userdebug_or_eng(`-logpersist')
   -servicemanager

private/logpersist.te

@@ -18,5 +18,5 @@ userdebug_or_eng(`
 
 # logpersist is allowed to write to /data/misc/log for userdebug and eng builds
 neverallow logpersist { file_type userdebug_or_eng(`-misc_logd_file -coredump_file') }:file { create write append };
-neverallow { domain userdebug_or_eng(`-logpersist -dumpstate') } misc_logd_file:file no_rw_file_perms;
+neverallow { domain -init userdebug_or_eng(`-logpersist -logd -dumpstate') } misc_logd_file:file no_rw_file_perms;
-neverallow { domain userdebug_or_eng(`-logpersist') } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write };
+neverallow { domain -init userdebug_or_eng(`-logpersist -logd') } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write };

public/init.te

@@ -17,6 +17,9 @@ allow init kmsg_device:chr_file { write relabelto };
 allow init properties_device:dir relabelto;
 allow init properties_serial:file { write relabelto };
 allow init property_type:file { create_file_perms relabelto };
+# /dev/event-log-tags
+allow init device:file relabelfrom;
+allow init runtime_event_log_tags_file:file { open write setattr relabelto };
 # /dev/socket
 allow init { device socket_device }:dir relabelto;
 # /dev/random, /dev/urandom
@@ -233,8 +236,8 @@ allow init sysfs_type:file rw_file_perms;
 
 # Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd".
 # Init will also walk through the directory as part of a recursive restorecon.
-allow init misc_logd_file:dir { open create read getattr setattr search };
+allow init misc_logd_file:dir { add_name open create read getattr setattr search write };
-allow init misc_logd_file:file { getattr };
+allow init misc_logd_file:file { open create getattr setattr write };
 
 # Support "adb shell stop"
 allow init self:capability kill;

public/logd.te

@@ -14,6 +14,14 @@ allow logd self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write
 allow logd kernel:system syslog_read;
 allow logd kmsg_device:chr_file w_file_perms;
 allow logd system_data_file:{ file lnk_file } r_file_perms;
+allow logd pstorefs:dir search;
+allow logd pstorefs:file r_file_perms;
+userdebug_or_eng(`
+  # Access to /data/misc/logd/event-log-tags
+  allow logd misc_logd_file:dir r_dir_perms;
+  allow logd misc_logd_file:file rw_file_perms;
+')
+allow logd runtime_event_log_tags_file:file rw_file_perms;
 
 # Access device logging gating property
 get_prop(logd, device_logging_prop)
@@ -58,4 +66,8 @@ neverallow { domain -init } logd:process transition;
 neverallow * logd:process dyntransition;
 
 # protect the event-log-tags file
-neverallow * runtime_event_log_tags_file:file no_w_file_perms;
+neverallow {
+  domain
+  -init
+  -logd
+} runtime_event_log_tags_file:file no_w_file_perms;