logd: allow access to system files

- allow access for /data/system/packages.xml.
- deprecate access to /dev/logd_debug (can use /dev/kmsg for debugging)
- allow access to /dev/socket/logd for 'logd --reinit'

Bug: 19681572
Change-Id: Iac57fff1aabc3b061ad2cc27969017797f8bef54
Mark Salyzyn 2015-03-10 13:46:37 -07:00
parent 5434a8a913
commit 61d665af16
4 changed files with 3 additions and 12 deletions


@ -142,7 +142,6 @@ type fwmarkd_socket, file_type, mlstrustedobject;
type gps_socket, file_type; type gps_socket, file_type;
type installd_socket, file_type; type installd_socket, file_type;
type lmkd_socket, file_type; type lmkd_socket, file_type;
type logd_debug, file_type, mlstrustedobject;
type logd_socket, file_type, mlstrustedobject; type logd_socket, file_type, mlstrustedobject;
type logdr_socket, file_type, mlstrustedobject; type logdr_socket, file_type, mlstrustedobject;
type logdw_socket, file_type, mlstrustedobject; type logdw_socket, file_type, mlstrustedobject;


@ -86,7 +86,6 @@
/dev/socket/gps u:object_r:gps_socket:s0 /dev/socket/gps u:object_r:gps_socket:s0
/dev/socket/installd u:object_r:installd_socket:s0 /dev/socket/installd u:object_r:installd_socket:s0
/dev/socket/lmkd u:object_r:lmkd_socket:s0 /dev/socket/lmkd u:object_r:lmkd_socket:s0
/dev/logd_debug u:object_r:logd_debug:s0
/dev/socket/logd u:object_r:logd_socket:s0 /dev/socket/logd u:object_r:logd_socket:s0
/dev/socket/logdr u:object_r:logdr_socket:s0 /dev/socket/logdr u:object_r:logdr_socket:s0
/dev/socket/logdw u:object_r:logdw_socket:s0 /dev/socket/logdw u:object_r:logdw_socket:s0

10
logd.te

@ -9,18 +9,14 @@ allow logd self:capability2 syslog;
allow logd self:netlink_audit_socket { create_socket_perms nlmsg_write }; allow logd self:netlink_audit_socket { create_socket_perms nlmsg_write };
allow logd kernel:system syslog_read; allow logd kernel:system syslog_read;
allow logd kmsg_device:chr_file w_file_perms; allow logd kmsg_device:chr_file w_file_perms;
allow logd system_data_file:file r_file_perms;
r_dir_file(logd, domain) r_dir_file(logd, domain)
userdebug_or_eng(`
# Debug output
type_transition logd device:file logd_debug;
allow logd device:dir rw_dir_perms;
allow logd logd_debug:file create_file_perms;
')
allow logd kernel:system syslog_mod; allow logd kernel:system syslog_mod;
control_logd(logd)
### ###
### Neverallow rules ### Neverallow rules
### ###
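Review bot: The `allow logd system_data_file:file r_file_perms;` rule in logd.te lets logd read every file labelled `system_data_file`, while the commit description names only /data/system/packages.xml. If other files carry that label, a dedicated type for packages.xml with its own file_contexts entry would confine the grant to that one file; at minimum the rule should carry a comment such as `# logd reads /data/system/packages.xml`. The `control_logd(logd)` line would also read better with `# 'logd --reinit' connects to /dev/socket/logd`. The +/- markers are lost on this page, so treating these two lines as the additions is inferred from the description and from their appearing only once.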


@ -301,9 +301,6 @@ define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target
# Ability to write to android log # Ability to write to android log
# daemon via sockets # daemon via sockets
define(`write_logd', ` define(`write_logd', `
userdebug_or_eng(`
allow $1 logd_debug:file w_file_perms;
')
unix_socket_send($1, logdw, logd) unix_socket_send($1, logdw, logd)
allow $1 pmsg_device:chr_file w_file_perms; allow $1 pmsg_device:chr_file w_file_perms;
') ')