logd: restrict access to /dev/event-log-tags
am: d33a9a194b
Change-Id: I8f95628067641e773623603681f226dab4939f2a
commit
650c101f51
18 changed files with 74 additions and 1 deletions
|
@ -75,6 +75,7 @@
|
|||
/dev/cpuctl(/.*)? u:object_r:cpuctl_device:s0
|
||||
/dev/device-mapper u:object_r:dm_device:s0
|
||||
/dev/eac u:object_r:audio_device:s0
|
||||
/dev/event-log-tags u:object_r:runtime_event_log_tags_file:s0
|
||||
/dev/fscklogs(/.*)? u:object_r:fscklogs:s0
|
||||
/dev/full u:object_r:full_device:s0
|
||||
/dev/fuse u:object_r:fuse_device:s0
|
||||
|
|
|
@ -5,4 +5,34 @@ init_daemon_domain(logd)
|
|||
# logd is not allowed to write anywhere other than /data/misc/logd, and then
|
||||
# only on userdebug or eng builds
|
||||
# TODO: deal with tmpfs_domain pub/priv split properly
|
||||
neverallow logd { file_type -logd_tmpfs userdebug_or_eng(`-coredump_file') }:file { create write append };
|
||||
neverallow logd {
|
||||
file_type
|
||||
-logd_tmpfs
|
||||
-runtime_event_log_tags_file
|
||||
userdebug_or_eng(`-coredump_file')
|
||||
}:file { create write append };
|
||||
|
||||
# protect the event-log-tags file
|
||||
neverallow {
|
||||
domain
|
||||
-appdomain # covered below
|
||||
-bootstat
|
||||
-dumpstate
|
||||
-logd
|
||||
userdebug_or_eng(`-logpersist')
|
||||
-servicemanager
|
||||
-system_server
|
||||
-surfaceflinger
|
||||
-zygote
|
||||
} runtime_event_log_tags_file:file no_rw_file_perms;
|
||||
|
||||
neverallow {
|
||||
appdomain
|
||||
-bluetooth
|
||||
-platform_app
|
||||
-priv_app
|
||||
-radio
|
||||
-shell
|
||||
userdebug_or_eng(`-su')
|
||||
-system_app
|
||||
} runtime_event_log_tags_file:file no_rw_file_perms;
|
||||
|
|
|
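Review bot: The `-runtime_event_log_tags_file` exemption added to logd's own write restriction (`neverallow logd { file_type -logd_tmpfs -runtime_event_log_tags_file ... }:file { create write append };`) is in tension with the later public logd.te hunk, `neverallow * runtime_event_log_tags_file:file no_w_file_perms;`, which forbids every domain, logd included, from writing the file, and no allow rule granting logd write access appears anywhere in this change. If logd is the process that creates /dev/event-log-tags, the `*` neverallow will reject the policy as soon as that allow is added; if it is not, the exemption is dead and deserves a comment naming the domain that does create the file. A smaller point: the appdomain neverallow exempts `-shell` (and `-su` under userdebug_or_eng) from `no_rw_file_perms`, but no `read_runtime_log_tags(shell)` grant appears among the changed files shown here, so the exemption either belongs with a grant outside this commit or could be tightened; `# shell/su: read granted elsewhere` next to the exemption would make the intent checkable.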
@ -12,6 +12,7 @@ userdebug_or_eng(`
|
|||
|
||||
control_logd(logpersist)
|
||||
unix_socket_connect(logpersist, logdr, logd)
|
||||
read_runtime_log_tags(logpersist)
|
||||
|
||||
')
|
||||
|
||||
|
|
|
@ -59,3 +59,5 @@ allow platform_app preloads_data_file:dir r_dir_perms;
|
|||
# Access to ephemeral APKs
|
||||
allow platform_app ephemeral_apk_data_file:dir r_dir_perms;
|
||||
allow platform_app ephemeral_apk_data_file:file r_file_perms;
|
||||
|
||||
read_runtime_log_tags(platform_app)
|
||||
|
|
|
@ -110,6 +110,8 @@ allow priv_app functionfs:file rw_file_perms;
|
|||
# TODO: narrow this to just MediaProvider
|
||||
allow priv_app mnt_media_rw_file:dir search;
|
||||
|
||||
read_runtime_log_tags(priv_app)
|
||||
|
||||
###
|
||||
### neverallow rules
|
||||
###
|
||||
|
|
|
@ -1 +1,3 @@
|
|||
app_domain(radio)
|
||||
|
||||
read_runtime_log_tags(radio)
|
||||
|
|
|
@ -1,3 +1,5 @@
|
|||
# type_transition must be private policy the domain_trans rules could stay
|
||||
# public, but conceptually should go with this
|
||||
init_daemon_domain(servicemanager)
|
||||
|
||||
read_runtime_log_tags(servicemanager)
|
||||
|
|
|
@ -79,3 +79,4 @@ allow system_app keystore:keystore_key {
|
|||
r_dir_file(system_app, sysfs_type)
|
||||
|
||||
control_logd(system_app)
|
||||
read_runtime_log_tags(system_app)
|
||||
|
|
|
@ -4,6 +4,8 @@ typeattribute zygote mlstrustedsubject;
|
|||
|
||||
init_daemon_domain(zygote)
|
||||
|
||||
read_runtime_log_tags(zygote)
|
||||
|
||||
# Override DAC on files and switch uid/gid.
|
||||
allow zygote self:capability { dac_override setgid setuid fowner chown };
|
||||
|
||||
|
|
|
@ -63,6 +63,8 @@ hwbinder_use(bluetooth)
|
|||
binder_call(bluetooth, hal_bluetooth)
|
||||
binder_call(bluetooth, hal_telephony)
|
||||
|
||||
read_runtime_log_tags(bluetooth)
|
||||
|
||||
###
|
||||
### Neverallow rules
|
||||
###
|
||||
|
|
|
@ -2,6 +2,8 @@
|
|||
type bootstat, domain;
|
||||
type bootstat_exec, exec_type, file_type;
|
||||
|
||||
read_runtime_log_tags(bootstat)
|
||||
|
||||
# Allow persistent storage in /data/misc/bootstat.
|
||||
allow bootstat bootstat_data_file:dir rw_dir_perms;
|
||||
allow bootstat bootstat_data_file:file create_file_perms;
|
||||
|
|
|
@ -130,6 +130,7 @@ allow dumpstate gpu_device:chr_file rw_file_perms;
|
|||
# logd access
|
||||
read_logd(dumpstate)
|
||||
control_logd(dumpstate)
|
||||
read_runtime_log_tags(dumpstate)
|
||||
|
||||
# Read /proc/net
|
||||
allow dumpstate proc_net:file r_file_perms;
|
||||
|
|
|
@ -76,6 +76,8 @@ type app_fusefs, fs_type, contextmount_type;
|
|||
type unlabeled, file_type;
|
||||
# Default type for anything under /system.
|
||||
type system_file, file_type;
|
||||
# Speedup access for trusted applications to the runtime event tags
|
||||
type runtime_event_log_tags_file, file_type;
|
||||
# Type for /system/*/libart*
|
||||
type libart_file, file_type;
|
||||
# Type for /system/bin/logcat.
|
||||
|
|
|
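Review bot: The comment on the new `type runtime_event_log_tags_file, file_type;` declaration states a motivation ("Speedup access for trusted applications") rather than what the type labels, which is what a reader of file.te needs to know. The file_contexts hunk labels `/dev/event-log-tags` with this type and the logd.te hunk associates it with tmpfs, so a more useful comment would be `# Type for /dev/event-log-tags, the tmpfs-backed runtime event log tag map; read access is granted via read_runtime_log_tags() and otherwise restricted by neverallow rules in logd.te`.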
@ -138,6 +138,7 @@ allow init {
|
|||
allow init {
|
||||
file_type
|
||||
-app_data_file
|
||||
-runtime_event_log_tags_file
|
||||
-exec_type
|
||||
-keystore_data_file
|
||||
-misc_logd_file
|
||||
|
|
|
@ -23,6 +23,15 @@ r_dir_file(logd, domain)
|
|||
allow logd kernel:system syslog_mod;
|
||||
|
||||
control_logd(logd)
|
||||
read_runtime_log_tags(logd)
|
||||
|
||||
allow runtime_event_log_tags_file tmpfs:filesystem associate;
|
||||
# Typically harmlessly blindly trying to access via liblog
|
||||
# event tag mapping while in the untrusted_app domain.
|
||||
# Access for that domain is controlled and gated via the
|
||||
# event log tag service (albeit at a performance penalty,
|
||||
# expected to be locally cached).
|
||||
dontaudit domain runtime_event_log_tags_file:file { open read };
|
||||
|
||||
###
|
||||
### Neverallow rules
|
||||
|
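Review bot: `dontaudit domain runtime_event_log_tags_file:file { open read };` suppresses denial logging for every domain, while the comment above it justifies the suppression only for untrusted_app blindly probing the file via liblog. Scoping it as `dontaudit untrusted_app runtime_event_log_tags_file:file { open read };` (or to appdomain minus the app domains that are granted access) keeps the audit trail for the domains the neverallow rules in this change are meant to keep out, which is exactly the signal a reviewer wants when an unexpected domain starts touching the file. The `### Neverallow rules` comment block at the end of the hunk continues outside it.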
@ -47,3 +56,6 @@ neverallow logd { app_data_file system_data_file }:dir_file_class_set write;
|
|||
# Only init is allowed to enter the logd domain via exec()
|
||||
neverallow { domain -init } logd:process transition;
|
||||
neverallow * logd:process dyntransition;
|
||||
|
||||
# protect the event-log-tags file
|
||||
neverallow * runtime_event_log_tags_file:file no_w_file_perms;
|
||||
|
|
|
@ -4,6 +4,8 @@ type surfaceflinger_exec, exec_type, file_type;
|
|||
|
||||
typeattribute surfaceflinger mlstrustedsubject;
|
||||
|
||||
read_runtime_log_tags(surfaceflinger)
|
||||
|
||||
# Perform HwBinder IPC.
|
||||
hwbinder_use(surfaceflinger)
|
||||
binder_call(surfaceflinger, hal_graphics_allocator)
|
||||
|
|
|
@ -464,6 +464,7 @@ allow system_server zygote:unix_dgram_socket write;
|
|||
|
||||
# Read from log daemon.
|
||||
read_logd(system_server)
|
||||
read_runtime_log_tags(system_server)
|
||||
|
||||
# Be consistent with DAC permissions. Allow system_server to write to
|
||||
# /sys/module/lowmemorykiller/parameters/adj
|
||||
|
|
|
@ -344,6 +344,13 @@ allow $1 logcat_exec:file rx_file_perms;
|
|||
unix_socket_connect($1, logdr, logd)
|
||||
')
|
||||
|
||||
#####################################
|
||||
# read_runtime_log_tags(domain)
|
||||
# ability to directly map the runtime event log tags
|
||||
define(`read_runtime_log_tags', `
|
||||
allow $1 runtime_event_log_tags_file:file r_file_perms;
|
||||
')
|
||||
|
||||
#####################################
|
||||
# control_logd(domain)
|
||||
# Ability to control
|
||||
|
|
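Review bot: The header comment of the new `read_runtime_log_tags(domain)` macro does not mention that the grant is only half of what a new caller needs: the logd.te hunks in this change carry neverallow rules that enumerate, domain by domain, who may read runtime_event_log_tags_file, so a domain given this macro without a matching exemption there violates a neverallow and the policy fails to build. Suggest extending the comment to `# ability to directly map the runtime event log tags. Any domain granted this must also be exempted from the matching neverallow rules in logd.te.` The `control_logd(domain)` comment at the end of the hunk continues outside it.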