Add sepolicy for logd and logcat services

The logd binder service is on the logd side.
The logcat binder service is on the system_server side.
These two binder services facilitate the binder RPC
between logd and system_server.

Bug: 197901557
Test: manual
Change-Id: I5f08bbb44a88dc72302331ab11c7d54f94db16ac
Wenhao Wang 2022-01-11 15:16:12 -08:00
parent 70cd2da646
commit 6a656c0b67
4 changed files with 17 additions and 1 deletions


@ -10,6 +10,8 @@ get_prop(logd, device_logging_prop)
neverallow logd {
file_type
-runtime_event_log_tags_file
# shell_data_file access is needed to dump bugreports
-shell_data_file
userdebug_or_eng(`-coredump_file -misc_logd_file')
with_native_coverage(`-method_trace_data_file')
}:file { create write append };
@ -39,3 +41,11 @@ neverallow {
userdebug_or_eng(`-su')
-system_app
} runtime_event_log_tags_file:file no_rw_file_perms;
# Only binder communication between logd and system_server is allowed
binder_use(logd)
binder_service(logd)
binder_call(logd, system_server)
add_service(logd, logd_service)
allow logd logcat_service:service_manager find;
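Review bot: The comment `# Only binder communication between logd and system_server is allowed` states an invariant that the rules under it do not enforce: `binder_service(logd)` plus `add_service(logd, logd_service)` make logd a reachable binder server, and the only thing limiting its callers to system_server is the absence of other `find`/`binder_call` rules elsewhere, which a later change can add without touching this file. If the restriction is meant as a guarantee, consider a neverallow on `binder call` from logd to domains other than system_server (excluding whatever `binder_use` legitimately needs, i.e. servicemanager); if it is only a description of the current state, reword it to `# logd currently exchanges binder calls with system_server only` so it does not read as enforced. Registration itself looks protected, since as far as I recall AOSP's `add_service` macro also emits a neverallow on `add` for the named service type. The rendered page has lost the +/- markers, so I am reading every line of this hunk as new, and the first hunk's two additions to the `neverallow logd { ... }:file` block cannot be identified from here; if they widen that carve-out (for example the `-shell_data_file` exemption) that should be called out in the commit message.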


@ -1,8 +1,11 @@
type attention_service, system_server_service, service_manager_type;
type compos_internal_service, service_manager_type;
type compos_service, service_manager_type;
type dynamic_system_service, system_api_service, system_server_service, service_manager_type;
type gsi_service, service_manager_type;
type incidentcompanion_service, app_api_service, system_api_service, system_server_service, service_manager_type;
type logcat_service, system_server_service, service_manager_type;
type logd_service, service_manager_type;
type mediatuner_service, app_api_service, service_manager_type;
type profcollectd_service, service_manager_type;
type resolver_service, system_server_service, service_manager_type;
@ -13,4 +16,3 @@ type statscompanion_service, system_server_service, service_manager_type;
type statsmanager_service, system_api_service, system_server_service, service_manager_type;
type tracingproxy_service, system_server_service, service_manager_type;
type uce_service, service_manager_type;
type compos_internal_service, service_manager_type;


@ -198,6 +198,8 @@ locale u:object_r:locale_service:s0
location u:object_r:location_service:s0
location_time_zone_manager u:object_r:location_time_zone_manager_service:s0
lock_settings u:object_r:lock_settings_service:s0
logcat u:object_r:logcat_service:s0
logd u:object_r:logd_service:s0
looper_stats u:object_r:looper_stats_service:s0
lpdump_service u:object_r:lpdump_service:s0
media.aaudio u:object_r:audioserver_service:s0


@ -277,6 +277,7 @@ binder_call(system_server, statsd)
binder_call(system_server, storaged)
binder_call(system_server, update_engine)
binder_call(system_server, vold)
binder_call(system_server, logd)
binder_call(system_server, wificond)
binder_call(system_server, wpantund)
binder_service(system_server)
@ -881,6 +882,7 @@ allow system_server surfaceflinger_service:service_manager find;
allow system_server update_engine_service:service_manager find;
allow system_server vold_service:service_manager find;
allow system_server wifinl80211_service:service_manager find;
allow system_server logd_service:service_manager find;
userdebug_or_eng(`
allow system_server profcollectd_service:service_manager find;
')
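Review bot: `binder_call(system_server, logd)` is inserted between `vold` and `wificond`, breaking the alphabetical order the surrounding list keeps (`statsd`, `storaged`, `update_engine`, `vold`, `wificond`, `wpantund`); the same applies to `allow system_server logd_service:service_manager find;` in the second hunk, placed after `wifinl80211_service`. Both lines should move to their alphabetical slot, which for `logd` falls before `binder_call(system_server, statsd)` and before the `surfaceflinger_service` find rule respectively, outside the visible context. Both runs of rules start before their hunks, so the exact insertion points are not visible here.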