From 2b732237d1f8c49b6e93f7e90b0d0aa5b07e1a90 Mon Sep 17 00:00:00 2001
From: Stephen Smalley
Date: Thu, 4 Apr 2013 11:27:27 -0400
Subject: [PATCH] Allow all domains to read the log devices.
Read access to /dev/log/* is no longer restricted. Filtering on reads is performed per-uid by the kernel logger driver.
Change-Id: Ia986cbe66b84f3898e858c60f12c7f3d63ac47cf
Signed-off-by: Stephen Smalley
---
 adbd.te | 1 -
 app.te | 9 ---------
 debuggerd.te | 1 -
 domain.te | 2 +-
 shell.te | 3 ---
 5 files changed, 1 insertion(+), 15 deletions(-)
diff --git a/adbd.te b/adbd.te
index 074f35b00..67f3efee5 100644
--- a/adbd.te
+++ b/adbd.te
@@ -20,7 +20,6 @@ allow adbd sdcard_type:file create_file_perms;
 allow adbd graphics_device:dir search;
 allow adbd graphics_device:chr_file r_file_perms;
-allow adbd log_device:chr_file r_file_perms;
 # XXX Run /system/bin/vdc to connect to vold. Run in a separate domain?
 allow adbd system_file:file rx_file_perms;
 unix_socket_connect(adbd, vold, vold)
diff --git a/app.te b/app.te
index 0533f327c..68f4fbe76 100644
--- a/app.te
+++ b/app.te
@@ -13,8 +13,6 @@ platform_app_domain(platform_app)
 net_domain(platform_app)
 # Access bluetooth.
 bluetooth_domain(platform_app)
-# Read logs.
-allow platform_app log_device:chr_file read;
 # Write to /cache.
 allow platform_app cache_file:dir rw_dir_perms;
 allow platform_app cache_file:file create_file_perms;
@@ -34,8 +32,6 @@ app_domain(media_app)
 platform_app_domain(media_app)
 # Access the network.
 net_domain(media_app)
-# Read logs.
-allow media_app log_device:chr_file read;
 # Access /dev/mtp_usb.
 allow media_app mtp_device:chr_file rw_file_perms;
 # Write to /cache.
@@ -50,8 +46,6 @@ platform_app_domain(shared_app)
 net_domain(shared_app)
 # Access bluetooth.
 bluetooth_domain(shared_app)
-# Read logs.
-allow shared_app log_device:chr_file read;
 # ASEC
 r_dir_file(shared_app, asec_apk_file);
@@ -63,8 +57,6 @@ platform_app_domain(release_app)
 net_domain(release_app)
 # Access bluetooth.
 bluetooth_domain(release_app)
-# Read logs.
-allow release_app log_device:chr_file read;
 # Services with isolatedProcess=true in their manifest.
 # In order for isolated_apps to interact with apps that have levelFromUid=true
@@ -95,7 +87,6 @@ net_domain(untrusted_app)
 bluetooth_domain(untrusted_app)
 allow untrusted_app tun_device:chr_file rw_file_perms;
 allow untrusted_app system_data_file:file { execute open };
-allow untrusted_app log_device:chr_file read;
 # Internal SDCard rw access.
 bool app_internal_sdcard_rw true;
diff --git a/debuggerd.te b/debuggerd.te
index 653d00396..a0041e6f5 100644
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -17,4 +17,3 @@ allow debuggerd tombstone_data_file:dir create_dir_perms;
 allow debuggerd tombstone_data_file:file create_file_perms;
 allow debuggerd domain:process { sigstop signal };
 allow debuggerd exec_type:file r_file_perms;
-allow debuggerd log_device:chr_file r_file_perms;
diff --git a/domain.te b/domain.te
index 596cd428e..9124b0d7d 100644
--- a/domain.te
+++ b/domain.te
@@ -50,7 +50,7 @@ allow domain binder_device:chr_file rw_file_perms;
 allow domain ptmx_device:chr_file rw_file_perms;
 allow domain powervr_device:chr_file rw_file_perms;
 allow domain log_device:dir search;
-allow domain log_device:chr_file w_file_perms;
+allow domain log_device:chr_file rw_file_perms;
 allow domain nv_device:chr_file rw_file_perms;
 allow domain alarm_device:chr_file r_file_perms;
 allow domain urandom_device:chr_file r_file_perms;
diff --git a/shell.te b/shell.te
index 2f1dd439f..acf123bba 100644
--- a/shell.te
+++ b/shell.te
@@ -20,9 +20,6 @@ allow shell sdcard_type:file create_file_perms;
 r_dir_file(shell, apk_data_file)
 allow shell dalvikcache_data_file:file { write setattr };
-# Run logcat.
-allow shell log_device:chr_file r_file_perms;
-
 # Run app_process.
 # XXX Split into its own domain?
 app_domain(shell)
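Review bot: The new `allow domain log_device:chr_file rw_file_perms;` in domain.te has no comment recording that confidentiality of the log buffers now rests entirely on per-uid read filtering in the kernel logger driver, which this policy cannot verify. On a kernel built without that filtering, every domain, including untrusted_app and the isolated_apps mentioned in app.te, would be able to read other processes' log output. I would add above the rule: `# Reads are filtered per-uid by the kernel logger driver; do not ship this rule on kernels that lack that filtering.` The app domains previously held only `read`, so it is also worth confirming that the wider set in `rw_file_perms` (presumably open, getattr and ioctl as well) is intended for them. The domain.te rule list continues outside the hunk.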