logd: restrict access to /dev/event-log-tags
Create a runtime_event_log_tags_file label and use it for /dev/event-log-tags. Only trusted system log readers are allowed direct read access to this file; no domain is granted write access. Untrusted domains lack direct access and are therefore checked for credentials via the "plan b" long path socket to the event log tag service. Test: gTest logd-unit-tests, liblog-unit-tests and logcat-unit-tests Bug: 31456426 Bug: 30566487 Change-Id: Ib9b71ca225d4436d764c9bc340ff7b1c9c252a9e
This commit is contained in:
parent
04641948c0
commit
d33a9a194b
18 changed files with 74 additions and 1 deletions
@ -75,6 +75,7 @@
|
|||
/dev/cpuctl(/.*)? u:object_r:cpuctl_device:s0
|
||||
/dev/device-mapper u:object_r:dm_device:s0
|
||||
/dev/eac u:object_r:audio_device:s0
|
||||
/dev/event-log-tags u:object_r:runtime_event_log_tags_file:s0
|
||||
/dev/fscklogs(/.*)? u:object_r:fscklogs:s0
|
||||
/dev/full u:object_r:full_device:s0
|
||||
/dev/fuse u:object_r:fuse_device:s0
|
||||
|
|
|
@ -5,4 +5,34 @@ init_daemon_domain(logd)
|
|||
# logd is not allowed to write anywhere other than /data/misc/logd, and then
|
||||
# only on userdebug or eng builds
|
||||
# TODO: deal with tmpfs_domain pub/priv split properly
|
||||
neverallow logd { file_type -logd_tmpfs userdebug_or_eng(`-coredump_file') }:file { create write append };
|
||||
neverallow logd {
|
||||
file_type
|
||||
-logd_tmpfs
|
||||
-runtime_event_log_tags_file
|
||||
userdebug_or_eng(`-coredump_file')
|
||||
}:file { create write append };
|
||||
|
||||
# protect the event-log-tags file
|
||||
neverallow {
|
||||
domain
|
||||
-appdomain # covered below
|
||||
-bootstat
|
||||
-dumpstate
|
||||
-logd
|
||||
userdebug_or_eng(`-logpersist')
|
||||
-servicemanager
|
||||
-system_server
|
||||
-surfaceflinger
|
||||
-zygote
|
||||
} runtime_event_log_tags_file:file no_rw_file_perms;
|
||||
|
||||
neverallow {
|
||||
appdomain
|
||||
-bluetooth
|
||||
-platform_app
|
||||
-priv_app
|
||||
-radio
|
||||
-shell
|
||||
userdebug_or_eng(`-su')
|
||||
-system_app
|
||||
} runtime_event_log_tags_file:file no_rw_file_perms;
|
||||
|
|
|
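Review bot: The `-runtime_event_log_tags_file` carve-out in the logd create/write/append neverallow implies logd is meant to write this file, yet the companion rule this same commit adds to public/logd.te, `neverallow * runtime_event_log_tags_file:file no_w_file_perms;`, forbids write for every domain including logd, and no hunk grants any domain write or create access to the new type. Either the carve-out is dead policy or the code path that populates /dev/event-log-tags is outside this commit; I cannot tell which from the hunks. Suggest a comment on the carve-out naming the writer, e.g. `# runtime_event_log_tags_file is populated by <writer>; writes are otherwise blocked by the no_w_file_perms neverallow in public/logd.te`, or dropping the exemption if nothing is expected to write. Separately, the appdomain exemption list names `-shell` and (userdebug/eng) -su, but no hunk here gives either domain read_runtime_log_tags; that is harmless for a neverallow, but a short comment pointing to where those grants live would save the next reader a search.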
@ -12,6 +12,7 @@ userdebug_or_eng(`
|
|||
|
||||
control_logd(logpersist)
|
||||
unix_socket_connect(logpersist, logdr, logd)
|
||||
read_runtime_log_tags(logpersist)
|
||||
|
||||
')
|
||||
|
||||
|
|
|
@ -59,3 +59,5 @@ allow platform_app preloads_data_file:dir r_dir_perms;
|
|||
# Access to ephemeral APKs
|
||||
allow platform_app ephemeral_apk_data_file:dir r_dir_perms;
|
||||
allow platform_app ephemeral_apk_data_file:file r_file_perms;
|
||||
|
||||
read_runtime_log_tags(platform_app)
|
||||
|
|
|
@ -110,6 +110,8 @@ allow priv_app functionfs:file rw_file_perms;
|
|||
# TODO: narrow this to just MediaProvider
|
||||
allow priv_app mnt_media_rw_file:dir search;
|
||||
|
||||
read_runtime_log_tags(priv_app)
|
||||
|
||||
###
|
||||
### neverallow rules
|
||||
###
|
||||
|
|
|
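Review bot: `read_runtime_log_tags(priv_app)` opens direct access to every app in /system/priv-app, which is a much broader class than the "trusted system log readers" the commit message describes, and it is inserted without a comment right under a TODO about narrowing another priv_app grant to MediaProvider. If a specific privileged app needs the fast path, say which one; otherwise document why the whole domain is trusted to bypass the event log tag service, e.g. `# Direct read of /dev/event-log-tags: privileged apps are trusted to skip the event log tag service credential check.` Without that, a later reviewer cannot tell whether this grant was deliberate or a convenience.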
@ -1 +1,3 @@
|
|||
app_domain(radio)
|
||||
|
||||
read_runtime_log_tags(radio)
|
||||
|
|
|
@ -1,3 +1,5 @@
|
|||
# type_transition must be private policy the domain_trans rules could stay
|
||||
# public, but conceptually should go with this
|
||||
init_daemon_domain(servicemanager)
|
||||
|
||||
read_runtime_log_tags(servicemanager)
|
||||
|
|
|
@ -79,3 +79,4 @@ allow system_app keystore:keystore_key {
|
|||
r_dir_file(system_app, sysfs_type)
|
||||
|
||||
control_logd(system_app)
|
||||
read_runtime_log_tags(system_app)
|
||||
|
|
|
@ -4,6 +4,8 @@ typeattribute zygote mlstrustedsubject;
|
|||
|
||||
init_daemon_domain(zygote)
|
||||
|
||||
read_runtime_log_tags(zygote)
|
||||
|
||||
# Override DAC on files and switch uid/gid.
|
||||
allow zygote self:capability { dac_override setgid setuid fowner chown };
|
||||
|
||||
|
|
|
@ -63,6 +63,8 @@ hwbinder_use(bluetooth)
|
|||
binder_call(bluetooth, hal_bluetooth)
|
||||
binder_call(bluetooth, hal_telephony)
|
||||
|
||||
read_runtime_log_tags(bluetooth)
|
||||
|
||||
###
|
||||
### Neverallow rules
|
||||
###
|
||||
|
|
|
@ -2,6 +2,8 @@
|
|||
type bootstat, domain;
|
||||
type bootstat_exec, exec_type, file_type;
|
||||
|
||||
read_runtime_log_tags(bootstat)
|
||||
|
||||
# Allow persistent storage in /data/misc/bootstat.
|
||||
allow bootstat bootstat_data_file:dir rw_dir_perms;
|
||||
allow bootstat bootstat_data_file:file create_file_perms;
|
||||
|
|
|
@ -130,6 +130,7 @@ allow dumpstate gpu_device:chr_file rw_file_perms;
|
|||
# logd access
|
||||
read_logd(dumpstate)
|
||||
control_logd(dumpstate)
|
||||
read_runtime_log_tags(dumpstate)
|
||||
|
||||
# Read /proc/net
|
||||
allow dumpstate proc_net:file r_file_perms;
|
||||
|
|
|
@ -76,6 +76,8 @@ type app_fusefs, fs_type, contextmount_type;
|
|||
type unlabeled, file_type;
|
||||
# Default type for anything under /system.
|
||||
type system_file, file_type;
|
||||
# Speedup access for trusted applications to the runtime event tags
|
||||
type runtime_event_log_tags_file, file_type;
|
||||
# Type for /system/*/libart*
|
||||
type libart_file, file_type;
|
||||
# Type for /system/bin/logcat.
|
||||
|
|
|
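Review bot: The comment on the new `runtime_event_log_tags_file` type describes a motivation ("Speedup access for trusted applications") rather than what the type labels, unlike the neighbouring entries which name a path. Suggest following the file's convention, e.g. `# Type for /dev/event-log-tags, the runtime event log tag map exported by logd.` followed by `# Read-only, and only for the domains exempted in the logd.te neverallow rules; everyone else goes through the event log tag service.` This also gives a reader the pointer to where the access list actually lives.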
@ -138,6 +138,7 @@ allow init {
|
|||
allow init {
|
||||
file_type
|
||||
-app_data_file
|
||||
-runtime_event_log_tags_file
|
||||
-exec_type
|
||||
-keystore_data_file
|
||||
-misc_logd_file
|
||||
|
|
|
@ -23,6 +23,15 @@ r_dir_file(logd, domain)
|
|||
allow logd kernel:system syslog_mod;
|
||||
|
||||
control_logd(logd)
|
||||
read_runtime_log_tags(logd)
|
||||
|
||||
allow runtime_event_log_tags_file tmpfs:filesystem associate;
|
||||
# Typically harmlessly blindly trying to access via liblog
|
||||
# event tag mapping while in the untrusted_app domain.
|
||||
# Access for that domain is controlled and gated via the
|
||||
# event log tag service (albeit at a performance penalty,
|
||||
# expected to be locally cached).
|
||||
dontaudit domain runtime_event_log_tags_file:file { open read };
|
||||
|
||||
###
|
||||
### Neverallow rules
|
||||
|
@ -47,3 +56,6 @@ neverallow logd { app_data_file system_data_file }:dir_file_class_set write;
|
|||
# Only init is allowed to enter the logd domain via exec()
|
||||
neverallow { domain -init } logd:process transition;
|
||||
neverallow * logd:process dyntransition;
|
||||
|
||||
# protect the event-log-tags file
|
||||
neverallow * runtime_event_log_tags_file:file no_w_file_perms;
|
||||
|
|
|
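Review bot: `dontaudit domain runtime_event_log_tags_file:file { open read };` silences open/read denials for every domain on the system, while the comment above it justifies the suppression only for untrusted_app's liblog fallback. A global dontaudit also hides an unexpected direct-read attempt from a domain that should never touch this file, which removes a useful audit signal; since neverallow only rejects at policy build time, the audit log is the only runtime indication of such probing. Unless other domains are known to trip this, consider narrowing it, e.g. `dontaudit appdomain runtime_event_log_tags_file:file { open read };`, or add a comment stating that liblog in every process may hit this path so the broad scope is intended.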
@ -4,6 +4,8 @@ type surfaceflinger_exec, exec_type, file_type;
|
|||
|
||||
typeattribute surfaceflinger mlstrustedsubject;
|
||||
|
||||
read_runtime_log_tags(surfaceflinger)
|
||||
|
||||
# Perform HwBinder IPC.
|
||||
hwbinder_use(surfaceflinger)
|
||||
binder_call(surfaceflinger, hal_graphics_allocator)
|
||||
|
|
|
@ -464,6 +464,7 @@ allow system_server zygote:unix_dgram_socket write;
|
|||
|
||||
# Read from log daemon.
|
||||
read_logd(system_server)
|
||||
read_runtime_log_tags(system_server)
|
||||
|
||||
# Be consistent with DAC permissions. Allow system_server to write to
|
||||
# /sys/module/lowmemorykiller/parameters/adj
|
||||
|
|
|
@ -344,6 +344,13 @@ allow $1 logcat_exec:file rx_file_perms;
|
|||
unix_socket_connect($1, logdr, logd)
|
||||
')
|
||||
|
||||
#####################################
|
||||
# read_runtime_log_tags(domain)
|
||||
# ability to directly map the runtime event log tags
|
||||
define(`read_runtime_log_tags', `
|
||||
allow $1 runtime_event_log_tags_file:file r_file_perms;
|
||||
')
|
||||
|
||||
#####################################
|
||||
# control_logd(domain)
|
||||
# Ability to control
|
||||
|
|
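Review bot: The header for `read_runtime_log_tags` does not mention that any domain using it must also be listed as an exemption in the `runtime_event_log_tags_file` neverallow rules in logd.te, otherwise the policy fails to build; every call site added in this commit has a matching exemption there, so the coupling is real. Suggest adding to the macro comment: `# Callers must also be exempted from the no_rw_file_perms neverallow rules on runtime_event_log_tags_file in logd.te.` Also, the description says "directly map" while the body grants `r_file_perms`; if `map` is part of that permission set in this tree the wording is fine, otherwise "directly read" would be more accurate.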