Merge "Add sepolicy for logd and logcat services"

2022-01-14 20:44:35 +00:00 · 2022-01-14 20:44:35 +00:00 · d6a5b604ce
commit d6a5b604ce
parent 52e44e8022 6a656c0b67
4 changed files with 17 additions and 1 deletions
--- a/private/logd.te
+++ b/private/logd.te
@ -10,6 +10,8 @@ get_prop(logd, device_logging_prop)
 neverallow logd {
  file_type
  -runtime_event_log_tags_file
+  # shell_data_file access is needed to dump bugreports
+  -shell_data_file
  userdebug_or_eng(`-coredump_file -misc_logd_file')
  with_native_coverage(`-method_trace_data_file')
 }:file { create write append };
@ -39,3 +41,11 @@ neverallow {
  userdebug_or_eng(`-su')
  -system_app
 } runtime_event_log_tags_file:file no_rw_file_perms;
+
+# Only binder communication between logd and system_server is allowed
+binder_use(logd)
+binder_service(logd)
+binder_call(logd, system_server)
+
+add_service(logd, logd_service)
+allow logd logcat_service:service_manager find;
--- a/private/service.te
+++ b/private/service.te
@ -1,8 +1,11 @@
 type attention_service,             system_server_service, service_manager_type;
+type compos_internal_service,       service_manager_type;
 type compos_service,                service_manager_type;
 type dynamic_system_service,        system_api_service, system_server_service, service_manager_type;
 type gsi_service,                   service_manager_type;
 type incidentcompanion_service,     app_api_service, system_api_service, system_server_service, service_manager_type;
+type logcat_service,                system_server_service, service_manager_type;
+type logd_service,                  service_manager_type;
 type mediatuner_service,            app_api_service, service_manager_type;
 type profcollectd_service,          service_manager_type;
 type resolver_service,              system_server_service, service_manager_type;
@ -13,4 +16,3 @@ type statscompanion_service,        system_server_service, service_manager_type;
 type statsmanager_service,          system_api_service, system_server_service, service_manager_type;
 type tracingproxy_service,          system_server_service, service_manager_type;
 type uce_service,                   service_manager_type;
-type compos_internal_service,       service_manager_type;
--- a/private/service_contexts
+++ b/private/service_contexts
@ -198,6 +198,8 @@ locale                                    u:object_r:locale_service:s0
 location                                  u:object_r:location_service:s0
 location_time_zone_manager                u:object_r:location_time_zone_manager_service:s0
 lock_settings                             u:object_r:lock_settings_service:s0
+logcat                                    u:object_r:logcat_service:s0
+logd                                      u:object_r:logd_service:s0
 looper_stats                              u:object_r:looper_stats_service:s0
 lpdump_service                            u:object_r:lpdump_service:s0
 media.aaudio                              u:object_r:audioserver_service:s0
--- a/private/system_server.te
+++ b/private/system_server.te
@ -277,6 +277,7 @@ binder_call(system_server, statsd)
 binder_call(system_server, storaged)
 binder_call(system_server, update_engine)
 binder_call(system_server, vold)
+binder_call(system_server, logd)
 binder_call(system_server, wificond)
 binder_call(system_server, wpantund)
 binder_service(system_server)
@ -881,6 +882,7 @@ allow system_server surfaceflinger_service:service_manager find;
 allow system_server update_engine_service:service_manager find;
 allow system_server vold_service:service_manager find;
 allow system_server wifinl80211_service:service_manager find;
+allow system_server logd_service:service_manager find;
 userdebug_or_eng(`
  allow system_server profcollectd_service:service_manager find;
 ')