They are introduced for the device owner process logging feature.
That is, for enterprise-owned devices with device owner app provisioned,
the device owner may choose to turn on additional device-wide logging for
auditing and intrusion detection purposes. Logging includes histories of
app process startup, commands issued over ADB and lockscreen unlocking
attempts. These logs will available to the device owner for analysis,
potentially shipped to a remote server if it chooses to.
ro.device_owner will be a master switch to turn off logging, if the device
has no device owner provisioned. persist.logd.security is a switch that
device owner can toggle (via DevicePoliyManager) to enable/disable logging.
Writing to both properties should be only allowed by the system server.
Bug: 22860162
Change-Id: Iabfe2347b094914813b9d6e0c808877c25ccd038
Motivation: Domain is overly permissive. Start removing permissions
from domain and assign them to the domain_deprecated attribute.
Domain_deprecated and domain can initially be assigned to all
domains. The goal is to not assign domain_deprecated to new domains
and to start removing domain_deprecated where it is not required or
reassigning the appropriate permissions to the inheriting domain
when necessary.
Bug: 25433265
Change-Id: I8b11cb137df7bdd382629c98d916a73fe276413c
For userdebug and eng builds enforce that:
- only logd and shell domains may access logd files
- logd is only allowed to write to /data/misc/logd
Change-Id: Ie909cf701fc57109257aa13bbf05236d1777669a
- Enable logpersistd to write to /data/misc/logd
- Enable logpersistd to read from pstore to help complete any content
lost by reboot disruption
- Enable shell readonly ability logpersistd files in /data/misc/logd
- Enable logcat -f when placed into logd context to act as a
logpersistd (nee logcatd) agent, restrict access to run only in
userdebug or eng
Bug: 19608716
Change-Id: I3209582bc796a1093c325c90068a48bf268e5ab5
- allow access for /data/system/packages.xml.
- deprecate access to /dev/logd_debug (can use /dev/kmsg for debugging)
- allow access to /dev/socket/logd for 'logd --reinit'
Bug: 19681572
Change-Id: Iac57fff1aabc3b061ad2cc27969017797f8bef54
When using MLS (i.e. enabling levelFrom= in seapp_contexts),
certain domains and types must be exempted from the normal
constraints defined in the mls file. Beyond the current
set, adbd, logd, mdnsd, netd, and servicemanager need to
be able to read/write to any level in order to communicate
with apps running with any level, and the logdr and logdw
sockets need to be writable by apps running with any level.
This change has no impact unless levelFrom= is specified in
seapp_contexts, so by itself it is a no-op.
Change-Id: I36ed382b04a60a472e245a77055db294d3e708c3
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Replace * or any permission set containing create with
create_socket_perms or create_stream_socket_perms.
Add net_domain() to all domains using network sockets and
delete rules already covered by domain.te or net.te.
For netlink_route_socket, only nlmsg_write needs to be separately
granted to specific domains that are permitted to modify the routing
table. Clarification: read/write permissions are just ability to
perform read/recv() or write/send() on the socket, whereas nlmsg_read/
nlmsg_write permissions control ability to observe or modify the
underlying kernel state accessed via the socket.
See security/selinux/nlmsgtab.c in the kernel for the mapping of
netlink message types to nlmsg_read or nlmsg_write.
Delete legacy rule for b/12061011.
This change does not touch any rules where only read/write were allowed
to a socket created by another domain (inherited across exec or
received across socket or binder IPC). We may wish to rewrite some or all
of those rules with the rw_socket_perms macro but that is a separate
change.
Change-Id: Ib0637ab86f6d388043eff928e5d96beb02e5450e
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
- Add write_logd, read_logd and control_logd macros added along
with contexts for user space logd.
- Specify above on domain wide, or service-by-service basis
- Add logd rules.
- deprecate access_logcat as unused.
- 'allow <domain> zygote:unix_dgram_socket write;' rule added to
deal with fd inheritance. ToDo: investigate means to allow
references to close, and reopen in context of application
or call setsockcreatecon() to label them in child context.
Change-Id: I35dbb9d5122c5ed9b8c8f128abf24a871d6b26d8