f46d7a26c1
the cgroups v2 uid/gid hierarchy will replace cgroup for all sepolicy rules. For this reason, old rules have to be duplicated to cgroup_v2, plus some rules must be added to allow the ownership change for cgroup files created by init and zygote. Test: booted device, verified correct access from init, system_server and zygote to the uid/pid cgroup files Change-Id: I80c2a069b0fb409b442e1160148ddc48e31d6809
30 lines
1.2 KiB
Text
30 lines
1.2 KiB
Text
typeattribute logpersist coredomain;
|
|
|
|
# android debug log storage in logpersist domains (eng and userdebug only)
|
|
userdebug_or_eng(`
|
|
|
|
r_dir_file(logpersist, cgroup)
|
|
r_dir_file(logpersist, cgroup_v2)
|
|
|
|
allow logpersist misc_logd_file:file create_file_perms;
|
|
allow logpersist misc_logd_file:dir rw_dir_perms;
|
|
|
|
allow logpersist self:global_capability_class_set sys_nice;
|
|
allow logpersist pstorefs:dir search;
|
|
allow logpersist pstorefs:file r_file_perms;
|
|
|
|
control_logd(logpersist)
|
|
unix_socket_connect(logpersist, logdr, logd)
|
|
read_runtime_log_tags(logpersist)
|
|
|
|
')
|
|
|
|
# logpersist is allowed to write to /data/misc/log for userdebug and eng builds
|
|
neverallow logpersist {
|
|
file_type
|
|
userdebug_or_eng(`-misc_logd_file -coredump_file')
|
|
with_native_coverage(`-method_trace_data_file')
|
|
}:file { create write append };
|
|
neverallow { domain -init -dumpstate -incidentd userdebug_or_eng(`-logpersist -logd') } misc_logd_file:file no_rw_file_perms;
|
|
neverallow { domain -init userdebug_or_eng(`-logpersist -logd') } misc_logd_file:file no_w_file_perms;
|
|
neverallow { domain -init userdebug_or_eng(`-logpersist -logd') } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write };
|