From 0c8286fe74d878243e850b8c1ec50ea5312b1a48 Mon Sep 17 00:00:00 2001
From: Rubin Xu <rubinxu@google.com>
Date: Mon, 4 Jan 2016 15:20:45 +0000
Subject: [PATCH] SELinux rule for ro.device_owner and persist.logd.security

They are introduced for the device owner process logging feature.
That is, for enterprise-owned devices with device owner app provisioned,
the device owner may choose to turn on additional device-wide logging for
auditing and intrusion detection purposes. Logging includes histories of
app process startup, commands issued over ADB and lockscreen unlocking
attempts. These logs will available to the device owner for analysis,
potentially shipped to a remote server if it chooses to.

ro.device_owner will be a master switch to turn off logging if the device
has no device owner provisioned. persist.logd.security is a switch that the
device owner can toggle (via DevicePolicyManager) to enable/disable logging.
Writing to both properties should only be allowed from the system server.

Bug: 22860162
Change-Id: Iabfe2347b094914813b9d6e0c808877c25ccd038
---
 adbd.te           | 3 +++
 logd.te           | 3 +++
 property.te       | 1 +
 property_contexts | 5 +++++
 system_server.te  | 1 +
 5 files changed, 13 insertions(+)

diff --git a/adbd.te b/adbd.te
index 76a0febd1..2734a331a 100644
--- a/adbd.te
+++ b/adbd.te
@@ -49,6 +49,9 @@ set_prop(adbd, shell_prop)
 set_prop(adbd, powerctl_prop)
 set_prop(adbd, ffs_prop)
 
+# Access device logging gating property
+get_prop(adbd, device_logging_prop)
+
 # Run /system/bin/bu
 allow adbd system_file:file rx_file_perms;
 
diff --git a/logd.te b/logd.te
index ab09bf50d..9b1fdd372 100644
--- a/logd.te
+++ b/logd.te
@@ -18,6 +18,9 @@ userdebug_or_eng(`
 allow logd pstorefs:dir search;
 allow logd pstorefs:file r_file_perms;
 
+# Access device logging gating property
+get_prop(logd, device_logging_prop)
+
 r_dir_file(logd, domain)
 
 allow logd kernel:system syslog_mod;
diff --git a/property.te b/property.te
index 5d6714203..94567ed75 100644
--- a/property.te
+++ b/property.te
@@ -31,5 +31,6 @@ type powerctl_prop, property_type, core_property_type;
 type nfc_prop, property_type, core_property_type;
 type dalvik_prop, property_type, core_property_type;
 type config_prop, property_type, core_property_type;
+type device_logging_prop, property_type;
 
 allow property_type tmpfs:filesystem associate;
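Review bot: The new type is declared without core_property_type while every neighbouring type in this hunk carries it, and that deliberate omission deserves a comment since it is the only thing that makes the read side of the design work. If domain.te in this tree grants get_prop(domain, core_property_type) as it usually does, leaving the attribute off is what keeps arbitrary domains from reading ro.device_owner and persist.logd.security and is why adbd and logd need the explicit get_prop grants elsewhere in this patch. I would add above the declaration `# Not core_property_type on purpose: only domains granted get_prop explicitly may read the device-owner logging switches.`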
diff --git a/property_contexts b/property_contexts
index c1ff6d727..47c3cf746 100644
--- a/property_contexts
+++ b/property_contexts
@@ -39,12 +39,17 @@ service.adb.tcp.port    u:object_r:shell_prop:s0
 persist.audio.          u:object_r:audio_prop:s0
 persist.debug.          u:object_r:persist_debug_prop:s0
 persist.logd.           u:object_r:logd_prop:s0
+persist.logd.security   u:object_r:device_logging_prop:s0
 persist.log.tag         u:object_r:logd_prop:s0
 persist.sys.            u:object_r:system_prop:s0
 persist.service.        u:object_r:system_prop:s0
 persist.service.bdroid. u:object_r:bluetooth_prop:s0
 persist.security.       u:object_r:system_prop:s0
 
+# Boolean property set by system server upon boot indicating
+# if device owner is provisioned.
+ro.device_owner         u:object_r:device_logging_prop:s0
+
 # selinux non-persistent properties
 selinux.restorecon_recursive   u:object_r:restorecon_prop:s0
 selinux.                       u:object_r:security_prop:s0
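Review bot: `persist.logd.security` is a prefix match like every other entry in this file, not an exact key, so any property whose name starts with that string (for example `persist.logd.security.foo`) is also labelled device_logging_prop rather than logd_prop. That is harmless today because it only narrows who may write, but a later logd setting under such a name would silently become unsettable by logd's own writers, and the carve-out from `persist.logd.` deserves a comment. Its position before `persist.log.tag` only works because, as far as I recall, libselinux's property backend sorts specs so the longer key wins over `persist.logd.`; if that holds in this tree file order is irrelevant, but a one-liner saves the next reader the check: `# Longer prefix than persist.logd.; set access restricted to system_server`.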
diff --git a/system_server.te b/system_server.te
index 97eb41584..d0cb2298c 100644
--- a/system_server.te
+++ b/system_server.te
@@ -288,6 +288,7 @@ set_prop(system_server, system_radio_prop)
 set_prop(system_server, debug_prop)
 set_prop(system_server, powerctl_prop)
 set_prop(system_server, fingerprint_prop)
+set_prop(system_server, device_logging_prop)
 
 # ctl interface
 set_prop(system_server, ctl_default_prop)
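Review bot: The commit message states that only system_server may write these two properties, yet nothing in the policy asserts that invariant, so a later `set_prop(foo, device_logging_prop)` in some other .te file would compile cleanly and quietly give another domain control of the audit-logging switch. A neverallow pins the intent at policy build time, for example `neverallow { domain -init -system_server } device_logging_prop:property_service set;` placed in property.te or domain.te alongside the existing property neverallows. init is excluded on the assumption that, as the property service, it holds a blanket set permission on property_type in this tree; if it does not, drop it from the exclusion list so the rule is as tight as the description claims.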
-- 
GitLab