init: logpersist access on debug

03-25 09:31:22.996 1 1 W init : type=1400 audit(0.0:8): \ avc: denied { getattr } for path="/data/misc/logd/logcat.052" \ dev="dm-2" ino=124778 scontext=u:r:init:s0 \ tcontext=u:object_r:misc_logd_file:s0 tclass=file permissive=0 . . . Introduced a new macro not_userdebug_nor_eng() Change-Id: I9c3a952c265cac096342493598fff7d41604ca45

init: logpersist access on debug
121f5bfd · Mark Salyzyn · f2d07904 · 121f5bfd · 121f5bfd · 121f5bfd
Commit 121f5bfd authored 9 years ago by Mark Salyzyn
--- a/domain.te
+++ b/domain.te
@@ -491,7 +491,7 @@ neverallow * ~servicemanager:service_manager list;
 neverallow * ~service_manager_type:service_manager { add find };
 # logpersist is only allowed on userdebug/eng builds
-neverallow { domain userdebug_or_eng(`-logd -shell') } misc_logd_file:file rw_file_perms;
+neverallow { domain userdebug_or_eng(`-logd -shell -init') } misc_logd_file:file rw_file_perms;
 # Prevent assigning non property types to properties
 neverallow * ~property_type:property_service set;

--- a/init.te
+++ b/init.te
@@ -100,7 +100,7 @@ allow init rootfs:{ dir file } relabelfrom;
 allow init self:capability { chown fowner fsetid };
 allow init {file_type -system_file -exec_type -app_data_file}:dir { create search getattr open read setattr ioctl };
 allow init {file_type -system_file -exec_type -keystore_data_file -app_data_file -shell_data_file -vold_data_file}:dir { write add_name remove_name rmdir relabelfrom };
-allow init {file_type -system_file -exec_type -keystore_data_file -app_data_file -shell_data_file -vold_data_file -misc_logd_file }:file { create getattr open read write setattr relabelfrom unlink };
+allow init {file_type -system_file -exec_type -keystore_data_file -app_data_file -shell_data_file -vold_data_file not_userdebug_nor_eng(`-misc_logd_file') }:file { create getattr open read write setattr relabelfrom unlink };
 allow init {file_type -system_file -exec_type -keystore_data_file -app_data_file -shell_data_file -vold_data_file}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
 allow init {file_type -system_file -exec_type -keystore_data_file -app_data_file -shell_data_file -vold_data_file}:lnk_file { create getattr setattr relabelfrom unlink };
 allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;

--- a/te_macros
+++ b/te_macros
@@ -278,6 +278,7 @@ define(`recovery_only', ifelse(target_recovery, `true', $1, ))
 # SELinux rules which apply only to userdebug or eng builds
 #
 define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
+define(`not_userdebug_nor_eng', ifelse(target_build_variant, `eng', , ifelse(target_build_variant, `userdebug', , $1)))
 define(`eng', ifelse(target_build_variant, `eng', $1))
 #####################################