Skip to content
Snippets Groups Projects
Commit 23f95178 authored by Nick Kralevich's avatar Nick Kralevich
Browse files

Don't grant domain device:dir rw_dir_perms

write_logd() is allowed for domain, which means that all domains
are permitted read/write access to /dev. That's overly permissive
and causes substantial differences between user and userdebug/eng
devices.

Remove domain device:dir rw_dir_perms access. It's not needed.

Allow all domains to write/append to logd_debug. logd is responsible
for creating this file if need be. Remove logd_debug file create
permissions. This also eliminates the need for the type_transition
rules.

Bug: 15419803

(cherry picked from commit 2bcea0a3)

Change-Id: If430615a3f3118124be331da518afc41f27aab5f
parent cb182aba
No related branches found
No related tags found
No related merge requests found
...@@ -321,10 +321,7 @@ define(`permissive_or_unconfined', ifelse(force_permissive_to_unconfined, `false ...@@ -321,10 +321,7 @@ define(`permissive_or_unconfined', ifelse(force_permissive_to_unconfined, `false
# daemon via sockets # daemon via sockets
define(`write_logd', ` define(`write_logd', `
userdebug_or_eng(` userdebug_or_eng(`
# Debug output allow $1 logd_debug:file w_file_perms;
type_transition $1 device:file logd_debug;
allow $1 device:dir rw_dir_perms;
allow $1 logd_debug:file create_file_perms;
') ')
unix_socket_send($1, logdw, logd) unix_socket_send($1, logdw, logd)
') ')
......
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment