Allow all domains to read the log devices.

Read access to /dev/log/* is no longer restricted.
Filtering on reads is performed per-uid by the kernel logger driver.

Change-Id: Ia986cbe66b84f3898e858c60f12c7f3d63ac47cf
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

adbd.te

@@ -20,7 +20,6 @@ allow adbd sdcard_type:file create_file_perms;
 
 allow adbd graphics_device:dir search;
 allow adbd graphics_device:chr_file r_file_perms;
-allow adbd log_device:chr_file r_file_perms;
 # XXX Run /system/bin/vdc to connect to vold.  Run in a separate domain?
 allow adbd system_file:file rx_file_perms;
 unix_socket_connect(adbd, vold, vold)

app.te

@@ -13,8 +13,6 @@ platform_app_domain(platform_app)
 net_domain(platform_app)
 # Access bluetooth.
 bluetooth_domain(platform_app)
-# Read logs.
-allow platform_app log_device:chr_file read;
 # Write to /cache.
 allow platform_app cache_file:dir rw_dir_perms;
 allow platform_app cache_file:file create_file_perms;
@@ -34,8 +32,6 @@ app_domain(media_app)
 platform_app_domain(media_app)
 # Access the network.
 net_domain(media_app)
-# Read logs.
-allow media_app log_device:chr_file read;
 # Access /dev/mtp_usb.
 allow media_app mtp_device:chr_file rw_file_perms;
 # Write to /cache.
@@ -50,8 +46,6 @@ platform_app_domain(shared_app)
 net_domain(shared_app)
 # Access bluetooth.
 bluetooth_domain(shared_app)
-# Read logs.
-allow shared_app log_device:chr_file read;
 # ASEC
 r_dir_file(shared_app, asec_apk_file);
 
@@ -63,8 +57,6 @@ platform_app_domain(release_app)
 net_domain(release_app)
 # Access bluetooth.
 bluetooth_domain(release_app)
-# Read logs.
-allow release_app log_device:chr_file read;
 
 # Services with isolatedProcess=true in their manifest.
 # In order for isolated_apps to interact with apps that have levelFromUid=true
@@ -95,7 +87,6 @@ net_domain(untrusted_app)
 bluetooth_domain(untrusted_app)
 allow untrusted_app tun_device:chr_file rw_file_perms;
 allow untrusted_app system_data_file:file { execute open };
-allow untrusted_app log_device:chr_file read;
 
 # Internal SDCard rw access.
 bool app_internal_sdcard_rw true;

debuggerd.te

@@ -17,4 +17,3 @@ allow debuggerd tombstone_data_file:dir create_dir_perms;
 allow debuggerd tombstone_data_file:file create_file_perms;
 allow debuggerd domain:process { sigstop signal };
 allow debuggerd exec_type:file r_file_perms;
-allow debuggerd log_device:chr_file r_file_perms;

domain.te

@@ -50,7 +50,7 @@ allow domain binder_device:chr_file rw_file_perms;
 allow domain ptmx_device:chr_file rw_file_perms;
 allow domain powervr_device:chr_file rw_file_perms;
 allow domain log_device:dir search;
-allow domain log_device:chr_file w_file_perms;
+allow domain log_device:chr_file rw_file_perms;
 allow domain nv_device:chr_file rw_file_perms;
 allow domain alarm_device:chr_file r_file_perms;
 allow domain urandom_device:chr_file r_file_perms;

shell.te

@@ -20,9 +20,6 @@ allow shell sdcard_type:file create_file_perms;
 r_dir_file(shell, apk_data_file)
 allow shell dalvikcache_data_file:file { write setattr };
 
-# Run logcat.
-allow shell log_device:chr_file r_file_perms;
-
 # Run app_process.
 # XXX Split into its own domain?
 app_domain(shell)