From 2b732237d1f8c49b6e93f7e90b0d0aa5b07e1a90 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Thu, 4 Apr 2013 11:27:27 -0400
Subject: [PATCH] Allow all domains to read the log devices.

Read access to /dev/log/* is no longer restricted.
Filtering on reads is performed per-uid by the kernel logger driver.

Change-Id: Ia986cbe66b84f3898e858c60f12c7f3d63ac47cf
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 adbd.te      | 1 -
 app.te       | 9 ---------
 debuggerd.te | 1 -
 domain.te    | 2 +-
 shell.te     | 3 ---
 5 files changed, 1 insertion(+), 15 deletions(-)

diff --git a/adbd.te b/adbd.te
index 074f35b00..67f3efee5 100644
--- a/adbd.te
+++ b/adbd.te
@@ -20,7 +20,6 @@ allow adbd sdcard_type:file create_file_perms;
 
 allow adbd graphics_device:dir search;
 allow adbd graphics_device:chr_file r_file_perms;
-allow adbd log_device:chr_file r_file_perms;
 # XXX Run /system/bin/vdc to connect to vold.  Run in a separate domain?
 allow adbd system_file:file rx_file_perms;
 unix_socket_connect(adbd, vold, vold)
diff --git a/app.te b/app.te
index 0533f327c..68f4fbe76 100644
--- a/app.te
+++ b/app.te
@@ -13,8 +13,6 @@ platform_app_domain(platform_app)
 net_domain(platform_app)
 # Access bluetooth.
 bluetooth_domain(platform_app)
-# Read logs.
-allow platform_app log_device:chr_file read;
 # Write to /cache.
 allow platform_app cache_file:dir rw_dir_perms;
 allow platform_app cache_file:file create_file_perms;
@@ -34,8 +32,6 @@ app_domain(media_app)
 platform_app_domain(media_app)
 # Access the network.
 net_domain(media_app)
-# Read logs.
-allow media_app log_device:chr_file read;
 # Access /dev/mtp_usb.
 allow media_app mtp_device:chr_file rw_file_perms;
 # Write to /cache.
@@ -50,8 +46,6 @@ platform_app_domain(shared_app)
 net_domain(shared_app)
 # Access bluetooth.
 bluetooth_domain(shared_app)
-# Read logs.
-allow shared_app log_device:chr_file read;
 # ASEC
 r_dir_file(shared_app, asec_apk_file);
 
@@ -63,8 +57,6 @@ platform_app_domain(release_app)
 net_domain(release_app)
 # Access bluetooth.
 bluetooth_domain(release_app)
-# Read logs.
-allow release_app log_device:chr_file read;
 
 # Services with isolatedProcess=true in their manifest.
 # In order for isolated_apps to interact with apps that have levelFromUid=true
@@ -95,7 +87,6 @@ net_domain(untrusted_app)
 bluetooth_domain(untrusted_app)
 allow untrusted_app tun_device:chr_file rw_file_perms;
 allow untrusted_app system_data_file:file { execute open };
-allow untrusted_app log_device:chr_file read;
 
 # Internal SDCard rw access.
 bool app_internal_sdcard_rw true;
diff --git a/debuggerd.te b/debuggerd.te
index 653d00396..a0041e6f5 100644
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -17,4 +17,3 @@ allow debuggerd tombstone_data_file:dir create_dir_perms;
 allow debuggerd tombstone_data_file:file create_file_perms;
 allow debuggerd domain:process { sigstop signal };
 allow debuggerd exec_type:file r_file_perms;
-allow debuggerd log_device:chr_file r_file_perms;
diff --git a/domain.te b/domain.te
index 596cd428e..9124b0d7d 100644
--- a/domain.te
+++ b/domain.te
@@ -50,7 +50,7 @@ allow domain binder_device:chr_file rw_file_perms;
 allow domain ptmx_device:chr_file rw_file_perms;
 allow domain powervr_device:chr_file rw_file_perms;
 allow domain log_device:dir search;
-allow domain log_device:chr_file w_file_perms;
+allow domain log_device:chr_file rw_file_perms;
 allow domain nv_device:chr_file rw_file_perms;
 allow domain alarm_device:chr_file r_file_perms;
 allow domain urandom_device:chr_file r_file_perms;
diff --git a/shell.te b/shell.te
index 2f1dd439f..acf123bba 100644
--- a/shell.te
+++ b/shell.te
@@ -20,9 +20,6 @@ allow shell sdcard_type:file create_file_perms;
 r_dir_file(shell, apk_data_file)
 allow shell dalvikcache_data_file:file { write setattr };
 
-# Run logcat.
-allow shell log_device:chr_file r_file_perms;
-
 # Run app_process.
 # XXX Split into its own domain?
 app_domain(shell)
-- 
GitLab