Don't grant domain device:dir rw_dir_perms

write_logd() is allowed for domain, which means that all domains are permitted read/write access to /dev. That's overly permissive and causes substantial differences between user and userdebug/eng devices. Remove domain device:dir rw_dir_perms access. It's not needed. Allow all domains to write/append to logd_debug. logd is responsible for creating this file if need be. Remove logd_debug file create permissions. This also eliminates the need for the type_transition rules. Bug: 15419803 Change-Id: I7dc3c4df8d413c649c24ae7bc15546d64226ce3b

Don't grant domain device:dir rw_dir_perms
2bcea0a3 · Nick Kralevich · dde428a9 · 2bcea0a3
Commit 2bcea0a3 authored 10 years ago by Nick Kralevich
--- a/te_macros
+++ b/te_macros
@@ -337,10 +337,7 @@ define(`permissive_or_unconfined', ifelse(force_permissive_to_unconfined, `false
 # daemon via sockets
 define(`write_logd', `
 userdebug_or_eng(`
-  # Debug output
-  type_transition $1 device:file logd_debug;
-  allow $1 device:dir rw_dir_perms;
-  allow $1 logd_debug:file create_file_perms;
+  allow $1 logd_debug:file w_file_perms;
 ')
 unix_socket_send($1, logdw, logd)
 ')