From 2bcea0a3139faf0a8ae1cfe9cce88cde74e1a0bc Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Wed, 4 Jun 2014 15:53:30 -0700
Subject: [PATCH] Don't grant domain device:dir rw_dir_perms

write_logd() is allowed for domain, which means that all domains
are permitted read/write access to /dev. That's overly permissive
and causes substantial differences between user and userdebug/eng
devices.

Remove domain device:dir rw_dir_perms access. It's not needed.

Allow all domains to write/append to logd_debug. logd is responsible
for creating this file if need be. Remove logd_debug file create
permissions. This also eliminates the need for the type_transition
rules.

Bug: 15419803
Change-Id: I7dc3c4df8d413c649c24ae7bc15546d64226ce3b
---
 te_macros | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/te_macros b/te_macros
index 7a6d74ace..7cd7d82ad 100644
--- a/te_macros
+++ b/te_macros
@@ -337,10 +337,7 @@ define(`permissive_or_unconfined', ifelse(force_permissive_to_unconfined, `false
 # daemon via sockets
 define(`write_logd', `
 userdebug_or_eng(`
-  # Debug output
-  type_transition $1 device:file logd_debug;
-  allow $1 device:dir rw_dir_perms;
-  allow $1 logd_debug:file create_file_perms;
+  allow $1 logd_debug:file w_file_perms;
 ')
 unix_socket_send($1, logdw, logd)
 ')
-- 
GitLab