From 384ce66246ea60a56a10e0bebb3c33647bb03a51 Mon Sep 17 00:00:00 2001
From: Mark Salyzyn <salyzyn@google.com>
Date: Tue, 13 Sep 2016 09:33:35 -0700
Subject: [PATCH] logd: add getEventTag command and service

The event log tag service uses /dev/event-log-tags, pstore and
/data/misc/logd/event-log-tags as sticky storage for the invented
log tags.

Test: gTest liblog-unit-tests, logd-unit-tests & logcat-unit-tests
Bug: 31456426
Change-Id: Iacc8f36f4a716d4da8dca78a4a54600ad2a288dd
---
 private/logd.te       |  3 ++-
 private/logpersist.te |  4 ++--
 public/init.te        |  7 +++++--
 public/logd.te        | 14 +++++++++++++-
 4 files changed, 22 insertions(+), 6 deletions(-)

diff --git a/private/logd.te b/private/logd.te
index 35117d043..aea6654c8 100644
--- a/private/logd.te
+++ b/private/logd.te
@@ -9,7 +9,7 @@ neverallow logd {
   file_type
   -logd_tmpfs
   -runtime_event_log_tags_file
-  userdebug_or_eng(`-coredump_file')
+  userdebug_or_eng(`-coredump_file -misc_logd_file')
 }:file { create write append };
 
 # protect the event-log-tags file
@@ -18,6 +18,7 @@ neverallow {
   -appdomain # covered below
   -bootstat
   -dumpstate
+  -init
   -logd
   userdebug_or_eng(`-logpersist')
   -servicemanager
diff --git a/private/logpersist.te b/private/logpersist.te
index 5f4da0e42..dbace693c 100644
--- a/private/logpersist.te
+++ b/private/logpersist.te
@@ -18,5 +18,5 @@ userdebug_or_eng(`
 
 # logpersist is allowed to write to /data/misc/log for userdebug and eng builds
 neverallow logpersist { file_type userdebug_or_eng(`-misc_logd_file -coredump_file') }:file { create write append };
-neverallow { domain userdebug_or_eng(`-logpersist -dumpstate') } misc_logd_file:file no_rw_file_perms;
-neverallow { domain userdebug_or_eng(`-logpersist') } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write };
+neverallow { domain -init userdebug_or_eng(`-logpersist -logd -dumpstate') } misc_logd_file:file no_rw_file_perms;
+neverallow { domain -init userdebug_or_eng(`-logpersist -logd') } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write };
diff --git a/public/init.te b/public/init.te
index 4b29891a7..debdc398a 100644
--- a/public/init.te
+++ b/public/init.te
@@ -17,6 +17,9 @@ allow init kmsg_device:chr_file { write relabelto };
 allow init properties_device:dir relabelto;
 allow init properties_serial:file { write relabelto };
 allow init property_type:file { create_file_perms relabelto };
+# /dev/event-log-tags
+allow init device:file relabelfrom;
+allow init runtime_event_log_tags_file:file { open write setattr relabelto };
 # /dev/socket
 allow init { device socket_device }:dir relabelto;
 # /dev/random, /dev/urandom
@@ -233,8 +236,8 @@ allow init sysfs_type:file rw_file_perms;
 
 # Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd".
 # Init will also walk through the directory as part of a recursive restorecon.
-allow init misc_logd_file:dir { open create read getattr setattr search };
-allow init misc_logd_file:file { getattr };
+allow init misc_logd_file:dir { add_name open create read getattr setattr search write };
+allow init misc_logd_file:file { open create getattr setattr write };
 
 # Support "adb shell stop"
 allow init self:capability kill;
diff --git a/public/logd.te b/public/logd.te
index 5defed5ab..62bff9739 100644
--- a/public/logd.te
+++ b/public/logd.te
@@ -14,6 +14,14 @@ allow logd self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write
 allow logd kernel:system syslog_read;
 allow logd kmsg_device:chr_file w_file_perms;
 allow logd system_data_file:{ file lnk_file } r_file_perms;
+allow logd pstorefs:dir search;
+allow logd pstorefs:file r_file_perms;
+userdebug_or_eng(`
+  # Access to /data/misc/logd/event-log-tags
+  allow logd misc_logd_file:dir r_dir_perms;
+  allow logd misc_logd_file:file rw_file_perms;
+')
+allow logd runtime_event_log_tags_file:file rw_file_perms;
 
 # Access device logging gating property
 get_prop(logd, device_logging_prop)
@@ -58,4 +66,8 @@ neverallow { domain -init } logd:process transition;
 neverallow * logd:process dyntransition;
 
 # protect the event-log-tags file
-neverallow * runtime_event_log_tags_file:file no_w_file_perms;
+neverallow {
+  domain
+  -init
+  -logd
+} runtime_event_log_tags_file:file no_w_file_perms;
-- 
GitLab