Merge "logd: add getEventTag command and service"

542a4626 · Mark Salyzyn · Gerrit Code Review · 01ee59a7 · 384ce662 · 542a4626
Commit 542a4626 authored 8 years ago by Mark Salyzyn Committed by Gerrit Code Review 8 years ago
--- a/private/logd.te
+++ b/private/logd.te
@@ -9,7 +9,7 @@ neverallow logd {
  file_type
  -logd_tmpfs
  -runtime_event_log_tags_file
-  userdebug_or_eng(`-coredump_file')
+  userdebug_or_eng(`-coredump_file -misc_logd_file')
 }:file { create write append };

 # protect the event-log-tags file
@@ -18,6 +18,7 @@ neverallow {
  -appdomain # covered below
  -bootstat
  -dumpstate
+  -init
  -logd
  userdebug_or_eng(`-logpersist')
  -servicemanager

--- a/private/logpersist.te
+++ b/private/logpersist.te
@@ -18,5 +18,5 @@ userdebug_or_eng(`

 # logpersist is allowed to write to /data/misc/log for userdebug and eng builds
 neverallow logpersist { file_type userdebug_or_eng(`-misc_logd_file -coredump_file') }:file { create write append };
-neverallow { domain userdebug_or_eng(`-logpersist -dumpstate') } misc_logd_file:file no_rw_file_perms;
-neverallow { domain userdebug_or_eng(`-logpersist') } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write };
+neverallow { domain -init userdebug_or_eng(`-logpersist -logd -dumpstate') } misc_logd_file:file no_rw_file_perms;
+neverallow { domain -init userdebug_or_eng(`-logpersist -logd') } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write };
--- a/public/init.te
+++ b/public/init.te
@@ -17,6 +17,9 @@ allow init kmsg_device:chr_file { write relabelto };
 allow init properties_device:dir relabelto;
 allow init properties_serial:file { write relabelto };
 allow init property_type:file { create_file_perms relabelto };
+# /dev/event-log-tags
+allow init device:file relabelfrom;
+allow init runtime_event_log_tags_file:file { open write setattr relabelto };
 # /dev/socket
 allow init { device socket_device }:dir relabelto;
 # /dev/random, /dev/urandom
@@ -233,8 +236,8 @@ allow init sysfs_type:file rw_file_perms;

 # Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd".
 # Init will also walk through the directory as part of a recursive restorecon.
-allow init misc_logd_file:dir { open create read getattr setattr search };
-allow init misc_logd_file:file { getattr };
+allow init misc_logd_file:dir { add_name open create read getattr setattr search write };
+allow init misc_logd_file:file { open create getattr setattr write };

 # Support "adb shell stop"
 allow init self:capability kill;

--- a/public/logd.te
+++ b/public/logd.te
@@ -14,6 +14,14 @@ allow logd self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write
 allow logd kernel:system syslog_read;
 allow logd kmsg_device:chr_file w_file_perms;
 allow logd system_data_file:{ file lnk_file } r_file_perms;
+allow logd pstorefs:dir search;
+allow logd pstorefs:file r_file_perms;
+userdebug_or_eng(`
+  # Access to /data/misc/logd/event-log-tags
+  allow logd misc_logd_file:dir r_dir_perms;
+  allow logd misc_logd_file:file rw_file_perms;
+')
+allow logd runtime_event_log_tags_file:file rw_file_perms;

 # Access device logging gating property
 get_prop(logd, device_logging_prop)
@@ -58,4 +66,8 @@ neverallow { domain -init } logd:process transition;
 neverallow * logd:process dyntransition;

 # protect the event-log-tags file
-neverallow * runtime_event_log_tags_file:file no_w_file_perms;
+neverallow {
+  domain
+  -init
+  -logd
+} runtime_event_log_tags_file:file no_w_file_perms;