From 6937aa93ac0a36f19cb13b81a282dedcad324be5 Mon Sep 17 00:00:00 2001 
From: Nick Kralevich <nnk@google.com> Date: Sat, 26 Mar 2016 07:43:38 -0700 Subject: [PATCH] refine /data/misc/logd rules Followup to 121f5bfd80298266d293fa5c0a30fed66f4facfa. Move misc_logd_file neverallow rule from domain.te to logd.te, since the goal of the neverallow rule is to protect logd / logpersist files from other processes. Switch the misc_logd_file neverallow rule from using "rw_file_perms" to "no_rw_file_perms". The latter covers more cases of file modifications. Add more neverallow rules covering misc_logd_file directories. Instead of using not_userdebug_nor_eng(), modify the rules to be consistent with other highly constrained file types such as keystore_data_file or vold_data_file. See, for example, https://android-review.googlesource.com/144768 To see the net effect of this change, you can use the following command line: sesearch --allow -t misc_logd_file -c file,dir,lnk_file \ out/target/product/bullhead/root/sepolicy Before this change: # userdebug builds allow init misc_logd_file:dir { search setattr read create getattr write relabelfrom ioctl rmdir remove_name relabelto open add_name }; allow init misc_logd_file:file { setattr read create write relabelfrom getattr relabelto unlink open }; allow init misc_logd_file:lnk_file { setattr relabelfrom create getattr relabelto unlink }; allow logd misc_logd_file:dir { search read lock getattr write ioctl remove_name open add_name }; allow logd misc_logd_file:file { rename setattr read lock create getattr write ioctl unlink open append }; allow shell misc_logd_file:dir { search read lock getattr ioctl open }; allow shell misc_logd_file:file { read lock ioctl open getattr }; # user builds allow init misc_logd_file:dir { search setattr read create getattr write relabelfrom ioctl rmdir remove_name relabelto open add_name }; allow init misc_logd_file:file relabelto; allow init misc_logd_file:lnk_file { setattr relabelfrom create getattr relabelto unlink }; After this change: # userdebug builds allow init 
misc_logd_file:dir { search setattr read create getattr ioctl relabelto open }; allow init misc_logd_file:file { relabelto getattr }; allow init misc_logd_file:lnk_file relabelto; allow logd misc_logd_file:dir { search read lock getattr write ioctl remove_name open add_name }; allow logd misc_logd_file:file { rename setattr read lock create getattr write ioctl unlink open append }; allow shell misc_logd_file:dir { search read lock getattr ioctl open }; allow shell misc_logd_file:file { read lock ioctl open getattr }; # user builds allow init misc_logd_file:dir { search setattr read create getattr ioctl relabelto open }; allow init misc_logd_file:file { relabelto getattr }; allow init misc_logd_file:lnk_file relabelto; Change-Id: I0b00215049ad83182f458b4b9e258289c5144479
---
 domain.te | 3 ---
 init.te | 13 +++++++++----
 logd.te | 9 +++++++--
 te_macros | 1 -
 4 files changed, 16 insertions(+), 10 deletions(-)
diff --git a/domain.te b/domain.te
index da2206e31..549a0b963 100644
--- a/domain.te
+++ b/domain.te
@@ -490,9 +490,6 @@ neverallow * ~servicemanager:service_manager list;
 # only service_manager_types can be added to service_manager
 neverallow * ~service_manager_type:service_manager { add find };
-# logpersist is only allowed on userdebug/eng builds
-neverallow { domain userdebug_or_eng(`-logd -shell -init') } misc_logd_file:file rw_file_perms;
-
 # Prevent assigning non property types to properties
 neverallow * ~property_type:property_service set;
diff --git a/init.te b/init.te
index 315e25a23..e1a8217e9 100644
--- a/init.te
+++ b/init.te
@@ -99,10 +99,10 @@ allow init rootfs:{ dir file } relabelfrom;
 # we just allow all file types except /system files here.
 allow init self:capability { chown fowner fsetid };
 allow init {file_type -system_file -exec_type -app_data_file}:dir { create search getattr open read setattr ioctl };
-allow init {file_type -system_file -exec_type -keystore_data_file -app_data_file -shell_data_file -vold_data_file}:dir { write add_name remove_name rmdir relabelfrom };
-allow init {file_type -system_file -exec_type -keystore_data_file -app_data_file -shell_data_file -vold_data_file not_userdebug_nor_eng(`-misc_logd_file') }:file { create getattr open read write setattr relabelfrom unlink };
-allow init {file_type -system_file -exec_type -keystore_data_file -app_data_file -shell_data_file -vold_data_file}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
-allow init {file_type -system_file -exec_type -keystore_data_file -app_data_file -shell_data_file -vold_data_file}:lnk_file { create getattr setattr relabelfrom unlink };
+allow init {file_type -system_file -exec_type -keystore_data_file -app_data_file -shell_data_file -vold_data_file -misc_logd_file }:dir { write add_name remove_name rmdir relabelfrom };
+allow init {file_type -system_file -exec_type -keystore_data_file -app_data_file -shell_data_file -vold_data_file -misc_logd_file }:file { create getattr open read write setattr relabelfrom unlink };
+allow init {file_type -system_file -exec_type -keystore_data_file -app_data_file -shell_data_file -vold_data_file -misc_logd_file }:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
+allow init {file_type -system_file -exec_type -keystore_data_file -app_data_file -shell_data_file -vold_data_file -misc_logd_file }:lnk_file { create getattr setattr relabelfrom unlink };
 allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;
 allow init { sysfs debugfs }:{ dir file lnk_file } { getattr relabelfrom };
 allow init { sysfs_type debugfs_type }:{ dir file lnk_file } relabelto;
@@ -167,6 +167,11 @@ userdebug_or_eng(`
 domain_auto_trans(init, logcat_exec, logd)
 ')
+# Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd".
+# Init will also walk through the directory as part of a recursive restorecon.
+allow init misc_logd_file:dir { open create read getattr setattr search };
+allow init misc_logd_file:file { getattr };
+
 # Support "adb shell stop"
 allow init self:capability kill;
 allow init domain:process { sigkill signal };
diff --git a/logd.te b/logd.te
index 95a30efa9..7254e53c7 100644
--- a/logd.te
+++ b/logd.te
@@ -57,6 +57,11 @@ neverallow logd system_file:dir_file_class_set write;
 # Write to files in /data/data or system files on /data
 neverallow logd { app_data_file system_data_file }:dir_file_class_set write;
-# logd is not allowed to write anywhere other than /misc/data/logd, and then
+# logd is not allowed to write anywhere other than /data/misc/logd, and then
 # only on userdebug or eng builds
-neverallow logd { file_type -logd_tmpfs userdebug_or_eng(` -misc_logd_file -coredump_file ') }:file write;
+neverallow logd { file_type -logd_tmpfs userdebug_or_eng(` -misc_logd_file -coredump_file ') }:file { create write append };
+
+# logpersist is only allowed on userdebug/eng builds
+neverallow { domain userdebug_or_eng(`-logd -shell') } misc_logd_file:file no_rw_file_perms;
+neverallow { domain userdebug_or_eng(`-logd') } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write };
+neverallow { domain -init } misc_logd_file:dir create;
diff --git a/te_macros b/te_macros
index f4d948202..84af301eb 100644
--- a/te_macros
+++ b/te_macros
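Review bot: The four rewritten `+allow init {file_type ... -misc_logd_file }` lines in the init.te hunk at -99 put a space before the closing brace, unlike the `-app_data_file}:dir` rule just above them; `-vold_data_file -misc_logd_file}:dir { write add_name remove_name rmdir relabelfrom };` keeps the file's existing brace style. More substantively, the same five-type exclusion set is now copied verbatim on four consecutive lines, and this commit itself had to touch all four to add one type, so the next protected type is easy to miss on one class; naming the set once in te_macros and referencing it from these rules would remove that drift. It is also worth a one-line comment that misc_logd_file is deliberately not excluded from the `:dir { create search getattr open read setattr ioctl }` rule above, since that is what still lets init create and walk /data/misc/logd on user builds and a later reader may otherwise "fix" it.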
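Review bot: The new `allow init misc_logd_file:dir { open create read getattr setattr search };` in the init.te hunk at -167 grants nothing init does not already hold: the generic `allow init {file_type -system_file -exec_type -app_data_file}:dir { create search getattr open read setattr ioctl };` shown as context in the previous hunk already covers every one of those permissions, and the sesearch output in the commit message (init also holds `ioctl` on the dir, which only that generic rule provides) confirms misc_logd_file is reached through file_type. Only `allow init misc_logd_file:file { getattr };` actually adds a permission, because this change removes misc_logd_file from the generic `:file` rule. Either drop the dir rule, or keep it and say in the comment that it is documentary, e.g. `# dir perms are already granted by the generic file_type rule above; listed here so the logpersist dependency is explicit`, so nobody later assumes removing the generic rule would close this path.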
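Review bot: The first new neverallow in the logd.te hunk carves shell out of the whole `no_rw_file_perms` set, although the sesearch output in the commit message shows shell only needs `{ read lock ioctl open getattr }` on misc_logd_file:file; as written, a future `allow shell misc_logd_file:file write` would pass the neverallow unnoticed. A second rule that excludes only logd from the modifying permissions keeps the "only logd writes logpersist files" invariant enforceable: ``neverallow { domain userdebug_or_eng(`-logd') } misc_logd_file:file { append create link rename setattr unlink write };``. The dir rule on the next line already follows that shape (it excludes only logd), so the two would then be consistent. Nothing here covers misc_logd_file:lnk_file or sock_file; that is acceptable only because `add_name` on the directory is denied to every domain other than logd (and to logd too on user builds), which deserves a one-line comment since the protection for those classes comes from a different statement.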
@@ -278,7 +278,6 @@ define(`recovery_only', ifelse(target_recovery, `true', $1, ))
 # SELinux rules which apply only to userdebug or eng builds
 #
 define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
-define(`not_userdebug_nor_eng', ifelse(target_build_variant, `eng', , ifelse(target_build_variant, `userdebug', , $1)))
 define(`eng', ifelse(target_build_variant, `eng', $1))
 #####################################
--
GitLab