From 77ec892be6b59e2808cc4c3472bf179d33851ebe Mon Sep 17 00:00:00 2001
From: Alex Klyubin <klyubin@google.com>
Date: Thu, 9 May 2013 12:39:32 -0700
Subject: [PATCH] SELinux policy for users of libcutils klog_write.

klog_write/init create /dev/__kmsg__ backed by a kernel character
device, keep the file descriptor, and then immediately unlink the
file.

Change-Id: I729d224347a003eaca29299d216a53c99cc3197c
---
 device.te     |  1 +
 file_contexts |  1 +
 te_macros     | 11 +++++++++++
 ueventd.te    |  1 +
 vold.te       |  2 ++
 5 files changed, 16 insertions(+)

diff --git a/device.te b/device.te
index d55258ad8..8882d9935 100644
--- a/device.te
+++ b/device.te
@@ -49,6 +49,7 @@ type uhid_device, dev_type;
 type tun_device, dev_type, mlstrustedobject;
 type usbaccessory_device, dev_type;
 type usb_device, dev_type;
+type klog_device, dev_type;
 type properties_device, dev_type;
 
 # All devices have a uart for the hci
diff --git a/file_contexts b/file_contexts
index 15f9f5998..19491f961 100644
--- a/file_contexts
+++ b/file_contexts
@@ -114,6 +114,7 @@
 /dev/watchdog		u:object_r:watchdog_device:s0
 /dev/xt_qtaguid	u:object_r:qtaguid_device:s0
 /dev/zero		u:object_r:zero_device:s0
+/dev/__kmsg__		u:object_r:klog_device:s0
 /dev/__properties__ u:object_r:properties_device:s0
 #############################
 # System files
diff --git a/te_macros b/te_macros
index 86a3a5be4..6e6b0a479 100644
--- a/te_macros
+++ b/te_macros
@@ -284,3 +284,14 @@ allow $1 system_file:file x_file_perms;
 define(`access_kmsg', `
 allow $1 kernel:system syslog_read;
 ')
+
+#####################################
+# write_klog(domain)
+# Ability to write to kernel log via
+# klog_write()
+# See system/core/libcutil/klog.c
+define(`write_klog', `
+type_transition $1 device:chr_file klog_device "__kmsg__";
+allow $1 klog_device:chr_file { create open write unlink };
+allow $1 device:dir { add_name remove_name };
+')
diff --git a/ueventd.te b/ueventd.te
index 9023173d8..fa03acf70 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -2,6 +2,7 @@
 # it lives in the rootfs and has no unique file type.
 type ueventd, domain;
 tmpfs_domain(ueventd)
+write_klog(ueventd)
 security_access_policy(ueventd)
 allow ueventd rootfs:file entrypoint;
 allow ueventd init:process sigchld;
diff --git a/vold.te b/vold.te
index 95865fb3a..26532c1a0 100644
--- a/vold.te
+++ b/vold.te
@@ -32,6 +32,8 @@ allow vold self:capability { sys_boot };
 # XXX Label sysfs files with a specific type?
 allow vold sysfs:file rw_file_perms;
 
+write_klog(vold)
+
 #
 # Rules to support encrypted fs support.
 #
-- 
GitLab