Commit 7d40044a authored by Mark Salyzyn's avatar Mark Salyzyn Committed by Android Git Automerger

am 8ed750e9: sepolicy: Add write_logd, read_logd & control_logd

* commit '8ed750e9':
  sepolicy: Add write_logd, read_logd & control_logd
parents 3fc0df76 8ed750e9
......@@ -187,6 +187,11 @@ selinux_check_context(appdomain)
# Validate that each process is running in the correct security context.
allow appdomain domain:process getattr;
# logd access
read_logd(appdomain)
# application inherit logd write socket (urge is to deprecate this long term)
allow appdomain zygote:unix_dgram_socket write;
###
### Neverallow rules
###
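Review bot: The rule `allow appdomain zygote:unix_dgram_socket write;` is keyed on zygote's domain rather than on a logd socket type, so it covers any datagram socket an app inherits from zygote, not only the log one. The same rule is added for system_server in the system_server hunk further down. Since `write_logd(domain)` in this commit appears to give every domain its own path to logdw, I would record next to both rules what allows them to be removed, e.g. `# TODO: drop once processes open /dev/socket/logdw themselves instead of using the socket inherited from zygote`.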
......
......@@ -23,3 +23,6 @@ allow debuggerd system_data_file:file open;
# Connect to system_server via /data/system/ndebugsocket.
unix_socket_connect(debuggerd, system_ndebug, system_server)
# logd access
read_logd(debuggerd)
......@@ -72,6 +72,9 @@ allow domain urandom_device:chr_file rw_file_perms;
allow domain random_device:chr_file rw_file_perms;
allow domain properties_device:file r_file_perms;
# logd access
write_logd(domain)
# Filesystem accesses.
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;
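Review bot: `write_logd(domain)` applies the macro's userdebug_or_eng block to every domain, so on those builds each process gets `allow domain device:dir rw_dir_perms` and an unnamed `type_transition domain device:file logd_debug`. The transition has no object name, so any file a domain creates in a `device`-labelled directory would be labelled logd_debug, and it may collide with device:file transitions that existing domains already declare. If only logd writes the debug file, the block already present in logd.te should be enough and the macro could keep just `unix_socket_send($1, logdw, logd)`. Otherwise, a named transition such as `type_transition $1 device:file logd_debug "logd_debug";` limits the effect to that one file, if the policy version in use supports it. The macro itself is defined in a later hunk.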
......
......@@ -86,3 +86,7 @@ allow dumpstate dumpstate_tmpfs:file execute;
allow dumpstate self:process execmem;
# For art.
allow dumpstate dalvikcache_data_file:file execute;
# logd access
read_logd(dumpstate)
control_logd(dumpstate)
......@@ -107,6 +107,10 @@ type gps_socket, file_type;
type installd_socket, file_type;
type keystore_socket, file_type;
type lmkd_socket, file_type;
type logd_debug, file_type;
type logd_socket, file_type;
type logdr_socket, file_type;
type logdw_socket, file_type;
type mdns_socket, file_type;
type netd_socket, file_type;
type property_socket, file_type;
......
......@@ -81,6 +81,10 @@
/dev/socket/installd u:object_r:installd_socket:s0
/dev/socket/keystore u:object_r:keystore_socket:s0
/dev/socket/lmkd u:object_r:lmkd_socket:s0
/dev/logd_debug u:object_r:logd_debug:s0
/dev/socket/logd u:object_r:logd_socket:s0
/dev/socket/logdr u:object_r:logdr_socket:s0
/dev/socket/logdw u:object_r:logdw_socket:s0
/dev/socket/mdns u:object_r:mdns_socket:s0
/dev/socket/netd u:object_r:netd_socket:s0
/dev/socket/property_service u:object_r:property_socket:s0
......@@ -144,6 +148,7 @@
/system/bin/clatd u:object_r:clatd_exec:s0
/system/bin/lmkd u:object_r:lmkd_exec:s0
/system/bin/inputflinger u:object_r:inputflinger_exec:s0
/system/bin/logd u:object_r:logd_exec:s0
#############################
# Vendor files
#
......
logd.te 0 → 100644
# android user-space log manager
type logd, domain;
type logd_exec, exec_type, file_type;
init_daemon_domain(logd)
allow logd self:unix_stream_socket *;
allow logd self:capability { setuid setgid sys_nice };
r_dir_file(logd, domain)
userdebug_or_eng(`
# Debug output
type_transition logd device:file logd_debug;
allow logd device:dir rw_dir_perms;
allow logd logd_debug:file create_file_perms;
')
###
### Neverallow rules
###
### logd should NEVER do any of this
# Block device access.
neverallow logd dev_type:blk_file { read write };
# ptrace any other app
neverallow logd domain:process ptrace;
# Write to /system.
neverallow logd system_file:dir_file_class_set write;
# Write to files in /data/data or system files on /data
neverallow logd { app_data_file system_data_file }:dir_file_class_set write;
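Review bot: `allow logd self:unix_stream_socket *;` grants every permission of the class, where the daemon presumably needs only to create, listen on and accept connections on its sockets. An explicit set such as `allow logd self:unix_stream_socket create_stream_socket_perms;` keeps the grant reviewable and fails closed if the class later gains permissions. `r_dir_file(logd, domain)` also has no comment: it lets logd read directories and files labelled with any domain type, which looks like /proc/<pid> access, so a line such as `# read /proc/<pid> entries of log clients` (to be confirmed) would record why it is needed.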
......@@ -245,3 +245,7 @@ selinux_manage_policy(system_server)
# See discussion of Unlabeled files in domain.te for more information.
# This rule is for dalvikcache mmap/mprotect PROT_EXEC.
allow system_server unlabeled:file execute;
# logd access, system_server inherit logd write socket
# (urge is to deprecate this long term)
allow system_server zygote:unix_dgram_socket write;
......@@ -273,15 +273,6 @@ allow $1 security_file:lnk_file { create rename unlink };
allow $1 security_prop:property_service set;
')
#####################################
# access_logcat(domain)
# Ability to read from logcat logs
# and execute the logcat command
define(`access_logcat', `
allow $1 log_device:chr_file read;
allow $1 system_file:file x_file_perms;
')
#####################################
# access_kmsg(domain)
# Ability to read from kernel logs
......@@ -338,3 +329,35 @@ define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target
# has ceased.
#
define(`permissive_or_unconfined', ifelse(force_permissive_to_unconfined, `false', permissive $1;, unconfined_domain($1)))
#####################################
# write_logd(domain)
# Ability to write to android log
# daemon via sockets
define(`write_logd', `
userdebug_or_eng(`
# Debug output
type_transition $1 device:file logd_debug;
allow $1 device:dir rw_dir_perms;
allow $1 logd_debug:file create_file_perms;
')
unix_socket_send($1, logdw, logd)
')
#####################################
# read_logd(domain)
# Ability to read from android
# log daemon via sockets
define(`read_logd', `
unix_socket_connect($1, logdr, logd)
')
#####################################
# control_logd(domain)
# Ability to control
# android log daemon via sockets
define(`control_logd', `
# Group AID_LOG checked by filesystem & logd
# to permit control commands
unix_socket_connect($1, logd, logd)
')
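Review bot: `read_logd` carries no statement of who decides which log entries a connected client may see, whereas `control_logd` does name the AID_LOG check. Because read_logd is applied to all of appdomain elsewhere in this commit, policy alone lets any app connect to logdr, so the confidentiality of other processes' log lines rests on logd's own credential checks. I would add to the macro header a line such as `# logd, not policy, filters what each client may read; confirm it checks peer credentials`.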