Merge "init: only allowed to transition to logpersist or logd"

public/logd.te

@@ -43,3 +43,7 @@ neverallow logd system_file:dir_file_class_set write;
 
 # Write to files in /data/data or system files on /data
 neverallow logd { app_data_file system_data_file }:dir_file_class_set write;
+
+# Only init is allowed to enter the logd domain via exec()
+neverallow { domain -init } logd:process transition;
+neverallow * logd:process dyntransition;

public/logpersist.te

@@ -14,3 +14,7 @@ neverallow logpersist domain:process ptrace;
 
 # Write to files in /data/data or system files on /data except misc_logd_file
 neverallow logpersist { app_data_file system_data_file }:dir_file_class_set write;
+
+# Only init is allowed to enter the logpersist domain via exec()
+neverallow { domain -init } logpersist:process transition;
+neverallow * logpersist:process dyntransition;