Commit d33a9a19 authored by Mark Salyzyn's avatar Mark Salyzyn

logd: restrict access to /dev/event-log-tags

Create an event_log_tags_file label and use it for
/dev/event-log-tags.  Only trusted system log readers are allowed
direct read access to this file, no write access.  Untrusted domain
requests lack direct access, and are thus checked for credentials via
the "plan b" long path socket to the event log tag service.

Test: gTest logd-unit-tests, liblog-unit-tests and logcat-unit-tests
Bug: 31456426
Bug: 30566487
Change-Id: Ib9b71ca225d4436d764c9bc340ff7b1c9c252a9e
parent 04641948
......@@ -75,6 +75,7 @@
/dev/cpuctl(/.*)? u:object_r:cpuctl_device:s0
/dev/device-mapper u:object_r:dm_device:s0
/dev/eac u:object_r:audio_device:s0
/dev/event-log-tags u:object_r:runtime_event_log_tags_file:s0
/dev/fscklogs(/.*)? u:object_r:fscklogs:s0
/dev/full u:object_r:full_device:s0
/dev/fuse u:object_r:fuse_device:s0
......
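Review bot: The new `/dev/event-log-tags` context entry only takes effect if something actually applies the label: /dev is a tmpfs, so a file created there inherits the parent directory's type unless a `type_transition` names it or the creator restorecons it, and neither appears in this commit (the `associate` rule added in logd.te only permits the label to exist on tmpfs). If logd creates the file at runtime — which the `-runtime_event_log_tags_file` carve-out in the logd `neverallow ... { create write append }` rule suggests — this line should be paired with `type_transition logd device:file runtime_event_log_tags_file "event-log-tags";` or an explicit restorecon in the creator; if another component creates and relabels it, that path is outside this page and a comment on this entry pointing to it would help.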
......@@ -5,4 +5,34 @@ init_daemon_domain(logd)
# logd is not allowed to write anywhere other than /data/misc/logd, and then
# only on userdebug or eng builds
# TODO: deal with tmpfs_domain pub/priv split properly
neverallow logd { file_type -logd_tmpfs userdebug_or_eng(`-coredump_file') }:file { create write append };
neverallow logd {
file_type
-logd_tmpfs
-runtime_event_log_tags_file
userdebug_or_eng(`-coredump_file')
}:file { create write append };
# protect the event-log-tags file
neverallow {
domain
-appdomain # covered below
-bootstat
-dumpstate
-logd
userdebug_or_eng(`-logpersist')
-servicemanager
-system_server
-surfaceflinger
-zygote
} runtime_event_log_tags_file:file no_rw_file_perms;
neverallow {
appdomain
-bluetooth
-platform_app
-priv_app
-radio
-shell
userdebug_or_eng(`-su')
-system_app
} runtime_event_log_tags_file:file no_rw_file_perms;
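Review bot: `-shell` is carved out of the appdomain neverallow in the second rule, but no `read_runtime_log_tags(shell)` appears anywhere in this commit, so either that allow lives elsewhere or the exclusion is wider than the policy actually grants; an exclusion without a matching allow should be dropped or commented so the two lists remain an exact inventory of direct readers. Every other name in both lists has a corresponding macro call in this commit (su being unconfined on userdebug/eng needs none), which makes the shell entry stand out. The `# covered below` note on `-appdomain` is useful; a similar `# read via read_runtime_log_tags()` on each exclusion would let a maintainer keep the neverallows and the allow rules in sync.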
......@@ -12,6 +12,7 @@ userdebug_or_eng(`
control_logd(logpersist)
unix_socket_connect(logpersist, logdr, logd)
read_runtime_log_tags(logpersist)
')
......
......@@ -59,3 +59,5 @@ allow platform_app preloads_data_file:dir r_dir_perms;
# Access to ephemeral APKs
allow platform_app ephemeral_apk_data_file:dir r_dir_perms;
allow platform_app ephemeral_apk_data_file:file r_file_perms;
read_runtime_log_tags(platform_app)
......@@ -110,6 +110,8 @@ allow priv_app functionfs:file rw_file_perms;
# TODO: narrow this to just MediaProvider
allow priv_app mnt_media_rw_file:dir search;
read_runtime_log_tags(priv_app)
###
### neverallow rules
###
......
app_domain(radio)
read_runtime_log_tags(radio)
# type_transition must be private policy the domain_trans rules could stay
# public, but conceptually should go with this
init_daemon_domain(servicemanager)
read_runtime_log_tags(servicemanager)
......@@ -79,3 +79,4 @@ allow system_app keystore:keystore_key {
r_dir_file(system_app, sysfs_type)
control_logd(system_app)
read_runtime_log_tags(system_app)
......@@ -4,6 +4,8 @@ typeattribute zygote mlstrustedsubject;
init_daemon_domain(zygote)
read_runtime_log_tags(zygote)
# Override DAC on files and switch uid/gid.
allow zygote self:capability { dac_override setgid setuid fowner chown };
......
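Review bot: Granting zygote direct read access deserves a comment on the consequence: whatever zygote reads or maps from this file before forking is inherited by every app it spawns, including the untrusted ones the neverallow denies, so the read restriction protects freshness and integrity of the data rather than its confidentiality (presumably liblog in zygote caches the tag map; confirm). If that is the intent, a one-line note such as `# Pre-fork snapshot is inherited by all app children; untrusted apps must still use the tag service for lookups` would stop a later reviewer from reading this as a bypass.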
......@@ -63,6 +63,8 @@ hwbinder_use(bluetooth)
binder_call(bluetooth, hal_bluetooth)
binder_call(bluetooth, hal_telephony)
read_runtime_log_tags(bluetooth)
###
### Neverallow rules
###
......
......@@ -2,6 +2,8 @@
type bootstat, domain;
type bootstat_exec, exec_type, file_type;
read_runtime_log_tags(bootstat)
# Allow persistent storage in /data/misc/bootstat.
allow bootstat bootstat_data_file:dir rw_dir_perms;
allow bootstat bootstat_data_file:file create_file_perms;
......
......@@ -130,6 +130,7 @@ allow dumpstate gpu_device:chr_file rw_file_perms;
# logd access
read_logd(dumpstate)
control_logd(dumpstate)
read_runtime_log_tags(dumpstate)
# Read /proc/net
allow dumpstate proc_net:file r_file_perms;
......
......@@ -76,6 +76,8 @@ type app_fusefs, fs_type, contextmount_type;
type unlabeled, file_type;
# Default type for anything under /system.
type system_file, file_type;
# Speedup access for trusted applications to the runtime event tags
type runtime_event_log_tags_file, file_type;
# Type for /system/*/libart*
type libart_file, file_type;
# Type for /system/bin/logcat.
......
......@@ -138,6 +138,7 @@ allow init {
allow init {
file_type
-app_data_file
-runtime_event_log_tags_file
-exec_type
-keystore_data_file
-misc_logd_file
......
......@@ -23,6 +23,15 @@ r_dir_file(logd, domain)
allow logd kernel:system syslog_mod;
control_logd(logd)
read_runtime_log_tags(logd)
allow runtime_event_log_tags_file tmpfs:filesystem associate;
# Typically harmlessly blindly trying to access via liblog
# event tag mapping while in the untrusted_app domain.
# Access for that domain is controlled and gated via the
# event log tag service (albeit at a performance penalty,
# expected to be locally cached).
dontaudit domain runtime_event_log_tags_file:file { open read };
###
### Neverallow rules
......@@ -47,3 +56,6 @@ neverallow logd { app_data_file system_data_file }:dir_file_class_set write;
# Only init is allowed to enter the logd domain via exec()
neverallow { domain -init } logd:process transition;
neverallow * logd:process dyntransition;
# protect the event-log-tags file
neverallow * runtime_event_log_tags_file:file no_w_file_perms;
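Review bot: `neverallow * runtime_event_log_tags_file:file no_w_file_perms;` forbids write/create/append from every domain including logd, yet the earlier logd hunk carves `-runtime_event_log_tags_file` out of `neverallow logd { file_type ... }:file { create write append }` precisely so logd may create and write it; the two rules cannot both describe the intended writer. If logd is meant to write the file (the commit message says trusted readers get no write access, which implies someone else writes it), this should be `neverallow { domain -logd } runtime_event_log_tags_file:file no_w_file_perms;`; if nothing writes it through policy, the carve-out above is dead and should be removed. Separately, `dontaudit domain runtime_event_log_tags_file:file { open read };` silences read denials for every domain rather than just the untrusted apps the comment describes, which removes the audit signal that would reveal a system daemon wrongly falling back to the socket path; narrowing the subject to `appdomain` (or the untrusted app domains) keeps the intended noise suppression without hiding regressions elsewhere.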
......@@ -4,6 +4,8 @@ type surfaceflinger_exec, exec_type, file_type;
typeattribute surfaceflinger mlstrustedsubject;
read_runtime_log_tags(surfaceflinger)
# Perform HwBinder IPC.
hwbinder_use(surfaceflinger)
binder_call(surfaceflinger, hal_graphics_allocator)
......
......@@ -464,6 +464,7 @@ allow system_server zygote:unix_dgram_socket write;
# Read from log daemon.
read_logd(system_server)
read_runtime_log_tags(system_server)
# Be consistent with DAC permissions. Allow system_server to write to
# /sys/module/lowmemorykiller/parameters/adj
......
......@@ -344,6 +344,13 @@ allow $1 logcat_exec:file rx_file_perms;
unix_socket_connect($1, logdr, logd)
')
#####################################
# read_runtime_log_tags(domain)
# ability to directly map the runtime event log tags
define(`read_runtime_log_tags', `
allow $1 runtime_event_log_tags_file:file r_file_perms;
')
#####################################
# control_logd(domain)
# Ability to control
......
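Review bot: The new `read_runtime_log_tags` macro's header only says "ability to directly map", and nothing records that every domain given this macro must also be listed as an exclusion in the two `neverallow ... runtime_event_log_tags_file:file no_rw_file_perms` rules in logd.te or the neverallow check fails at build time; that coupling is the thing a future maintainer will miss. Suggest expanding the header to `# read_runtime_log_tags(domain)` / `# Allow direct read of /dev/event-log-tags. Any domain added here must also` / `# be excluded from the no_rw_file_perms neverallows in logd.te.` so the macro documents its own invariant. The macro body is fine; the surrounding file continues outside the hunk.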