init: only allowed to transition to logpersist or logd

Generate a compile time error if someone unexpectedly tries to transition into logpersist or logd domain. Test: compile Bug: 30566487 Change-Id: Ib55f301f104ad63de5ac513cdc9dc9937e3ba48d

init: only allowed to transition to logpersist or logd
df125b90 · Mark Salyzyn · da62cb4d · df125b90 · df125b90
Commit df125b90 authored 8 years ago by Mark Salyzyn
--- a/public/logd.te
+++ b/public/logd.te
@@ -43,3 +43,7 @@ neverallow logd system_file:dir_file_class_set write;
 # Write to files in /data/data or system files on /data
 neverallow logd { app_data_file system_data_file }:dir_file_class_set write;
+# Only init is allowed to enter the logd domain via exec()
+neverallow { domain -init } logd:process transition;
+neverallow * logd:process dyntransition;
--- a/public/logpersist.te
+++ b/public/logpersist.te
@@ -14,3 +14,7 @@ neverallow logpersist domain:process ptrace;
 # Write to files in /data/data or system files on /data except misc_logd_file
 neverallow logpersist { app_data_file system_data_file }:dir_file_class_set write;
+# Only init is allowed to enter the logpersist domain via exec()
+neverallow { domain -init } logpersist:process transition;
+neverallow * logpersist:process dyntransition;