-rw-r--r--app.te5
-rw-r--r--debuggerd.te3
-rw-r--r--domain.te3
-rw-r--r--dumpstate.te4
-rw-r--r--file.te4
-rw-r--r--file_contexts5
-rw-r--r--logd.te34
-rw-r--r--system_server.te4
-rw-r--r--te_macros41
9 files changed, 94 insertions, 9 deletions
diff --git a/app.te b/app.te
index c4b3331..a0672c7 100644
--- a/app.te
+++ b/app.te
@@ -187,6 +187,11 @@ selinux_check_context(appdomain)
# Validate that each process is running in the correct security context.
allow appdomain domain:process getattr;
+# logd access
+read_logd(appdomain)
+# application inherit logd write socket (urge is to deprecate this long term)
+allow appdomain zygote:unix_dgram_socket write;
+
###
### Neverallow rules
###
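Review bot: `read_logd(appdomain)` on the added lines lets every app domain connect to the logdr socket, so the SELinux policy no longer distinguishes which apps may read logs. Any per-reader restriction then has to be enforced inside logd, which this commit does not show. The comment should record that dependency, for example `# logd access: policy lets every app connect to logdr; per-reader filtering must be done by logd`, or the call should move to the specific app domains that need to read logs. The `allow appdomain zygote:unix_dgram_socket write;` rule is marked as something to deprecate, here and again in system_server.te; a tracking reference in the comment would help keep the inherited-descriptor grant from becoming permanent.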
diff --git a/debuggerd.te b/debuggerd.te
index 0443aef..738dac2 100644
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -23,3 +23,6 @@ allow debuggerd system_data_file:file open;
# Connect to system_server via /data/system/ndebugsocket.
unix_socket_connect(debuggerd, system_ndebug, system_server)
+
+# logd access
+read_logd(debuggerd)
diff --git a/domain.te b/domain.te
index 6f0ee13..8c66e1b 100644
--- a/domain.te
+++ b/domain.te
@@ -72,6 +72,9 @@ allow domain urandom_device:chr_file rw_file_perms;
allow domain random_device:chr_file rw_file_perms;
allow domain properties_device:file r_file_perms;
+# logd access
+write_logd(domain)
+
# Filesystem accesses.
allow domain fs_type:filesystem getattr;
allow domain fs_type:dir getattr;
diff --git a/dumpstate.te b/dumpstate.te
index 5977422..8ecb6cc 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -86,3 +86,7 @@ allow dumpstate dumpstate_tmpfs:file execute;
allow dumpstate self:process execmem;
# For art.
allow dumpstate dalvikcache_data_file:file execute;
+
+# logd access
+read_logd(dumpstate)
+control_logd(dumpstate)
diff --git a/file.te b/file.te
index d6a4d56..ef6c55c 100644
--- a/file.te
+++ b/file.te
@@ -107,6 +107,10 @@ type gps_socket, file_type;
type installd_socket, file_type;
type keystore_socket, file_type;
type lmkd_socket, file_type;
+type logd_debug, file_type;
+type logd_socket, file_type;
+type logdr_socket, file_type;
+type logdw_socket, file_type;
type mdns_socket, file_type;
type netd_socket, file_type;
type property_socket, file_type;
diff --git a/file_contexts b/file_contexts
index f593f6d..06b23a6 100644
--- a/file_contexts
+++ b/file_contexts
@@ -81,6 +81,10 @@
/dev/socket/installd u:object_r:installd_socket:s0
/dev/socket/keystore u:object_r:keystore_socket:s0
/dev/socket/lmkd u:object_r:lmkd_socket:s0
+/dev/logd_debug u:object_r:logd_debug:s0
+/dev/socket/logd u:object_r:logd_socket:s0
+/dev/socket/logdr u:object_r:logdr_socket:s0
+/dev/socket/logdw u:object_r:logdw_socket:s0
/dev/socket/mdns u:object_r:mdns_socket:s0
/dev/socket/netd u:object_r:netd_socket:s0
/dev/socket/property_service u:object_r:property_socket:s0
@@ -144,6 +148,7 @@
/system/bin/clatd u:object_r:clatd_exec:s0
/system/bin/lmkd u:object_r:lmkd_exec:s0
/system/bin/inputflinger u:object_r:inputflinger_exec:s0
+/system/bin/logd u:object_r:logd_exec:s0
#############################
# Vendor files
#
diff --git a/logd.te b/logd.te
new file mode 100644
index 0000000..a1e3a53
--- /dev/null
+++ b/logd.te
@@ -0,0 +1,34 @@
+# android user-space log manager
+type logd, domain;
+type logd_exec, exec_type, file_type;
+
+init_daemon_domain(logd)
+allow logd self:unix_stream_socket *;
+
+allow logd self:capability { setuid setgid sys_nice };
+
+r_dir_file(logd, domain)
+
+userdebug_or_eng(`
+ # Debug output
+ type_transition logd device:file logd_debug;
+ allow logd device:dir rw_dir_perms;
+ allow logd logd_debug:file create_file_perms;
+')
+
+###
+### Neverallow rules
+###
+### logd should NEVER do any of this
+
+# Block device access.
+neverallow logd dev_type:blk_file { read write };
+
+# ptrace any other app
+neverallow logd domain:process ptrace;
+
+# Write to /system.
+neverallow logd system_file:dir_file_class_set write;
+
+# Write to files in /data/data or system files on /data
+neverallow logd { app_data_file system_data_file }:dir_file_class_set write;
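Review bot: `allow logd self:unix_stream_socket *;` grants every permission in the class where a named set would be easier to audit, for example `allow logd self:unix_stream_socket create_stream_socket_perms;`. `r_dir_file(logd, domain)` gives logd read access to directories and files labelled with every domain type, presumably the /proc entries used to identify a log sender; a one-line comment stating the purpose would make the breadth of that grant reviewable. The capability set `{ setuid setgid sys_nice }` also has no comment explaining why each capability is needed.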
diff --git a/system_server.te b/system_server.te
index 1971912..ef040d5 100644
--- a/system_server.te
+++ b/system_server.te
@@ -245,3 +245,7 @@ selinux_manage_policy(system_server)
# See discussion of Unlabeled files in domain.te for more information.
# This rule is for dalvikcache mmap/mprotect PROT_EXEC.
allow system_server unlabeled:file execute;
+
+# logd access, system_server inherit logd write socket
+# (urge is to deprecate this long term)
+allow system_server zygote:unix_dgram_socket write;
diff --git a/te_macros b/te_macros
index 03c78f3..404222a 100644
--- a/te_macros
+++ b/te_macros
@@ -274,15 +274,6 @@ allow $1 security_prop:property_service set;
')
#####################################
-# access_logcat(domain)
-# Ability to read from logcat logs
-# and execute the logcat command
-define(`access_logcat', `
-allow $1 log_device:chr_file read;
-allow $1 system_file:file x_file_perms;
-')
-
-#####################################
# access_kmsg(domain)
# Ability to read from kernel logs
# and execute the klogctl syscall
@@ -338,3 +329,35 @@ define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target
# has ceased.
#
define(`permissive_or_unconfined', ifelse(force_permissive_to_unconfined, `false', permissive $1;, unconfined_domain($1)))
+
+#####################################
+# write_logd(domain)
+# Ability to write to android log
+# daemon via sockets
+define(`write_logd', `
+userdebug_or_eng(`
+ # Debug output
+ type_transition $1 device:file logd_debug;
+ allow $1 device:dir rw_dir_perms;
+ allow $1 logd_debug:file create_file_perms;
+')
+unix_socket_send($1, logdw, logd)
+')
+
+#####################################
+# read_logd(domain)
+# Ability to read from android
+# log daemon via sockets
+define(`read_logd', `
+unix_socket_connect($1, logdr, logd)
+')
+
+#####################################
+# control_logd(domain)
+# Ability to control
+# android log daemon via sockets
+define(`control_logd', `
+# Group AID_LOG checked by filesystem & logd
+# to permit control commands
+unix_socket_connect($1, logd, logd)
+')
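Review bot: The `userdebug_or_eng` block inside `write_logd` is expanded for every type, because domain.te calls `write_logd(domain)`. On userdebug and eng builds each domain therefore gets `rw_dir_perms` on `device:dir` and may create `logd_debug` files in /dev, leaving only DAC permissions to protect that directory from any confined process. logd.te already carries the same three debug rules for logd itself, so the macro could be reduced to `unix_socket_send($1, logdw, logd)`, with the debug-file grant given only to the domains that actually write that file. `read_logd` should also get a comment like the one in `control_logd`, stating what logd checks before serving a reader.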