sepolicy: Add write_logd, read_logd & control_logd

- Add write_logd, read_logd and control_logd macros, along
  with contexts for user space logd.
- Specify above on domain wide, or service-by-service basis
- Add logd rules.
- deprecate access_logcat as unused.
- 'allow <domain> zygote:unix_dgram_socket write;' rule added to
  deal with fd inheritance. ToDo: investigate means to allow
  references to close, and reopen in context of application
  or call setsockcreatecon() to label them in child context.

Change-Id: I35dbb9d5122c5ed9b8c8f128abf24a871d6b26d8
diff --git a/app.te b/app.te
index c4b3331..a0672c7 100644
--- a/app.te
+++ b/app.te
@@ -187,6 +187,11 @@
 # Validate that each process is running in the correct security context.
 allow appdomain domain:process getattr;
 
+# logd access
+read_logd(appdomain)
+# application inherit logd write socket (urge is to deprecate this long term)
+allow appdomain zygote:unix_dgram_socket write;
+
 ###
 ### Neverallow rules
 ###
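Review bot: The added `allow appdomain zygote:unix_dgram_socket write;` is not limited to the logd writer socket; as written it covers any unix datagram socket labelled with the zygote domain that an app inherits across fork. The same rule is added for system_server in system_server.te. Until the reopen/relabel work named in the commit message is done, the comment above each rule should state that scope, for example `# NOTE: applies to every zygote-labelled dgram socket inherited by the child, not only the logdw client socket; remove once the socket is reopened in the child's own context`.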
diff --git a/debuggerd.te b/debuggerd.te
index 0443aef..738dac2 100644
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -23,3 +23,6 @@
 
 # Connect to system_server via /data/system/ndebugsocket.
 unix_socket_connect(debuggerd, system_ndebug, system_server)
+
+# logd access
+read_logd(debuggerd)
diff --git a/domain.te b/domain.te
index 6f0ee13..8c66e1b 100644
--- a/domain.te
+++ b/domain.te
@@ -72,6 +72,9 @@
 allow domain random_device:chr_file rw_file_perms;
 allow domain properties_device:file r_file_perms;
 
+# logd access
+write_logd(domain)
+
 # Filesystem accesses.
 allow domain fs_type:filesystem getattr;
 allow domain fs_type:dir getattr;
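Review bot: `write_logd(domain)` grants every domain more than socket access on userdebug and eng builds. As defined in te_macros in this commit, the macro also expands to `allow $1 device:dir rw_dir_perms;`, `allow $1 logd_debug:file create_file_perms;` and a `type_transition` on `device:file`, so each domain may add and remove entries in directories labelled `device`, and any file it creates there is labelled `logd_debug`. If only logd writes the debug file (logd.te carries the same block), drop the `userdebug_or_eng` block from `write_logd` and leave `unix_socket_send($1, logdw, logd)`. If clients do write it, the macro comment should say why directory write is needed for all of them.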
diff --git a/dumpstate.te b/dumpstate.te
index 5977422..8ecb6cc 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -86,3 +86,7 @@
 allow dumpstate self:process execmem;
 # For art.
 allow dumpstate dalvikcache_data_file:file execute;
+
+# logd access
+read_logd(dumpstate)
+control_logd(dumpstate)
diff --git a/file.te b/file.te
index d6a4d56..ef6c55c 100644
--- a/file.te
+++ b/file.te
@@ -107,6 +107,10 @@
 type installd_socket, file_type;
 type keystore_socket, file_type;
 type lmkd_socket, file_type;
+type logd_debug, file_type;
+type logd_socket, file_type;
+type logdr_socket, file_type;
+type logdw_socket, file_type;
 type mdns_socket, file_type;
 type netd_socket, file_type;
 type property_socket, file_type;
diff --git a/file_contexts b/file_contexts
index f593f6d..06b23a6 100644
--- a/file_contexts
+++ b/file_contexts
@@ -81,6 +81,10 @@
 /dev/socket/installd	u:object_r:installd_socket:s0
 /dev/socket/keystore	u:object_r:keystore_socket:s0
 /dev/socket/lmkd        u:object_r:lmkd_socket:s0
+/dev/logd_debug		u:object_r:logd_debug:s0
+/dev/socket/logd	u:object_r:logd_socket:s0
+/dev/socket/logdr	u:object_r:logdr_socket:s0
+/dev/socket/logdw	u:object_r:logdw_socket:s0
 /dev/socket/mdns	u:object_r:mdns_socket:s0
 /dev/socket/netd	u:object_r:netd_socket:s0
 /dev/socket/property_service	u:object_r:property_socket:s0
@@ -144,6 +148,7 @@
 /system/bin/clatd	u:object_r:clatd_exec:s0
 /system/bin/lmkd        u:object_r:lmkd_exec:s0
 /system/bin/inputflinger u:object_r:inputflinger_exec:s0
+/system/bin/logd        u:object_r:logd_exec:s0
 #############################
 # Vendor files
 #
diff --git a/logd.te b/logd.te
new file mode 100644
index 0000000..a1e3a53
--- /dev/null
+++ b/logd.te
@@ -0,0 +1,34 @@
+# android user-space log manager
+type logd, domain;
+type logd_exec, exec_type, file_type;
+
+init_daemon_domain(logd)
+allow logd self:unix_stream_socket *;
+
+allow logd self:capability { setuid setgid sys_nice };
+
+r_dir_file(logd, domain)
+
+userdebug_or_eng(`
+  # Debug output
+  type_transition logd device:file logd_debug;
+  allow logd device:dir rw_dir_perms;
+  allow logd logd_debug:file create_file_perms;
+')
+
+###
+### Neverallow rules
+###
+### logd should NEVER do any of this
+
+# Block device access.
+neverallow logd dev_type:blk_file { read write };
+
+# ptrace any other app
+neverallow logd domain:process ptrace;
+
+# Write to /system.
+neverallow logd system_file:dir_file_class_set write;
+
+# Write to files in /data/data or system files on /data
+neverallow logd { app_data_file system_data_file }:dir_file_class_set write;
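Review bot: `allow logd self:unix_stream_socket *;` grants every permission of the class, where a listening daemon normally needs only the create/listen/accept set. `allow logd self:unix_stream_socket create_stream_socket_perms;` would state that explicitly, assuming that macro is defined in this tree's global_macros. The `userdebug_or_eng` block repeats what `write_logd(domain)` in domain.te already expands to for logd, so one copy is redundant. `r_dir_file(logd, domain)` should carry a comment saying what logd reads from other domains (presumably per-process entries used to identify the peer), since it is the widest read grant in the file.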
diff --git a/system_server.te b/system_server.te
index 1971912..ef040d5 100644
--- a/system_server.te
+++ b/system_server.te
@@ -245,3 +245,7 @@
 # See discussion of Unlabeled files in domain.te for more information.
 # This rule is for dalvikcache mmap/mprotect PROT_EXEC.
 allow system_server unlabeled:file execute;
+
+# logd access, system_server inherit logd write socket
+# (urge is to deprecate this long term)
+allow system_server zygote:unix_dgram_socket write;
diff --git a/te_macros b/te_macros
index 03c78f3..404222a 100644
--- a/te_macros
+++ b/te_macros
@@ -274,15 +274,6 @@
 ')
 
 #####################################
-# access_logcat(domain)
-# Ability to read from logcat logs
-# and execute the logcat command
-define(`access_logcat', `
-allow $1 log_device:chr_file read;
-allow $1 system_file:file x_file_perms;
-')
-
-#####################################
 # access_kmsg(domain)
 # Ability to read from kernel logs
 # and execute the klogctl syscall
@@ -338,3 +329,35 @@
 # has ceased.
 #
 define(`permissive_or_unconfined', ifelse(force_permissive_to_unconfined, `false', permissive $1;, unconfined_domain($1)))
+
+#####################################
+# write_logd(domain)
+# Ability to write to android log
+# daemon via sockets
+define(`write_logd', `
+userdebug_or_eng(`
+  # Debug output
+  type_transition $1 device:file logd_debug;
+  allow $1 device:dir rw_dir_perms;
+  allow $1 logd_debug:file create_file_perms;
+')
+unix_socket_send($1, logdw, logd)
+')
+
+#####################################
+# read_logd(domain)
+# Ability to read from android
+# log daemon via sockets
+define(`read_logd', `
+unix_socket_connect($1, logdr, logd)
+')
+
+#####################################
+# control_logd(domain)
+# Ability to control
+# android log daemon via sockets
+define(`control_logd', `
+# Group AID_LOG checked by filesystem & logd
+# to permit control commands
+unix_socket_connect($1, logd, logd)
+')
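Review bot: The header comment on `read_logd` should say that policy grants only the socket connection and that deciding which entries a client may see is left to the daemon. `control_logd` already notes the AID_LOG check, but `read_logd` says nothing, and app.te applies it to all of `appdomain`, so a reader cannot tell from policy what separates one app's log entries from another's. I would add a line such as `# Grants connect only; which entries a client may read is decided by logd from the peer credentials`, worded to match what logd actually enforces.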