| Mark Salyzyn | 8ed750e | 2013-11-12 15:34:52 -0800 | [diff] [blame] | 1 | # android user-space log manager |
| 2 | type logd, domain; |
| 3 | type logd_exec, exec_type, file_type; |
| 4 | |
| 5 | init_daemon_domain(logd) |
| Mark Salyzyn | 8ed750e | 2013-11-12 15:34:52 -0800 | [diff] [blame] | 6 | |
| 7 | allow logd self:capability { setuid setgid sys_nice }; |
| 8 | |
| 9 | r_dir_file(logd, domain) |
| 10 | |
| 11 | userdebug_or_eng(` |
| 12 | # Debug output |
| 13 | type_transition logd device:file logd_debug; |
| 14 | allow logd device:dir rw_dir_perms; |
| 15 | allow logd logd_debug:file create_file_perms; |
| 16 | ') |
| 17 | |
| 18 | ### |
| 19 | ### Neverallow rules |
| 20 | ### |
| 21 | ### logd should NEVER do any of this |
| 22 | |
| 23 | # Block device access. |
| 24 | neverallow logd dev_type:blk_file { read write }; |
| 25 | |
| 26 | # ptrace any other app |
| 27 | neverallow logd domain:process ptrace; |
| 28 | |
| 29 | # Write to /system. |
| 30 | neverallow logd system_file:dir_file_class_set write; |
| 31 | |
| 32 | # Write to files in /data/data or system files on /data |
| 33 | neverallow logd { app_data_file system_data_file }:dir_file_class_set write; |