| Mark Salyzyn | 8ed750e | 2013-11-12 15:34:52 -0800 | [diff] [blame] | 1 | # android user-space log manager |
| 2 | type logd, domain; |
| 3 | type logd_exec, exec_type, file_type; |
| 4 | |
| 5 | init_daemon_domain(logd) |
| Mark Salyzyn | 8ed750e | 2013-11-12 15:34:52 -0800 | [diff] [blame] | 6 | |
| Mark Salyzyn | 238a654 | 2014-04-01 11:02:57 -0700 | [diff] [blame] | 7 | allow logd self:capability { setuid setgid sys_nice audit_control }; |
| 8 | allow logd self:capability2 syslog; |
| 9 | allow logd self:netlink_audit_socket { create_socket_perms nlmsg_write }; |
| 10 | allow logd kernel:system syslog_read; |
| Mark Salyzyn | 6252b63 | 2014-04-07 14:04:30 -0700 | [diff] [blame] | 11 | allow logd kmsg_device:chr_file w_file_perms; |
| Mark Salyzyn | 8ed750e | 2013-11-12 15:34:52 -0800 | [diff] [blame] | 12 | |
| 13 | r_dir_file(logd, domain) |
| 14 | |
| 15 | userdebug_or_eng(` |
| 16 | # Debug output |
| 17 | type_transition logd device:file logd_debug; |
| 18 | allow logd device:dir rw_dir_perms; |
| 19 | allow logd logd_debug:file create_file_perms; |
| 20 | ') |
| 21 | |
| 22 | ### |
| 23 | ### Neverallow rules |
| 24 | ### |
| 25 | ### logd should NEVER do any of this |
| 26 | |
| 27 | # Block device access. |
| 28 | neverallow logd dev_type:blk_file { read write }; |
| 29 | |
| 30 | # ptrace any other app |
| 31 | neverallow logd domain:process ptrace; |
| 32 | |
| 33 | # Write to /system. |
| 34 | neverallow logd system_file:dir_file_class_set write; |
| 35 | |
| 36 | # Write to files in /data/data or system files on /data |
| 37 | neverallow logd { app_data_file system_data_file }:dir_file_class_set write; |