Google Git
Sign in
android / platform / external / sepolicy / 6937aa93ac0a36f19cb13b81a282dedcad324be5
commit6937aa93ac0a36f19cb13b81a282dedcad324be5[log] [tgz]
authorNick Kralevich <nnk@google.com>Sat Mar 26 07:43:38 2016 -0700
committerNick Kralevich <nnk@google.com>Mon Mar 28 09:21:00 2016 -0700
tree94df2c83e574833dc12d14f27786f70e467f9b35
parent4d19f98c728373860c5628d46fe5f4d664c601d2 [diff]
refine /data/misc/logd rules

Followup to 121f5bfd80298266d293fa5c0a30fed66f4facfa.

Move misc_logd_file neverallow rule from domain.te to logd.te,
since the goal of the neverallow rule is to protect logd / logpersist
files from other processes.

Switch the misc_logd_file neverallow rule from using "rw_file_perms"
to "no_rw_file_perms". The latter covers more cases of file
modifications.

Add more neverallow rules covering misc_logd_file directories.

Instead of using not_userdebug_nor_eng(), modify the rules to be
consistent with other highly constrained file types such as
keystore_data_file or vold_data_file. See, for example,
https://android-review.googlesource.com/144768

To see the net effect of this change, you can use the following
command line:

  sesearch --allow -t misc_logd_file -c file,dir,lnk_file \
  out/target/product/bullhead/root/sepolicy

Before this change:

  # userdebug builds
  allow init misc_logd_file:dir { search setattr read create getattr write relabelfrom ioctl rmdir remove_name relabelto open add_name };
  allow init misc_logd_file:file { setattr read create write relabelfrom getattr relabelto unlink open };
  allow init misc_logd_file:lnk_file { setattr relabelfrom create getattr relabelto unlink };
  allow logd misc_logd_file:dir { search read lock getattr write ioctl remove_name open add_name };
  allow logd misc_logd_file:file { rename setattr read lock create getattr write ioctl unlink open append };
  allow shell misc_logd_file:dir { search read lock getattr ioctl open };
  allow shell misc_logd_file:file { read lock ioctl open getattr };

  # user builds
  allow init misc_logd_file:dir { search setattr read create getattr write relabelfrom ioctl rmdir remove_name relabelto open add_name };
  allow init misc_logd_file:file relabelto;
  allow init misc_logd_file:lnk_file { setattr relabelfrom create getattr relabelto unlink };

After this change:

  # userdebug builds
  allow init misc_logd_file:dir { search setattr read create getattr ioctl relabelto open };
  allow init misc_logd_file:file { relabelto getattr };
  allow init misc_logd_file:lnk_file relabelto;
  allow logd misc_logd_file:dir { search read lock getattr write ioctl remove_name open add_name };
  allow logd misc_logd_file:file { rename setattr read lock create getattr write ioctl unlink open append };
  allow shell misc_logd_file:dir { search read lock getattr ioctl open };
  allow shell misc_logd_file:file { read lock ioctl open getattr };

  # user builds
  allow init misc_logd_file:dir { search setattr read create getattr ioctl relabelto open };
  allow init misc_logd_file:file { relabelto getattr };
  allow init misc_logd_file:lnk_file relabelto;

Change-Id: I0b00215049ad83182f458b4b9e258289c5144479
4 files changed
tree: 94df2c83e574833dc12d14f27786f70e467f9b35
  1. tools/
  2. access_vectors
  3. adbd.te
  4. Android.mk
  5. app.te
  6. atrace.te
  7. attributes
  8. binderservicedomain.te
  9. blkid.te
  10. blkid_untrusted.te
  11. bluetooth.te
  12. bluetoothdomain.te
  13. bootanim.te
  14. bootstat.te
  15. clatd.te
  16. CleanSpec.mk
  17. debuggerd.te
  18. device.te
  19. dex2oat.te
  20. dhcp.te
  21. dnsmasq.te
  22. domain.te
  23. domain_deprecated.te
  24. drmserver.te
  25. dumpstate.te
  26. file.te
  27. file_contexts
  28. file_contexts_asan
  29. fingerprintd.te
  30. fs_use
  31. fsck.te
  32. fsck_untrusted.te
  33. gatekeeperd.te
  34. genfs_contexts
  35. global_macros
  36. gpsd.te
  37. hci_attach.te
  38. healthd.te
  39. hostapd.te
  40. idmap.te
  41. init.te
  42. initial_sid_contexts
  43. initial_sids
  44. inputflinger.te
  45. install_recovery.te
  46. installd.te
  47. ioctl_macros
  48. isolated_app.te
  49. kernel.te
  50. keys.conf
  51. keystore.te
  52. lmkd.te
  53. logd.te
  54. mac_permissions.xml
  55. mdnsd.te
  56. mediaserver.te
  57. mls
  58. mls_macros
  59. MODULE_LICENSE_PUBLIC_DOMAIN
  60. mtp.te
  61. net.te
  62. netd.te
  63. neverallow_macros
  64. nfc.te
  65. NOTICE
  66. perfprofd.te
  67. platform_app.te
  68. policy_capabilities
  69. port_contexts
  70. postinstall.te
  71. ppp.te
  72. priv_app.te
  73. property.te
  74. property_contexts
  75. racoon.te
  76. radio.te
  77. README
  78. recovery.te
  79. recovery_persist.te
  80. recovery_refresh.te
  81. rild.te
  82. roles
  83. runas.te
  84. sdcardd.te
  85. seapp_contexts
  86. security_classes
  87. service.te
  88. service_contexts
  89. servicemanager.te
  90. sgdisk.te
  91. shared_relro.te
  92. shell.te
  93. slideshow.te
  94. su.te
  95. surfaceflinger.te
  96. system_app.te
  97. system_server.te
  98. te_macros
  99. tee.te
  100. toolbox.te
  101. tzdatacheck.te
  102. ueventd.te
  103. uncrypt.te
  104. untrusted_app.te
  105. update_engine.te
  106. update_verifier.te
  107. users
  108. vdc.te
  109. vold.te
  110. watchdogd.te
  111. wpa.te
  112. zygote.te