refine /data/misc/logd rules
Followup to 121f5bfd80298266d293fa5c0a30fed66f4facfa.
Move misc_logd_file neverallow rule from domain.te to logd.te,
since the goal of the neverallow rule is to protect logd / logpersist
files from other processes.
Switch the misc_logd_file neverallow rule from using "rw_file_perms"
to "no_rw_file_perms". The latter covers more cases of file
modifications.
Add more neverallow rules covering misc_logd_file directories.
Instead of using not_userdebug_nor_eng(), modify the rules to be
consistent with other highly constrained file types such as
keystore_data_file or vold_data_file. See, for example,
https://android-review.googlesource.com/144768
To see the net effect of this change, you can use the following
command line:
sesearch --allow -t misc_logd_file -c file,dir,lnk_file \
out/target/product/bullhead/root/sepolicy
Before this change:
# userdebug builds
allow init misc_logd_file:dir { search setattr read create getattr write relabelfrom ioctl rmdir remove_name relabelto open add_name };
allow init misc_logd_file:file { setattr read create write relabelfrom getattr relabelto unlink open };
allow init misc_logd_file:lnk_file { setattr relabelfrom create getattr relabelto unlink };
allow logd misc_logd_file:dir { search read lock getattr write ioctl remove_name open add_name };
allow logd misc_logd_file:file { rename setattr read lock create getattr write ioctl unlink open append };
allow shell misc_logd_file:dir { search read lock getattr ioctl open };
allow shell misc_logd_file:file { read lock ioctl open getattr };
# user builds
allow init misc_logd_file:dir { search setattr read create getattr write relabelfrom ioctl rmdir remove_name relabelto open add_name };
allow init misc_logd_file:file relabelto;
allow init misc_logd_file:lnk_file { setattr relabelfrom create getattr relabelto unlink };
After this change:
# userdebug builds
allow init misc_logd_file:dir { search setattr read create getattr ioctl relabelto open };
allow init misc_logd_file:file { relabelto getattr };
allow init misc_logd_file:lnk_file relabelto;
allow logd misc_logd_file:dir { search read lock getattr write ioctl remove_name open add_name };
allow logd misc_logd_file:file { rename setattr read lock create getattr write ioctl unlink open append };
allow shell misc_logd_file:dir { search read lock getattr ioctl open };
allow shell misc_logd_file:file { read lock ioctl open getattr };
# user builds
allow init misc_logd_file:dir { search setattr read create getattr ioctl relabelto open };
allow init misc_logd_file:file { relabelto getattr };
allow init misc_logd_file:lnk_file relabelto;
Change-Id: I0b00215049ad83182f458b4b9e258289c5144479
4 files changed