Leave minimal sepolicy for microdroid

Steps taken:

1) Collect the types still referenced in the contexts files.
2) Keep those types and remove all other types.
3) Set attributes, according to system/etc/selinux/plat_sepolicy.cil.
4) Repeat booting and adding missing types, rules, and attributes.
5) Organize types and allow rules.

Bug: 191131624
Test: atest MicrodroidHostTestCases
Change-Id: I1302701f67e61795474c667e8e6094d67912eea0
diff --git a/microdroid/sepolicy/system/private/logd.te b/microdroid/sepolicy/system/private/logd.te
index 7112c4f..0cc6e96 100644
--- a/microdroid/sepolicy/system/private/logd.te
+++ b/microdroid/sepolicy/system/private/logd.te
@@ -2,40 +2,42 @@
 
 init_daemon_domain(logd)
 
-# Access device logging gating property
-get_prop(logd, device_logging_prop)
-
-# logd is not allowed to write anywhere other than /data/misc/logd, and then
-# only on userdebug or eng builds
-neverallow logd {
-  file_type
-  -runtime_event_log_tags_file
-  userdebug_or_eng(`-coredump_file -misc_logd_file')
-  with_native_coverage(`-method_trace_data_file')
-}:file { create write append };
-
-# protect the event-log-tags file
-neverallow {
-  domain
-  -appdomain # covered below
-  -bootstat
-  -dumpstate
-  -init
-  -logd
-  userdebug_or_eng(`-logpersist')
-  -servicemanager
-  -system_server
-  -surfaceflinger
-  -zygote
-} runtime_event_log_tags_file:file no_rw_file_perms;
-
-neverallow {
-  appdomain
-  -bluetooth
-  -platform_app
-  -priv_app
-  -radio
-  -shell
-  userdebug_or_eng(`-su')
-  -system_app
-} runtime_event_log_tags_file:file no_rw_file_perms;
+allow logd adbd:dir search;
+allow logd adbd:file { getattr open read };
+allow logd device:dir search;
+allow logd hwservicemanager:dir search;
+allow logd hwservicemanager:file { open read };
+allow logd init:dir search;
+allow logd init:fd use;
+allow logd init:file { getattr open read };
+allow logd kernel:dir search;
+allow logd kernel:file { getattr open read };
+allow logd kernel:system { syslog_mod syslog_read };
+allow logd keystore:dir search;
+allow logd keystore:file { getattr open read };
+allow logd linkerconfig_file:dir search;
+allow logd microdroid_manager:dir search;
+allow logd microdroid_manager:file { getattr open read };
+allow logd null_device:chr_file { open read };
+#allow logd proc_kmsg:file read;
+r_dir_file(logd, cgroup)
+r_dir_file(logd, cgroup_v2)
+r_dir_file(logd, proc_kmsg)
+r_dir_file(logd, proc_meminfo)
+allow logd self:fifo_file { read write };
+allow logd self:file { getattr open read };
+allow logd self:global_capability_class_set { setuid setgid setpcap sys_nice audit_control };
+allow logd self:global_capability2_class_set syslog;
+#allow logd self:netlink_audit_socket getopt;
+allow logd self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
+allow logd kmsg_device:chr_file { getattr w_file_perms };
+r_dir_file(logd, domain)
+allow logd self:unix_stream_socket { accept getopt setopt shutdown };
+allow logd servicemanager:dir search;
+allow logd servicemanager:file { open read };
+allow logd tombstoned:dir search;
+allow logd tombstoned:file { getattr open read };
+allow logd ueventd:dir search;
+allow logd ueventd:file { getattr open read };
+control_logd(logd)
+read_runtime_log_tags(logd)
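Review bot: The neverallow assertions removed at the top of this hunk are not replaced by any compile-time guard, so nothing in the new logd.te stops a later rule from granting logd file create/write/append. The added rules give no write access to regular files (only `kmsg_device:chr_file` gets `w_file_perms`), so a reduced assertion such as `neverallow logd file_type:file { create write append };` should still compile, assuming the `file_type` attribute survives in the microdroid policy. Separately, `r_dir_file(logd, domain)` already grants directory and file read on every type carrying the `domain` attribute, which presumably makes the explicit per-domain rules (adbd, init, kernel, keystore, microdroid_manager, hwservicemanager, servicemanager, tombstoned, ueventd) redundant. Either drop the blanket macro in favour of the explicit list, or keep it with a comment stating why logd needs to read every domain's /proc entries. The two commented-out rules (`#allow logd proc_kmsg:file read;` and `#allow logd self:netlink_audit_socket getopt;`) should be deleted or annotated with the reason they are kept.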