commit 4eb5660c52a5966374c9d810550e3ae0069bd50f
author Inseob Kim <inseob@google.com> Fri Jul 09 15:51:12 2021 +0900
committer Inseob Kim <inseob@google.com> Tue Jul 13 14:06:58 2021 +0900
tree 11a87447d96b7949e5da2a64cd76aa1271f897b1
parent 32ea89af9e9846a9865d85389bed271423b173a7

Leave minimal sepolicy for microdroid

Steps taken:

1) Grab remaining types in contexts files.
2) Leave such types and remove all other types.
3) Set attributes, according to system/etc/selinux/plat_sepolicy.cil.
4) Repeat booting and adding missing types, rules, and attributes.
5) Organize types and allow rules.

Bug: 191131624
Test: atest MicrodroidHostTestCases
Change-Id: I1302701f67e61795474c667e8e6094d67912eea0

microdroid/sepolicy/system/public/logd.te

diff --git a/microdroid/sepolicy/system/public/logd.te b/microdroid/sepolicy/system/public/logd.te
index 8187179..67f601c 100644
--- a/microdroid/sepolicy/system/public/logd.te
+++ b/microdroid/sepolicy/system/public/logd.te
@@ -1,74 +1,2 @@
-# android user-space log manager
-type logd, domain, mlstrustedsubject;
-type logd_exec, system_file_type, exec_type, file_type;
-
-# Read access to pseudo filesystems.
-r_dir_file(logd, cgroup)
-r_dir_file(logd, cgroup_v2)
-r_dir_file(logd, proc_kmsg)
-r_dir_file(logd, proc_meminfo)
-
-allow logd self:global_capability_class_set { setuid setgid setpcap sys_nice audit_control };
-allow logd self:global_capability2_class_set syslog;
-allow logd self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
-allow logd kernel:system syslog_read;
-allow logd kmsg_device:chr_file { getattr w_file_perms };
-allow logd system_data_file:{ file lnk_file } r_file_perms;
-allow logd packages_list_file:file r_file_perms;
-allow logd pstorefs:dir search;
-allow logd pstorefs:file r_file_perms;
-userdebug_or_eng(`
-  # Access to /data/misc/logd/event-log-tags
-  allow logd misc_logd_file:dir r_dir_perms;
-  allow logd misc_logd_file:file rw_file_perms;
-')
-allow logd runtime_event_log_tags_file:file rw_file_perms;
-
-r_dir_file(logd, domain)
-
-allow logd kernel:system syslog_mod;
-
-control_logd(logd)
-read_runtime_log_tags(logd)
-
-allow runtime_event_log_tags_file tmpfs:filesystem associate;
-# Typically harmlessly blindly trying to access via liblog
-# event tag mapping while in the untrusted_app domain.
-# Access for that domain is controlled and gated via the
-# event log tag service (albeit at a performance penalty,
-# expected to be locally cached).
-dontaudit domain runtime_event_log_tags_file:file { map open read };
-
-# Logd sets defaults if certain properties are empty.
-set_prop(logd, logd_prop)
-
-###
-### Neverallow rules
-###
-### logd should NEVER do any of this
-
-# Block device access.
-neverallow logd dev_type:blk_file { read write };
-
-# ptrace any other app
-neverallow logd domain:process ptrace;
-
-# ... and nobody may ptrace me (except on userdebug or eng builds)
-neverallow { domain userdebug_or_eng(`-crash_dump -llkd') } logd:process ptrace;
-
-# Write to /system.
-neverallow logd system_file:dir_file_class_set write;
-
-# Write to files in /data/data or system files on /data
-neverallow logd { app_data_file privapp_data_file system_data_file packages_list_file }:dir_file_class_set write;
-
-# Only init is allowed to enter the logd domain via exec()
-neverallow { domain -init } logd:process transition;
-neverallow * logd:process dyntransition;
-
-# protect the event-log-tags file
-neverallow {
-  domain
-  -init
-  -logd
-} runtime_event_log_tags_file:file no_w_file_perms;
+type logd, domain;
+type logd_exec, file_type, exec_type, system_file_type;