# SELinux policy statements for the logd domain, recovered from a blame view.
# Blame annotation carried by the source page at line 1:
#   Inseob Kim, ff43be2, 2021-06-07 16:56:56 +0900

# Tag the logd type with the coredomain attribute.
typeattribute logd coredomain;

# Macro defined outside this file; presumably sets up the transition from init
# into the logd domain -- confirm against the macro definition.
init_daemon_domain(logd)

# Access device logging gating property
get_prop(logd, device_logging_prop)

# neverallow is a build-time assertion: it grants nothing, and policy
# compilation fails if any allow rule matches it.
#
# logd is not allowed to write anywhere other than /data/misc/logd, and then
# only on userdebug or eng builds.
# As written, the assertion covers create, write and append on class "file" for
# every file_type, minus these subtractions:
#   - runtime_event_log_tags_file, on all builds;
#   - coredump_file and misc_logd_file, on userdebug or eng builds only
#     (misc_logd_file is presumably the /data/misc/logd label -- confirm in
#     file_contexts);
#   - method_trace_data_file, on builds with native coverage only.
# NOTE(review): other object classes and other file permissions (setattr,
# unlink, rename, ...) are outside this rule; anything that must stay denied for
# them needs its own assertion.
neverallow logd {
  file_type
  -runtime_event_log_tags_file
  userdebug_or_eng(`-coredump_file -misc_logd_file')
  with_native_coverage(`-method_trace_data_file')
}:file { create write append };

# protect the event-log-tags file
# Asserts that no domain holds any permission in no_rw_file_perms (macro defined
# outside this file; by its name, the read and write permission set) on
# runtime_event_log_tags_file, apart from the domains subtracted below.
# A subtraction only exempts the domain from this assertion; access still
# requires an allow rule elsewhere.
# NOTE(review): each exempted domain is one that policy may let read or modify
# the event-log-tags file, so additions to this list deserve the same scrutiny
# as a new allow rule.
neverallow {
  domain
  -appdomain # covered below
  -bootstat
  -dumpstate
  -init
  -logd
  userdebug_or_eng(`-logpersist') # exempt on userdebug or eng builds only
  -servicemanager
  -system_server
  -surfaceflinger
  -zygote
} runtime_event_log_tags_file:file no_rw_file_perms;

# Same assertion for app domains, which the rule above subtracts as a whole:
# only the app domains listed here are exempt, and su only on userdebug or eng
# builds.
neverallow {
  appdomain
  -bluetooth
  -platform_app
  -priv_app
  -radio
  -shell
  userdebug_or_eng(`-su')
  -system_app
} runtime_event_log_tags_file:file no_rw_file_perms;