Enforce no persistent logging on user builds
For userdebug and eng builds enforce that:
- only logd and shell domains may access logd files
- logd is only allowed to write to /data/misc/logd
Change-Id: Ie909cf701fc57109257aa13bbf05236d1777669a
diff --git a/domain.te b/domain.te
index bfbceab..e0fc817 100644
--- a/domain.te
+++ b/domain.te
@@ -533,3 +533,6 @@
# only service_manager_types can be added to service_manager
neverallow domain ~service_manager_type:service_manager { add find };
+
+# logpersist is only allowed on userdebug/eng builds
+neverallow { domain userdebug_or_eng(`-logd -shell') } misc_logd_file:file rw_file_perms;
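Review bot: The new neverallow guards only the `file` class with `rw_file_perms`, so a domain may still hold `dir` permissions (search, add_name, remove_name) on misc_logd_file and `unlink`/`rename`/`setattr` on its files; the comment "logpersist is only allowed on userdebug/eng builds" suggests broader coverage than the rule gives. Since `userdebug_or_eng` expands to nothing on user builds, the rule there becomes `neverallow domain misc_logd_file:file rw_file_perms;`, forbidding even logd and init, which is why the init.te hunk has to drop misc_logd_file from init's file grants. Suggest making the expansion and the scope explicit in the comment: `# On user builds userdebug_or_eng() expands to nothing, so no domain may read or write misc_logd_file; on userdebug/eng only logd and shell may. Directory and unlink/rename/setattr access are not covered by this rule.`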
diff --git a/init.te b/init.te
index 6b57098..1f33a97 100644
--- a/init.te
+++ b/init.te
@@ -98,7 +98,7 @@
allow init self:capability { chown fowner fsetid };
allow init {file_type -system_file -exec_type -app_data_file}:dir { create search getattr open read setattr ioctl };
allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:dir { write add_name remove_name rmdir relabelfrom };
-allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:file { create getattr open read write setattr relabelfrom unlink };
+allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file -misc_logd_file }:file { create getattr open read write setattr relabelfrom unlink };
allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:lnk_file { create getattr setattr relabelfrom unlink };
allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;
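Review bot: The `-misc_logd_file` exclusion is added only to the `file` line, so init keeps `write add_name remove_name rmdir relabelfrom` on misc_logd_file directories from the unchanged dir line above; that is presumably intended so init can still create the directory, but nothing says so and the next reader may take the asymmetry for an oversight. The new token is also written `-misc_logd_file }` with a stray space before the brace, unlike the four sibling lines; `... -vold_data_file -misc_logd_file}:file ...` matches their form. Suggest a comment above the changed line: `# misc_logd_file excluded: domain.te forbids file rw on it for every domain but logd/shell; init only needs the directory`.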
diff --git a/logd.te b/logd.te
index b0d978f..56d0d2a 100644
--- a/logd.te
+++ b/logd.te
@@ -10,8 +10,11 @@
allow logd kernel:system syslog_read;
allow logd kmsg_device:chr_file w_file_perms;
allow logd system_data_file:file r_file_perms;
-allow logd misc_logd_file:file create_file_perms;
-allow logd misc_logd_file:dir rw_dir_perms;
+# logpersist is only allowed on userdebug and eng builds
+userdebug_or_eng(`
+ allow logd misc_logd_file:file create_file_perms;
+ allow logd misc_logd_file:dir rw_dir_perms;
+')
allow logd pstorefs:dir search;
allow logd pstorefs:file r_file_perms;
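Review bot: The comment names the condition but not its effect on user builds, where `userdebug_or_eng` expands to nothing and logd is left with no misc_logd_file access at all, neither file nor directory; that consequence is what the neverallow added at the end of logd.te and the one in domain.te rely on, so it is worth stating here. Suggest `# logpersist is only allowed on userdebug and eng builds; on user builds logd has no access to misc_logd_file at all`.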
@@ -42,3 +45,7 @@
# Write to files in /data/data or system files on /data
neverallow logd { app_data_file system_data_file }:dir_file_class_set write;
+
+# logd is not allowed to write anywhere other than /misc/data/logd, and then
+# only on userdebug or eng builds
+neverallow logd { file_type -logd_tmpfs userdebug_or_eng(` -misc_logd_file -coredump_file ') }:file write;
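Review bot: The comment on the new neverallow says `/misc/data/logd`, but the type is misc_logd_file and the commit message gives the path as /data/misc/logd; the transposed path will mislead anyone grepping for it. The comment also omits the two other exemptions the rule itself grants, logd_tmpfs unconditionally and coredump_file on userdebug/eng, so it overstates what is enforced. Suggest `# logd may write only to its own tmpfs and, on userdebug/eng builds, to /data/misc/logd (misc_logd_file) and coredump_file; on user builds no other file write is permitted`. Note also that SELinux checks the `append` permission rather than `write` for O_APPEND opens, so if the intent is to rule out every form of writing, `:file { write append }` would close that gap.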
diff --git a/shell.te b/shell.te
index 84e1802..893403a 100644
--- a/shell.te
+++ b/shell.te
@@ -16,8 +16,10 @@
allow shell pstorefs:dir search;
allow shell pstorefs:file r_file_perms;
# logpersistd (nee logcatd) files
-allow shell misc_logd_file:dir r_dir_perms;
-allow shell misc_logd_file:file r_file_perms;
+userdebug_or_eng(`
+ allow shell misc_logd_file:dir r_dir_perms;
+ allow shell misc_logd_file:file r_file_perms;
+')
# read files in /data/anr
allow shell anr_data_file:dir r_dir_perms;
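Review bot: The conditional wrapping in shell.te carries no comment, unlike the matching change in logd.te, so the reader sees only the older `# logpersistd (nee logcatd) files` line and nothing saying why the grants are now build-dependent. Suggest extending that comment to `# logpersistd (nee logcatd) files: readable by shell on userdebug/eng builds only (domain.te forbids it on user builds)`.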