Add sepolicy for logd and logcat services
The logd binder service is on the logd side.
The logcat binder service is on the system_server side.
These two binder services facilitate the binder RPC
between logd and system_server.
Bug: 197901557
Test: manual
Change-Id: I5f08bbb44a88dc72302331ab11c7d54f94db16ac
diff --git a/private/logd.te b/private/logd.te
index 7112c4f..62d4196 100644
--- a/private/logd.te
+++ b/private/logd.te
@@ -10,6 +10,8 @@
neverallow logd {
file_type
-runtime_event_log_tags_file
+ # shell_data_file access is needed to dump bugreports
+ -shell_data_file
userdebug_or_eng(`-coredump_file -misc_logd_file')
with_native_coverage(`-method_trace_data_file')
}:file { create write append };
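Review bot: The new `-shell_data_file` exception only removes the compile-time neverallow guard; no allow rule granting logd create/write/append on shell_data_file appears in this change, so which rule actually relies on the carve-out cannot be confirmed from the diff. shell_data_file is a broad type (it labels shell-writable data in general, not bugreport output specifically), and unlike the neighbouring `-coredump_file -misc_logd_file` exception it is not gated by userdebug_or_eng. If the bugreport path hands logd an already-open fd, writing to that fd may not require a file-type exception at all; that is an inference to confirm against the bugreport flow. Consider expanding the comment to name the allow rule it refers to, e.g. `# shell_data_file: needed for the allow rule that lets logd write bugreport dumps (see <rule>)`. The neverallow statement begins on the hunk's first context line and closes on its last.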
@@ -39,3 +41,11 @@
userdebug_or_eng(`-su')
-system_app
} runtime_event_log_tags_file:file no_rw_file_perms;
+
+# Only binder communication between logd and system_server is allowed
+binder_use(logd)
+binder_service(logd)
+binder_call(logd, system_server)
+
+add_service(logd, logd_service)
+allow logd logcat_service:service_manager find;
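Review bot: The comment `# Only binder communication between logd and system_server is allowed` asserts an exclusivity that the rules beneath it do not enforce: `binder_service(logd)` and `add_service(logd, logd_service)` let logd register the service, but nothing here stops another domain from later being granted `logd_service:service_manager find` or binder_call to logd. If the restriction is intended, back it with a neverallow, for example `neverallow { domain -system_server -logd } logd_service:service_manager find;` (a constructed example; adjust the exception set to what the policy actually needs); otherwise reword the comment to describe rather than promise, e.g. `# logd registers logd_service and calls back into system_server over binder`. The `allow logd logcat_service:service_manager find;` line is only needed if logd looks logcat up in servicemanager instead of receiving the binder from system_server, so a one-line comment stating which it is would help the next reader.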
diff --git a/private/service.te b/private/service.te
index 10461ec..7e33715 100644
--- a/private/service.te
+++ b/private/service.te
@@ -1,8 +1,11 @@
type attention_service, system_server_service, service_manager_type;
+type compos_internal_service, service_manager_type;
type compos_service, service_manager_type;
type dynamic_system_service, system_api_service, system_server_service, service_manager_type;
type gsi_service, service_manager_type;
type incidentcompanion_service, app_api_service, system_api_service, system_server_service, service_manager_type;
+type logcat_service, system_server_service, service_manager_type;
+type logd_service, service_manager_type;
type mediatuner_service, app_api_service, service_manager_type;
type profcollectd_service, service_manager_type;
type resolver_service, system_server_service, service_manager_type;
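Review bot: `type logd_service, service_manager_type;` carries neither app_api_service nor system_api_service, which, judging from the neighbouring declarations, keeps the service out of the app- and system-API-findable attribute sets; because the same shape could also be an omission, record the intent with a comment such as `# logd_service is not an app/system API; only system_server is expected to find it`. The `compos_internal_service` lines in this hunk and the next are a pure reorder into alphabetical position and need no further review.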
@@ -13,4 +16,3 @@
type statsmanager_service, system_api_service, system_server_service, service_manager_type;
type tracingproxy_service, system_server_service, service_manager_type;
type uce_service, service_manager_type;
-type compos_internal_service, service_manager_type;
diff --git a/private/service_contexts b/private/service_contexts
index bee400f..2e79abb 100644
--- a/private/service_contexts
+++ b/private/service_contexts
@@ -198,6 +198,8 @@
location u:object_r:location_service:s0
location_time_zone_manager u:object_r:location_time_zone_manager_service:s0
lock_settings u:object_r:lock_settings_service:s0
+logcat u:object_r:logcat_service:s0
+logd u:object_r:logd_service:s0
looper_stats u:object_r:looper_stats_service:s0
lpdump_service u:object_r:lpdump_service:s0
media.aaudio u:object_r:audioserver_service:s0
diff --git a/private/system_server.te b/private/system_server.te
index 68792e8..d2b4091 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -277,6 +277,7 @@
binder_call(system_server, storaged)
binder_call(system_server, update_engine)
binder_call(system_server, vold)
+binder_call(system_server, logd)
binder_call(system_server, wificond)
binder_call(system_server, wpantund)
binder_service(system_server)
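Review bot: `binder_call(system_server, logd)` is inserted after `vold` in a list that is otherwise alphabetical (storaged, update_engine, vold, wificond, wpantund); it belongs earlier in the list among the entries starting with "l", which keeps future merges in this heavily edited file conflict-free. The same applies to `allow system_server logd_service:service_manager find;` in the second hunk of this file, which is placed after `wifinl80211_service` instead of in sorted position. The surrounding lists start before each hunk, so the exact insertion point is outside the visible lines.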
@@ -881,6 +882,7 @@
allow system_server update_engine_service:service_manager find;
allow system_server vold_service:service_manager find;
allow system_server wifinl80211_service:service_manager find;
+allow system_server logd_service:service_manager find;
userdebug_or_eng(`
allow system_server profcollectd_service:service_manager find;
')