SELinux policy for users of libcutils klog_write.

klog_write/init create /dev/__kmsg__ backed by a kernel character
device, keep the file descriptor, and then immediately unlink the
file.

Change-Id: I729d224347a003eaca29299d216a53c99cc3197c
diff --git a/device.te b/device.te
index d55258a..8882d99 100644
--- a/device.te
+++ b/device.te
@@ -49,6 +49,7 @@
 type tun_device, dev_type, mlstrustedobject;
 type usbaccessory_device, dev_type;
 type usb_device, dev_type;
+type klog_device, dev_type;
 type properties_device, dev_type;
 
 # All devices have a uart for the hci
diff --git a/file_contexts b/file_contexts
index 15f9f59..19491f9 100644
--- a/file_contexts
+++ b/file_contexts
@@ -114,6 +114,7 @@
 /dev/watchdog		u:object_r:watchdog_device:s0
 /dev/xt_qtaguid	u:object_r:qtaguid_device:s0
 /dev/zero		u:object_r:zero_device:s0
+/dev/__kmsg__		u:object_r:klog_device:s0
 /dev/__properties__ u:object_r:properties_device:s0
 #############################
 # System files
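Review bot: The added `/dev/__kmsg__` entry carries no comment saying when it applies. The commit description states that the node is unlinked immediately after creation, so a path-based label would only matter if something relabels /dev while the node exists, or if the node is created outside the named `type_transition` added in te_macros. If that is the case being covered, a line such as `# Transient node created and unlinked by klog_write()` above the entry would record it. Otherwise the entry looks redundant with the named transition, and it would help to confirm which mechanism actually assigns the label.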
diff --git a/te_macros b/te_macros
index 86a3a5b..6e6b0a4 100644
--- a/te_macros
+++ b/te_macros
@@ -284,3 +284,14 @@
 define(`access_kmsg', `
 allow $1 kernel:system syslog_read;
 ')
+
+#####################################
+# write_klog(domain)
+# Ability to write to kernel log via
+# klog_write()
+# See system/core/libcutil/klog.c
+define(`write_klog', `
+type_transition $1 device:chr_file klog_device "__kmsg__";
+allow $1 klog_device:chr_file { create open write unlink };
+allow $1 device:dir { add_name remove_name };
+')
diff --git a/ueventd.te b/ueventd.te
index 9023173..fa03acf 100644
--- a/ueventd.te
+++ b/ueventd.te
@@ -2,6 +2,7 @@
 # it lives in the rootfs and has no unique file type.
 type ueventd, domain;
 tmpfs_domain(ueventd)
+write_klog(ueventd)
 security_access_policy(ueventd)
 allow ueventd rootfs:file entrypoint;
 allow ueventd init:process sigchld;
diff --git a/vold.te b/vold.te
index 95865fb..26532c1 100644
--- a/vold.te
+++ b/vold.te
@@ -32,6 +32,8 @@
 # XXX Label sysfs files with a specific type?
 allow vold sysfs:file rw_file_perms;
 
+write_klog(vold)
+
 #
 # Rules to support encrypted fs support.
 #