refine /data/misc/logd rules
(cherry picked from commit 6937aa93ac0a36f19cb13b81a282dedcad324be5)
Followup to 121f5bfd80298266d293fa5c0a30fed66f4facfa.
Move misc_logd_file neverallow rule from domain.te to logd.te,
since the goal of the neverallow rule is to protect logd / logpersist
files from other processes.
Switch the misc_logd_file neverallow rule from using "rw_file_perms"
to "no_rw_file_perms". The latter covers more cases of file
modifications.
Add more neverallow rules covering misc_logd_file directories.
Instead of using not_userdebug_nor_eng(), modify the rules to be
consistent with other highly constrained file types such as
keystore_data_file or vold_data_file. See, for example,
https://android-review.googlesource.com/144768
To see the net effect of this change, you can use the following
command line:
sesearch --allow -t misc_logd_file -c file,dir,lnk_file \
out/target/product/bullhead/root/sepolicy
Before this change:
# userdebug builds
allow init misc_logd_file:dir { search setattr read create getattr write relabelfrom ioctl rmdir remove_name relabelto open add_name };
allow init misc_logd_file:file { setattr read create write relabelfrom getattr relabelto unlink open };
allow init misc_logd_file:lnk_file { setattr relabelfrom create getattr relabelto unlink };
allow logd misc_logd_file:dir { search read lock getattr write ioctl remove_name open add_name };
allow logd misc_logd_file:file { rename setattr read lock create getattr write ioctl unlink open append };
allow shell misc_logd_file:dir { search read lock getattr ioctl open };
allow shell misc_logd_file:file { read lock ioctl open getattr };
# user builds
allow init misc_logd_file:dir { search setattr read create getattr write relabelfrom ioctl rmdir remove_name relabelto open add_name };
allow init misc_logd_file:file relabelto;
allow init misc_logd_file:lnk_file { setattr relabelfrom create getattr relabelto unlink };
After this change:
# userdebug builds
allow init misc_logd_file:dir { search setattr read create getattr ioctl relabelto open };
allow init misc_logd_file:file { relabelto getattr };
allow init misc_logd_file:lnk_file relabelto;
allow logd misc_logd_file:dir { search read lock getattr write ioctl remove_name open add_name };
allow logd misc_logd_file:file { rename setattr read lock create getattr write ioctl unlink open append };
allow shell misc_logd_file:dir { search read lock getattr ioctl open };
allow shell misc_logd_file:file { read lock ioctl open getattr };
# user builds
allow init misc_logd_file:dir { search setattr read create getattr ioctl relabelto open };
allow init misc_logd_file:file { relabelto getattr };
allow init misc_logd_file:lnk_file relabelto;
Change-Id: I0b00215049ad83182f458b4b9e258289c5144479
Bug: 27965066
diff --git a/domain.te b/domain.te
index 2f6b435..d7333c5 100644
--- a/domain.te
+++ b/domain.te
@@ -512,9 +512,6 @@
# only service_manager_types can be added to service_manager
neverallow * ~service_manager_type:service_manager { add find };
-# logpersist is only allowed on userdebug/eng builds
-neverallow { domain userdebug_or_eng(`-logd -shell -init') } misc_logd_file:file rw_file_perms;
-
# Prevent assigning non property types to properties
neverallow * ~property_type:property_service set;
diff --git a/init.te b/init.te
index eb3dc88..c8b39eb 100644
--- a/init.te
+++ b/init.te
@@ -103,10 +103,10 @@
# we just allow all file types except /system files here.
allow init self:capability { chown fowner fsetid };
allow init {file_type -system_file -exec_type -app_data_file}:dir { create search getattr open read setattr ioctl };
-allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:dir { write add_name remove_name rmdir relabelfrom };
-allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file not_userdebug_nor_eng(`-misc_logd_file') }:file { create getattr open read write setattr relabelfrom unlink };
-allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
-allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:lnk_file { create getattr setattr relabelfrom unlink };
+allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file -misc_logd_file }:dir { write add_name remove_name rmdir relabelfrom };
+allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file -misc_logd_file }:file { create getattr open read write setattr relabelfrom unlink };
+allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file -misc_logd_file }:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
+allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file -misc_logd_file }:lnk_file { create getattr setattr relabelfrom unlink };
allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;
allow init { sysfs debugfs }:{ dir file lnk_file } { getattr relabelfrom };
allow init { sysfs_type debugfs_type }:{ dir file lnk_file } relabelto;
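Review bot: The four rewritten allow rules carry a stray space before the closing brace (`-misc_logd_file }`), which none of the neighbouring type sets in this hunk use; dropping it keeps the lines greppable alongside the others, e.g. `-vold_data_file -misc_logd_file}:dir { write add_name remove_name rmdir relabelfrom };`. The same exclusion list is now repeated verbatim on all four lines, so a one-line comment above the group naming why these types are carved out (each has its own tighter neverallow in its .te file) would save the next editor from updating only some of them. Note that the unchanged `dir_file_class_set relabelto` rule below them still covers misc_logd_file, which matches the relabelto seen in the sesearch output in the description.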
@@ -180,6 +180,11 @@
domain_auto_trans(init, logcat_exec, logd)
')
+# Init will create /data/misc/logd when the property persist.logd.logpersistd is "logcatd".
+# Init will also walk through the directory as part of a recursive restorecon.
+allow init misc_logd_file:dir { open create read getattr setattr search };
+allow init misc_logd_file:file { getattr };
+
# Support "adb shell stop"
allow init self:capability kill;
allow init domain:process { sigkill signal };
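Review bot: The new `allow init misc_logd_file:dir { open create read getattr setattr search };` is already granted in full by the unchanged broad rule earlier in this file, `allow init {file_type -system_file -exec_type -app_data_file}:dir { create search getattr open read setattr ioctl };`, which misc_logd_file still matches, so this line adds no access and the effective set (including the ioctl visible in the description's sesearch output) comes from the broad rule rather than from here. If the intent is for this rule to be the single auditable source of init's misc_logd_file access, exclude `-misc_logd_file` from that broad dir rule as the first hunk already does for the write-side rules; otherwise a comment such as `# Redundant with the generic file_type dir rule above; kept to document intent.` would stop someone later tightening this line and expecting it to take effect. The single-permission set `{ getattr }` on the next line could also drop its braces to match `allow init self:capability kill;` below.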
diff --git a/logd.te b/logd.te
index 95a30ef..7254e53 100644
--- a/logd.te
+++ b/logd.te
@@ -57,6 +57,11 @@
# Write to files in /data/data or system files on /data
neverallow logd { app_data_file system_data_file }:dir_file_class_set write;
-# logd is not allowed to write anywhere other than /misc/data/logd, and then
+# logd is not allowed to write anywhere other than /data/misc/logd, and then
# only on userdebug or eng builds
-neverallow logd { file_type -logd_tmpfs userdebug_or_eng(` -misc_logd_file -coredump_file ') }:file write;
+neverallow logd { file_type -logd_tmpfs userdebug_or_eng(` -misc_logd_file -coredump_file ') }:file { create write append };
+
+# logpersist is only allowed on userdebug/eng builds
+neverallow { domain userdebug_or_eng(`-logd -shell') } misc_logd_file:file no_rw_file_perms;
+neverallow { domain userdebug_or_eng(`-logd') } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write };
+neverallow { domain -init } misc_logd_file:dir create;
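Review bot: The first new neverallow exempts shell from the whole no_rw_file_perms set on misc_logd_file:file, yet the post-change sesearch output in the description shows shell is granted only `{ read lock ioctl open getattr }`; as written, a future `allow shell misc_logd_file:file write` on a userdebug build would pass the neverallow check unnoticed. Adding a second rule of the same form that exempts only logd and uses no_w_file_perms in place of no_rw_file_perms would fence the write side for shell too (assuming no_w_file_perms is defined in this tree's global_macros next to no_rw_file_perms). Separately, the corrected comment still says logd may write only under /data/misc/logd while the rule beneath it also exempts coredump_file; `# logd is not allowed to write anywhere other than /data/misc/logd (and coredump_file), and then` would keep the comment accurate. The dir neverallow hard-codes `{ add_name link relabelfrom remove_name rename reparent rmdir write }`; a short comment noting that setattr and relabelto are left out, presumably so init's restorecon keeps working, would explain the omission to the next reader.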
diff --git a/te_macros b/te_macros
index c97cd2d..4d18973 100644
--- a/te_macros
+++ b/te_macros
@@ -299,7 +299,6 @@
# SELinux rules which apply only to userdebug or eng builds
#
define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
-define(`not_userdebug_nor_eng', ifelse(target_build_variant, `eng', , ifelse(target_build_variant, `userdebug', , $1)))
define(`eng', ifelse(target_build_variant, `eng', $1))
#####################################