Don't let ro.log.file_logger.path to be set

ro.log.file_logger.path is a system property that liblog uses to
determine if file_logger should be used (instead of logd) and what file
the logs should be emitted to. It is primarily meant for non-Android
environments such as Microdroid, and doesn't need to be set in Android. In
fact, setting it to a wrong value can break the system logging
functionality. This change prevents such a problem by assigning a
dedicated property context (log_file_logger_prop) to the property and
making it non-writable. (Note that it still has to be readable because
liblog reads it and liblog can be loaded in any process)

Bug: 222592894
Test: try to set ro.log.file_logger.path

Change-Id: Ic6b527327f5bd4ca70a58b6e45f7be382e093318
diff --git a/private/domain.te b/private/domain.te
index c585613..3d59a27 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -117,6 +117,10 @@
 # Allow all processes to check for the existence of the boringssl_self_test_marker files.
 allow domain boringssl_self_test_marker:dir search;
 
+# Allow all processes to read the file_logger property that liblog uses to check if file_logger
+# should be used.
+get_prop(domain, log_file_logger_prop)
+
 # No domains other than a select few can access the misc_block_device. This
 # block device is reserved for OTA use.
 # Do not assert this rule on userdebug/eng builds, due to some devices using
diff --git a/private/property.te b/private/property.te
index bb49742..805b70d 100644
--- a/private/property.te
+++ b/private/property.te
@@ -51,6 +51,7 @@
 
 # Properties which can't be written outside system
 system_restricted_prop(device_config_virtualization_framework_native_prop)
+system_restricted_prop(log_file_logger_prop)
 
 ###
 ### Neverallow rules
@@ -672,3 +673,7 @@
   -profcollectd
 } profcollectd_node_id_prop:file r_file_perms;
 
+neverallow {
+  domain
+  -init
+} log_file_logger_prop:property_service set;
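Review bot: The new neverallow at the end of property.te carries no comment saying why every domain except init is barred from setting the property, so a reader of the policy cannot tell from the rule itself that a wrong ro.log.file_logger.path value breaks logd-based logging. Suggest prefixing the rule with `# ro.log.file_logger.path switches liblog from logd to a file and is meant only for non-Android environments (e.g. Microdroid); nobody but init may set it.` Note also that because init is excluded, the property stays settable through init (e.g. from a build.prop or init.rc), so the commit message's "non-writable" holds for every other domain only; that is presumably intended, since the ro. prefix means it can be set at most once, but the comment should say so. The rule is also stricter than the system_restricted_prop() classification added in the earlier hunk, which on its own would still let system domains write it.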
diff --git a/private/property_contexts b/private/property_contexts
index f55e99b..a67ea73 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -43,7 +43,7 @@
 log.                    u:object_r:log_prop:s0
 log.tag                 u:object_r:log_tag_prop:s0
 log.tag.WifiHAL         u:object_r:wifi_log_prop:s0
-ro.log.file_logger.path    u:object_r:log_prop:s0 exact string
+ro.log.file_logger.path    u:object_r:log_file_logger_prop:s0 exact string
 security.perf_harden    u:object_r:shell_prop:s0
 persist.simpleperf.profile_app_uid              u:object_r:shell_prop:s0
 persist.simpleperf.profile_app_expiration_time  u:object_r:shell_prop:s0