Merge "sepolicy : Updating error message with doc link"
diff --git a/microdroid/system/private/crash_dump.te b/microdroid/system/private/crash_dump.te
index 61dfa0b..8dcb4b1 100644
--- a/microdroid/system/private/crash_dump.te
+++ b/microdroid/system/private/crash_dump.te
@@ -28,10 +28,6 @@
# Append to tombstone files.
allow crash_dump tombstone_data_file:file { append getattr };
-# crash_dump writes out logcat logs at the bottom of tombstones,
-# which is super useful in some cases.
-unix_socket_connect(crash_dump, logdr, logd)
-
# Crash dump is not intended to access the following files. Since these
# are WAI, suppress the denials to clean up the logs.
dontaudit crash_dump {
@@ -56,7 +52,6 @@
-crash_dump
-init
-kernel
- -logd
-no_crash_dump_domain
-ueventd
-vendor_init
@@ -65,7 +60,6 @@
userdebug_or_eng(`
allow crash_dump {
apexd
- logd
}:process { ptrace signal sigchld sigstop sigkill };
')
diff --git a/microdroid/system/private/domain.te b/microdroid/system/private/domain.te
index 4c1baf5..7b8b037 100644
--- a/microdroid/system/private/domain.te
+++ b/microdroid/system/private/domain.te
@@ -73,8 +73,9 @@
allow domain init:key search;
-# logd access
-unix_socket_send(domain, logdw, logd)
+# Everyone can send log and read ro.log.file_logger.* properties
+allow domain log_device:chr_file ra_file_perms;
+get_prop(domain, log_prop)
# Directory/link file access for path resolution.
allow domain {
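Review bot: The added `allow domain log_device:chr_file ra_file_perms;` gives every domain read access to the log device as well as append, while the comment above it only speaks of sending logs. If the file logger only ever appends, a narrower set such as `allow domain log_device:chr_file { getattr open append };` would match the stated intent. Whether liblog needs more than that is not visible in this hunk and should be confirmed. The comment also refers to `ro.log.file_logger.*`, but the property_contexts change in this commit labels only the exact name `ro.log.file_logger.path`, so the comment could name that property instead.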
@@ -228,7 +229,6 @@
get_prop(domain, init_service_status_prop)
get_prop(domain, libc_debug_prop)
get_prop(domain, log_tag_prop)
-get_prop(domain, logd_prop)
get_prop(domain, property_service_version_prop)
allow domain linkerconfig_file:dir search;
diff --git a/microdroid/system/private/file_contexts b/microdroid/system/private/file_contexts
index cd1961f..152063c 100644
--- a/microdroid/system/private/file_contexts
+++ b/microdroid/system/private/file_contexts
@@ -53,7 +53,7 @@
/dev/fuse u:object_r:fuse_device:s0
/dev/hvc0 u:object_r:serial_device:s0
/dev/hvc1 u:object_r:serial_device:s0
-/dev/hvc2 u:object_r:serial_device:s0
+/dev/hvc2 u:object_r:log_device:s0
/dev/hw_random u:object_r:hw_random_device:s0
/dev/hwbinder u:object_r:hwbinder_device:s0
/dev/loop-control u:object_r:loop_control_device:s0
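Review bot: The relabel of `/dev/hvc2` to `log_device` has no comment, yet this entry decides which device the domain-wide grant added in domain.te applies to. A one-line comment above it would record that assumption, for example `# hvc2 carries guest logs; every domain may append to it (see domain.te)`. That hvc2 is the path the file logger writes to is inferred from this commit rather than shown, so the wording should be checked against the VM's console configuration.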
@@ -68,9 +68,6 @@
/dev/rtc[0-9] u:object_r:rtc_device:s0
/dev/socket(/.*)? u:object_r:socket_device:s0
/dev/socket/adbd u:object_r:adbd_socket:s0
-/dev/socket/logd u:object_r:logd_socket:s0
-/dev/socket/logdr u:object_r:logdr_socket:s0
-/dev/socket/logdw u:object_r:logdw_socket:s0
/dev/socket/property_service u:object_r:property_socket:s0
/dev/socket/statsdw u:object_r:statsdw_socket:s0
/dev/socket/tombstoned_crash u:object_r:tombstoned_crash_socket:s0
diff --git a/microdroid/system/private/logcat.te b/microdroid/system/private/logcat.te
deleted file mode 100644
index a5b59fb..0000000
--- a/microdroid/system/private/logcat.te
+++ /dev/null
@@ -1,22 +0,0 @@
-# logcat in Microdroid runs as a daemon process. It reads logs from logd and
-# emits the logs to the virtual serial console.
-typeattribute logcat coredomain;
-
-# logcat can be executed from init
-init_daemon_domain(logcat)
-
-# logcat can append to the virtual console devices
-allow logcat device:dir r_dir_perms;
-allow logcat serial_device:chr_file ra_file_perms;
-
-# logcat can get logs from logd
-read_logd(logcat)
-
-# Allow logcat to read ro.logd.ready so that it waits until logd is ready to
-# accept commands
-get_prop(logcat, logd_prop)
-
-allow logcat self:global_capability_class_set { sys_nice };
-
-# logcat uses bootstrap to be run before apexd
-use_bootstrap_libs(logcat)
diff --git a/microdroid/system/private/logd.te b/microdroid/system/private/logd.te
deleted file mode 100644
index 5381212..0000000
--- a/microdroid/system/private/logd.te
+++ /dev/null
@@ -1,47 +0,0 @@
-typeattribute logd coredomain;
-
-init_daemon_domain(logd)
-
-allow logd adbd:dir search;
-allow logd adbd:file { getattr open read };
-allow logd device:dir search;
-allow logd init:dir search;
-allow logd init:fd use;
-allow logd init:file { getattr open read };
-allow logd kernel:dir search;
-allow logd kernel:file { getattr open read };
-allow logd kernel:system { syslog_mod syslog_read };
-allow logd linkerconfig_file:dir search;
-allow logd microdroid_manager:dir search;
-allow logd microdroid_manager:file { getattr open read };
-allow logd null_device:chr_file { open read };
-#allow logd proc_kmsg:file read;
-r_dir_file(logd, cgroup)
-r_dir_file(logd, cgroup_v2)
-r_dir_file(logd, proc_kmsg)
-r_dir_file(logd, proc_meminfo)
-allow logd self:fifo_file { read write };
-allow logd self:file { getattr open read };
-allow logd self:global_capability_class_set { setuid setgid setpcap sys_nice audit_control };
-allow logd self:global_capability2_class_set syslog;
-#allow logd self:netlink_audit_socket getopt;
-allow logd self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
-allow logd kmsg_device:chr_file { getattr w_file_perms };
-r_dir_file(logd, domain)
-allow logd self:unix_stream_socket { accept getopt setopt shutdown };
-allow logd servicemanager:dir search;
-allow logd servicemanager:file { open read };
-allow logd tombstoned:dir search;
-allow logd tombstoned:file { getattr open read };
-allow logd ueventd:dir search;
-allow logd ueventd:file { getattr open read };
-control_logd(logd)
-read_runtime_log_tags(logd)
-
-# Logd sets defaults if certain properties are empty.
-set_prop(logd, logd_prop)
-
-# logd uses bootstrap to be run before apexd
-use_bootstrap_libs(logd)
-
-dontaudit domain runtime_event_log_tags_file:file { map open read };
diff --git a/microdroid/system/private/property_contexts b/microdroid/system/private/property_contexts
index 89609b9..569a0fe 100644
--- a/microdroid/system/private/property_contexts
+++ b/microdroid/system/private/property_contexts
@@ -40,9 +40,6 @@
service.adb.root u:object_r:shell_prop:s0 exact bool
-ro.logd.kernel u:object_r:logd_prop:s0 exact bool
-logd.ready u:object_r:logd_prop:s0 exact bool
-
dev.bootcomplete u:object_r:boot_status_prop:s0 exact bool
ro.config.low_ram u:object_r:build_prop:s0 exact bool
@@ -56,8 +53,6 @@
ro.boottime.init.first_stage u:object_r:boottime_prop:s0 exact int
ro.boottime.init.modules u:object_r:boottime_prop:s0 exact int
ro.boottime.init.selinux u:object_r:boottime_prop:s0 exact int
-ro.boottime.logd u:object_r:boottime_prop:s0 exact int
-ro.boottime.logd-reinit u:object_r:boottime_prop:s0 exact int
ro.boottime.microdroid_manager u:object_r:boottime_prop:s0 exact int
ro.boottime.servicemanager u:object_r:boottime_prop:s0 exact int
ro.boottime.tombstoned u:object_r:boottime_prop:s0 exact int
@@ -77,8 +72,6 @@
init.svc.apexd-vm u:object_r:init_service_status_private_prop:s0 exact string
init.svc.apkdmverity u:object_r:init_service_status_private_prop:s0 exact string
init.svc.authfs_service u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.logd u:object_r:init_service_status_private_prop:s0 exact string
-init.svc.logd-reinit u:object_r:init_service_status_private_prop:s0 exact string
init.svc.microdroid_manager u:object_r:init_service_status_private_prop:s0 exact string
init.svc.servicemanager u:object_r:init_service_status_private_prop:s0 exact string
init.svc.ueventd u:object_r:init_service_status_private_prop:s0 exact string
@@ -93,7 +86,6 @@
ro.boot.first_stage_console u:object_r:bootloader_prop:s0 exact string
ro.boot.force_normal_boot u:object_r:bootloader_prop:s0 exact string
ro.boot.hardware u:object_r:bootloader_prop:s0 exact string
-ro.boot.logd.enabled u:object_r:bootloader_prop:s0 exact bool
ro.boot.microdroid.app_debuggable u:object_r:bootloader_prop:s0 exact bool
ro.boot.microdroid.debuggable u:object_r:bootloader_prop:s0 exact bool
ro.boot.slot_suffix u:object_r:bootloader_prop:s0 exact string
@@ -141,6 +133,8 @@
persist.adb.wifi.guid u:object_r:adbd_prop:s0 exact string
+ro.log.file_logger.path u:object_r:log_prop:s0 exact string
+
log.tag u:object_r:log_tag_prop:s0 prefix
persist.log.tag u:object_r:log_tag_prop:s0 prefix
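Review bot: `ro.log.file_logger.path` is labelled `log_prop` here, and this commit declares microdroid's `log_prop` as a plain `type log_prop, property_type;` with no visible restriction on who may set it. The main policy in the same commit gives the property its own `log_file_logger_prop` type, marks it `system_restricted_prop`, and adds a neverallow limiting `set` to init. Since liblog in every domain reads this property to decide on the file logger, microdroid would benefit from the same guard, e.g. `neverallow { domain -init } log_prop:property_service set;` in its private policy. Microdroid may already restrict property writes in rules outside these hunks; if so, a comment pointing to that rule would be enough.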
diff --git a/microdroid/system/public/device.te b/microdroid/system/public/device.te
index f99084c..27efdc4 100644
--- a/microdroid/system/public/device.te
+++ b/microdroid/system/public/device.te
@@ -29,6 +29,7 @@
type random_device, dev_type;
type rtc_device, dev_type;
type serial_device, dev_type;
+type log_device, dev_type;
type socket_device, dev_type;
type tty_device, dev_type;
type tun_device, dev_type;
diff --git a/microdroid/system/public/file.te b/microdroid/system/public/file.te
index 57be060..47d29aa 100644
--- a/microdroid/system/public/file.te
+++ b/microdroid/system/public/file.te
@@ -11,9 +11,6 @@
type extra_apk_file, file_type;
type file_contexts_file, file_type, system_file_type;
type linkerconfig_file, file_type;
-type logd_socket, file_type, coredomain_socket;
-type logdr_socket, file_type, coredomain_socket;
-type logdw_socket, file_type, coredomain_socket;
type nativetest_data_file, file_type, data_file_type, core_data_file_type;
type property_contexts_file, file_type, system_file_type;
type property_socket, file_type, coredomain_socket;
diff --git a/microdroid/system/public/logcat.te b/microdroid/system/public/logcat.te
deleted file mode 100644
index cf2bb7e..0000000
--- a/microdroid/system/public/logcat.te
+++ /dev/null
@@ -1,2 +0,0 @@
-type logcat, domain;
-type logcat_exec, file_type, exec_type, system_file_type;
diff --git a/microdroid/system/public/logd.te b/microdroid/system/public/logd.te
deleted file mode 100644
index 67f601c..0000000
--- a/microdroid/system/public/logd.te
+++ /dev/null
@@ -1,2 +0,0 @@
-type logd, domain;
-type logd_exec, file_type, exec_type, system_file_type;
diff --git a/microdroid/system/public/property.te b/microdroid/system/public/property.te
index a04fc19..9363d9b 100644
--- a/microdroid/system/public/property.te
+++ b/microdroid/system/public/property.te
@@ -36,8 +36,8 @@
type init_service_status_prop, property_type;
type init_svc_debug_prop, property_type;
type libc_debug_prop, property_type;
+type log_prop, property_type;
type log_tag_prop, property_type;
-type logd_prop, property_type;
type microdroid_manager_roothash_prop, property_type;
type property_service_version_prop, property_type;
type shell_prop, property_type;
diff --git a/microdroid/system/public/shell.te b/microdroid/system/public/shell.te
index 00c2d0b..bde9cd9 100644
--- a/microdroid/system/public/shell.te
+++ b/microdroid/system/public/shell.te
@@ -5,10 +5,6 @@
# Create and use network sockets.
net_domain(shell)
-# logcat
-read_logd(shell)
-control_logd(shell)
-
# Root fs.
allow shell rootfs:dir r_dir_perms;
diff --git a/microdroid/system/public/statsd.te b/microdroid/system/public/statsd.te
index ea8ffa0..495d3f4 100644
--- a/microdroid/system/public/statsd.te
+++ b/microdroid/system/public/statsd.te
@@ -15,10 +15,6 @@
allow statsd system_file:file execute_no_trans;
allow statsd toolbox_exec:file rx_file_perms;
-# Allow logd access.
-read_logd(statsd)
-control_logd(statsd)
-
# Allow 'adb shell cmd' to upload configs and download output.
allow statsd adbd:fd use;
allow statsd adbd:unix_stream_socket { getattr read write };
diff --git a/microdroid/system/public/te_macros b/microdroid/system/public/te_macros
index 6db0d70..60332bd 100644
--- a/microdroid/system/public/te_macros
+++ b/microdroid/system/public/te_macros
@@ -590,41 +590,6 @@
define(`with_dexpreopt', ifelse(target_with_dexpreopt, `true', $1))
#####################################
-# write_logd(domain)
-# Ability to write to android log
-# daemon via sockets
-define(`write_logd', `
-unix_socket_send($1, logdw, logd)
-allow $1 pmsg_device:chr_file w_file_perms;
-')
-
-#####################################
-# read_logd(domain)
-# Ability to run logcat and read from android
-# log daemon via sockets
-define(`read_logd', `
-allow $1 logcat_exec:file rx_file_perms;
-unix_socket_connect($1, logdr, logd)
-')
-
-#####################################
-# read_runtime_log_tags(domain)
-# ability to directly map the runtime event log tags
-define(`read_runtime_log_tags', `
-allow $1 runtime_event_log_tags_file:file r_file_perms;
-')
-
-#####################################
-# control_logd(domain)
-# Ability to control
-# android log daemon via sockets
-define(`control_logd', `
-# Group AID_LOG checked by filesystem & logd
-# to permit control commands
-unix_socket_connect($1, logd, logd)
-')
-
-#####################################
# use_keystore(domain)
# Ability to use keystore.
# Keystore is requires the following permissions
diff --git a/private/domain.te b/private/domain.te
index c585613..3d59a27 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -117,6 +117,10 @@
# Allow all processes to check for the existence of the boringssl_self_test_marker files.
allow domain boringssl_self_test_marker:dir search;
+# Allow all processes to read the file_logger property that liblog uses to check if file_logger
+# should be used.
+get_prop(domain, log_file_logger_prop)
+
# No domains other than a select few can access the misc_block_device. This
# block device is reserved for OTA use.
# Do not assert this rule on userdebug/eng builds, due to some devices using
diff --git a/private/property.te b/private/property.te
index bb49742..805b70d 100644
--- a/private/property.te
+++ b/private/property.te
@@ -51,6 +51,7 @@
# Properties which can't be written outside system
system_restricted_prop(device_config_virtualization_framework_native_prop)
+system_restricted_prop(log_file_logger_prop)
###
### Neverallow rules
@@ -672,3 +673,7 @@
-profcollectd
} profcollectd_node_id_prop:file r_file_perms;
+neverallow {
+ domain
+ -init
+} log_file_logger_prop:property_service set;
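Review bot: The neverallow added at the end of the file has no comment saying why only init may set `log_file_logger_prop`. A short comment above it, such as `# Only init may set the file_logger property; every domain reads it via liblog.`, would let a later reviewer judge any new exception against the intent. It would also help to note that this is deliberately stricter than the `system_restricted_prop` declaration added earlier in this file.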
diff --git a/private/property_contexts b/private/property_contexts
index c76fe09..a67ea73 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -43,6 +43,7 @@
log. u:object_r:log_prop:s0
log.tag u:object_r:log_tag_prop:s0
log.tag.WifiHAL u:object_r:wifi_log_prop:s0
+ro.log.file_logger.path u:object_r:log_file_logger_prop:s0 exact string
security.perf_harden u:object_r:shell_prop:s0
persist.simpleperf.profile_app_uid u:object_r:shell_prop:s0
persist.simpleperf.profile_app_expiration_time u:object_r:shell_prop:s0
@@ -559,6 +560,8 @@
bluetooth.core.le.connection_scan_window_coded_fast u:object_r:bluetooth_config_prop:s0 exact uint
bluetooth.core.le.connection_scan_interval_slow u:object_r:bluetooth_config_prop:s0 exact uint
bluetooth.core.le.connection_scan_window_slow u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.inquiry_scan_interval u:object_r:bluetooth_config_prop:s0 exact uint
+bluetooth.core.le.inquiry_scan_window u:object_r:bluetooth_config_prop:s0 exact uint
persist.nfc.debug_enabled u:object_r:nfc_prop:s0 exact bool