# logd belongs to the core platform (coredomain attribute) and is launched by
# init as a daemon in its own domain via the init_daemon_domain() macro.
typeattribute logd coredomain;

init_daemon_domain(logd)

# logd is not allowed to write anywhere other than /data/misc/logd, and then
# only on userdebug or eng builds.
#
# This is a neverallow, i.e. a policy-compile-time assertion rather than a
# grant: the build fails if any other rule gives logd create/write/append on a
# file_type that is not excluded here. Exclusions are logd's own tmpfs, the
# runtime event-log-tags file, and -- only where the userdebug_or_eng() m4
# macro expands its argument, per the comment above -- coredump_file and
# misc_logd_file. On user builds those last two exclusions vanish, so the
# assertion is strictly tighter there.
# TODO: deal with tmpfs_domain pub/priv split properly
neverallow logd {
    file_type
    -logd_tmpfs
    -runtime_event_log_tags_file
    userdebug_or_eng(`-coredump_file -misc_logd_file')
}:file { create write append };

# protect the event-log-tags file
#
# Every domain except those subtracted below is forbidden the no_rw_file_perms
# set on runtime_event_log_tags_file (the macro's expansion is defined
# elsewhere). Subtracting a domain here does not grant it anything; it only
# leaves it eligible to be granted access by an allow rule elsewhere.
# logpersist is subtracted only where userdebug_or_eng() expands. appdomain is
# carved out here as a whole and constrained by the narrower rule below.
neverallow {
    domain
    -appdomain # covered below
    -bootstat
    -dumpstate
    -init
    -logd
    userdebug_or_eng(`-logpersist')
    -servicemanager
    -system_server
    -surfaceflinger
    -zygote
} runtime_event_log_tags_file:file no_rw_file_perms;

# Same assertion for the app domains set aside above: only bluetooth,
# platform_app, priv_app, radio, shell, system_app (and su where
# userdebug_or_eng() expands) may be granted no_rw_file_perms on the file;
# any other app domain doing so is a build error.
neverallow {
    appdomain
    -bluetooth
    -platform_app
    -priv_app
    -radio
    -shell
    userdebug_or_eng(`-su')
    -system_app
} runtime_event_log_tags_file:file no_rw_file_perms;