Blame - private/logpersist.te - android_system_sepolicy

blob: 34022d64cc5446ace50f8ca35ce817f1b6764e73 [file] [log] [blame]

Alex Klyubin	f5446eb	2017-03-23 14:27:32 -0700	[diff] [blame]	1	typeattribute logpersist coredomain;
				2
Mark Salyzyn	da62cb4	2016-08-10 11:10:02 -0700	[diff] [blame]	3	# android debug log storage in logpersist domains (eng and userdebug only)
				4	userdebug_or_eng(`
				5
				6	r_dir_file(logpersist, cgroup)
Marco Ballesio	aa4ce95	2021-02-11 15:18:11 -0800	[diff] [blame]	7	r_dir_file(logpersist, cgroup_v2)
Mark Salyzyn	da62cb4	2016-08-10 11:10:02 -0700	[diff] [blame]	8
				9	allow logpersist misc_logd_file:file create_file_perms;
				10	allow logpersist misc_logd_file:dir rw_dir_perms;
				11
Benjamin Gordon	9b2e0cb	2017-11-09 15:51:26 -0700	[diff] [blame]	12	allow logpersist self:global_capability_class_set sys_nice;
Mark Salyzyn	da62cb4	2016-08-10 11:10:02 -0700	[diff] [blame]	13	allow logpersist pstorefs:dir search;
				14	allow logpersist pstorefs:file r_file_perms;
				15
				16	control_logd(logpersist)
				17	unix_socket_connect(logpersist, logdr, logd)
Jiyong Park	ff30483	2021-11-22 14:18:03 +0900	[diff] [blame]	18	get_prop(logpersist, logd_prop)
Mark Salyzyn	d33a9a1	2016-11-07 15:11:39 -0800	[diff] [blame]	19	read_runtime_log_tags(logpersist)
Mark Salyzyn	da62cb4	2016-08-10 11:10:02 -0700	[diff] [blame]	20
				21	')
				22
Inseob Kim	75806ef	2024-03-27 17:18:41 +0900	[diff] [blame^]	23	# logcatd is a shell script that execs logcat with various parameters.
				24	allow logpersist shell_exec:file rx_file_perms;
				25	allow logpersist logcat_exec:file rx_file_perms;
				26
				27	allowxperm logpersist misc_logd_file:file ioctl {
				28	F2FS_IOC_RELEASE_COMPRESS_BLOCKS
				29	FS_IOC_SETFLAGS
				30	};
				31
				32	###
				33	### Neverallow rules
				34	###
				35	### logpersist should NEVER do any of this
				36
				37	# Block device access.
				38	neverallow logpersist dev_type:blk_file { read write };
				39
				40	# ptrace any other app
				41	neverallow logpersist domain:process ptrace;
				42
				43	# Write to files in /data/data or system files on /data except misc_logd_file
				44	neverallow logpersist { app_data_file_type system_data_file }:dir_file_class_set write;
				45
				46	# Only init should be allowed to enter the logpersist domain via exec()
				47	# Following is a list of debug domains we know that transition to logpersist
				48	# neverallow_with_undefined_domains {
				49	# domain
				50	# -init # goldfish, logcatd, raft
				51	# -mmi # bat, mtp8996, msmcobalt
				52	# -system_app # Smith.apk
				53	# } logpersist:process transition;
				54	neverallow * logpersist:process dyntransition;
				55
Mark Salyzyn	da62cb4	2016-08-10 11:10:02 -0700	[diff] [blame]	56	# logpersist is allowed to write to /data/misc/log for userdebug and eng builds
Pirama Arumuga Nainar	ce9c0c5	2019-06-13 15:05:15 -0700	[diff] [blame]	57	neverallow logpersist {
				58	file_type
				59	userdebug_or_eng(`-misc_logd_file -coredump_file')
				60	with_native_coverage(`-method_trace_data_file')
				61	}:file { create write append };
Mike Ma	08f494d	2020-01-17 19:00:16 -0800	[diff] [blame]	62	neverallow { domain -init -dumpstate -incidentd userdebug_or_eng(`-logpersist -logd') } misc_logd_file:file no_rw_file_perms;
Tom Cherry	77f8d4f	2019-07-08 13:17:03 -0700	[diff] [blame]	63	neverallow { domain -init userdebug_or_eng(`-logpersist -logd') } misc_logd_file:file no_w_file_perms;
Mark Salyzyn	384ce66	2016-09-13 09:33:35 -0700	[diff] [blame]	64	neverallow { domain -init userdebug_or_eng(`-logpersist -logd') } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write };