From 08f494d200f6c438ec2cb6b125ac5f5de9402f97 Mon Sep 17 00:00:00 2001
From: Mike Ma
Date: Fri, 17 Jan 2020 19:00:16 -0800
Subject: [PATCH] Allow incidentd to parse persisted log

Allow incidentd to run incident-helper-cmd, a Java program spawn by app_process. Allow incidentd to read /data/misc/logd and its files on userdebug and eng build.

Bug: 147924172
Test: Build, flash and verify "adb shell incident -p EXPLICIT 1116" can parse persisted logs.
Change-Id: Id0aa4286c304a336741ce8c0949b12ec559c2e16
---
 private/incidentd.te | 8 ++++++++
 private/logpersist.te | 2 +-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/private/incidentd.te b/private/incidentd.te
index b806f6e69..45499fc03 100644
--- a/private/incidentd.te
+++ b/private/incidentd.te
@@ -128,10 +128,18 @@ unix_socket_connect(incidentd, tombstoned_intercept, tombstoned)
 # Run a shell.
 allow incidentd shell_exec:file rx_file_perms;
+# For running am, incident-helper-cmd and similar framework commands.
+# Run /system/bin/app_process.
+allow incidentd zygote_exec:file { rx_file_perms };
+
 # logd access - work to be done is a PII safe log (possibly an event log?)
 userdebug_or_eng(`read_logd(incidentd)')
 # TODO control_logd(incidentd)
+# Access /data/misc/logd
+allow incidentd misc_logd_file:dir r_dir_perms;
+allow incidentd misc_logd_file:file r_file_perms;
+
 # Allow incidentd to find these standard groups of services.
 # Others can be whitelisted individually.
 allow incidentd {
diff --git a/private/logpersist.te b/private/logpersist.te
index 6f6ab5056..ac324df88 100644
--- a/private/logpersist.te
+++ b/private/logpersist.te
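Review bot: The two new `misc_logd_file` allow rules under `# Access /data/misc/logd` are unconditional, although the commit message limits this access to userdebug and eng builds and the `read_logd(incidentd)` line just above them is already wrapped in `userdebug_or_eng`. As written, the policy for user builds also gives incidentd read access to the persisted log directory and its files. Both rules should sit inside one `userdebug_or_eng` wrapper so the grant matches the stated intent. The private/logpersist.te hunk has the same gap: `-incidentd` is added to the neverallow outside its existing `userdebug_or_eng` group and should move inside it, next to `-logpersist -logd`. The `allow incidentd {` block at the end of this hunk continues outside it.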
@@ -24,6 +24,6 @@ neverallow logpersist {
 userdebug_or_eng(`-misc_logd_file -coredump_file')
 with_native_coverage(`-method_trace_data_file')
 }:file { create write append };
-neverallow { domain -init -dumpstate userdebug_or_eng(`-logpersist -logd') } misc_logd_file:file no_rw_file_perms;
+neverallow { domain -init -dumpstate -incidentd userdebug_or_eng(`-logpersist -logd') } misc_logd_file:file no_rw_file_perms;
 neverallow { domain -init userdebug_or_eng(`-logpersist -logd') } misc_logd_file:file no_w_file_perms;
 neverallow { domain -init userdebug_or_eng(`-logpersist -logd') } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write };