SELinux policy for users of libcutils klog_write.

klog_write/init create /dev/__kmsg__ backed by a kernel character
device, keep the file descriptor, and then immediately unlink the
file.

Change-Id: I729d224347a003eaca29299d216a53c99cc3197c

device.te

@@ -49,6 +49,7 @@ type uhid_device, dev_type;
 type tun_device, dev_type, mlstrustedobject;
 type usbaccessory_device, dev_type;
 type usb_device, dev_type;
+type klog_device, dev_type;
 type properties_device, dev_type;
 
 # All devices have a uart for the hci

file_contexts

@@ -114,6 +114,7 @@
 /dev/watchdog		u:object_r:watchdog_device:s0
 /dev/xt_qtaguid	u:object_r:qtaguid_device:s0
 /dev/zero		u:object_r:zero_device:s0
+/dev/__kmsg__		u:object_r:klog_device:s0
 /dev/__properties__ u:object_r:properties_device:s0
 #############################
 # System files

te_macros

@@ -284,3 +284,14 @@ allow $1 system_file:file x_file_perms;
 define(`access_kmsg', `
 allow $1 kernel:system syslog_read;
 ')
+
+#####################################
+# write_klog(domain)
+# Ability to write to kernel log via
+# klog_write()
+# See system/core/libcutil/klog.c
+define(`write_klog', `
+type_transition $1 device:chr_file klog_device "__kmsg__";
+allow $1 klog_device:chr_file { create open write unlink };
+allow $1 device:dir { add_name remove_name };
+')

ueventd.te

@@ -2,6 +2,7 @@
 # it lives in the rootfs and has no unique file type.
 type ueventd, domain;
 tmpfs_domain(ueventd)
+write_klog(ueventd)
 security_access_policy(ueventd)
 allow ueventd rootfs:file entrypoint;
 allow ueventd init:process sigchld;

vold.te

@@ -32,6 +32,8 @@ allow vold self:capability { sys_boot };
 # XXX Label sysfs files with a specific type?
 allow vold sysfs:file rw_file_perms;
 
+write_klog(vold)
+
 #
 # Rules to support encrypted fs support.
 #