SELinux policy for users of libcutils klog_write.
klog_write/init create /dev/__kmsg__ backed by a kernel character device, keep the file descriptor, and then immediately unlink the file. Change-Id: I729d224347a003eaca29299d216a53c99cc3197c
This commit is contained in:
parent
5d54d483a0
commit
77ec892be6
@ -49,6 +49,7 @@ type uhid_device, dev_type;
type tun_device, dev_type, mlstrustedobject;
type usbaccessory_device, dev_type;
type usb_device, dev_type;
type klog_device, dev_type;
type properties_device, dev_type;
# All devices have a uart for the hci
@ -114,6 +114,7 @@
/dev/watchdog u:object_r:watchdog_device:s0
/dev/xt_qtaguid u:object_r:qtaguid_device:s0
/dev/zero u:object_r:zero_device:s0
/dev/__kmsg__ u:object_r:klog_device:s0
/dev/__properties__ u:object_r:properties_device:s0
#############################
# System files
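Review bot: The new `/dev/__kmsg__` entry only takes effect on a relabel, not when the node is made: the commit description says klog_init creates the node and unlinks it right away, and the type it carries while it exists comes from the `type_transition` in write_klog, not from this line. A reader of file_contexts alone will assume this entry is what labels the node, so a short comment above it would help, e.g. `# transient node created by klog_init(); listed so a leftover node (e.g. after a crash between create and unlink) is relabeled`. Nothing else in the hunk changes.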
11
te_macros
11
te_macros
@ -284,3 +284,14 @@ allow $1 system_file:file x_file_perms;
define(`access_kmsg', `
allow $1 kernel:system syslog_read;
')
#####################################
# write_klog(domain)
# Ability to write to kernel log via
# klog_write()
# See system/core/libcutil/klog.c
define(`write_klog', `
type_transition $1 device:chr_file klog_device "__kmsg__";
allow $1 klog_device:chr_file { create open write unlink };
allow $1 device:dir { add_name remove_name };
')
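Review bot: write_klog grants `create` on klog_device:chr_file but not the `mknod` capability, which the kernel checks before a domain may create a character device node, so a caller without `allow $1 self:capability mknod;` will still be denied in klog_init(); ueventd and init presumably hold it already, but the macro should either grant it or state the assumption in its header. The `create` permission is also not tied to any particular device number, so in principle a domain given this macro ends up able to write to a character device other than the kernel log; that is a least-privilege caveat worth one sentence in the header, e.g. `# Callers must also hold capability mknod; create is not limited to the kmsg device number, so grant sparingly.`. The path in the comment is misspelled relative to the commit title: `# See system/core/libcutils/klog.c`.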
@ -2,6 +2,7 @@
# it lives in the rootfs and has no unique file type.
type ueventd, domain;
tmpfs_domain(ueventd)
write_klog(ueventd)
security_access_policy(ueventd)
allow ueventd rootfs:file entrypoint;
allow ueventd init:process sigchld;