d33a9a194b
Create an event_log_tags_file label and use it for /dev/event-log-tags. Only trusted system log readers are allowed direct read access to this file, no write access. Untrusted domain requests lack direct access, and are thus checked for credentials via the "plan b" long path socket to the event log tag service. Test: gTest logd-unit-tests, liblog-unit-tests and logcat-unit-tests Bug: 31456426 Bug: 30566487 Change-Id: Ib9b71ca225d4436d764c9bc340ff7b1c9c252a9e
23 lines
932 B
Plaintext
23 lines
932 B
Plaintext
# android debug log storage in logpersist domains (eng and userdebug only)
|
|
userdebug_or_eng(`
|
|
|
|
r_dir_file(logpersist, cgroup)
|
|
|
|
allow logpersist misc_logd_file:file create_file_perms;
|
|
allow logpersist misc_logd_file:dir rw_dir_perms;
|
|
|
|
allow logpersist self:capability sys_nice;
|
|
allow logpersist pstorefs:dir search;
|
|
allow logpersist pstorefs:file r_file_perms;
|
|
|
|
control_logd(logpersist)
|
|
unix_socket_connect(logpersist, logdr, logd)
|
|
read_runtime_log_tags(logpersist)
|
|
|
|
')
|
|
|
|
# logpersist is allowed to write to /data/misc/log for userdebug and eng builds
|
|
neverallow logpersist { file_type userdebug_or_eng(`-misc_logd_file -coredump_file') }:file { create write append };
|
|
neverallow { domain userdebug_or_eng(`-logpersist -dumpstate') } misc_logd_file:file no_rw_file_perms;
|
|
neverallow { domain userdebug_or_eng(`-logpersist') } misc_logd_file:dir { add_name link relabelfrom remove_name rename reparent rmdir write };
|