From 483fd267359a457ca4ac4c4a2cbce38af6c15981 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Mon, 21 Sep 2015 16:22:21 -0700
Subject: [PATCH] Enforce no persistent logging on user builds

For userdebug and eng builds enforce that:

 - only logd and shell domains may access logd files

 - logd is only allowed to write to /data/misc/logd

Change-Id: Ie909cf701fc57109257aa13bbf05236d1777669a
---
 domain.te |  3 +++
 init.te   |  2 +-
 logd.te   | 11 +++++++++--
 shell.te  |  6 ++++--
 4 files changed, 17 insertions(+), 5 deletions(-)

diff --git a/domain.te b/domain.te
index bfbceabc6..e0fc81729 100644
--- a/domain.te
+++ b/domain.te
@@ -533,3 +533,6 @@ neverallow domain ~servicemanager:service_manager list;
 
 # only service_manager_types can be added to service_manager
 neverallow domain ~service_manager_type:service_manager { add find };
+
+# logpersist is only allowed on userdebug/eng builds
+neverallow { domain userdebug_or_eng(`-logd -shell') } misc_logd_file:file rw_file_perms;
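Review bot: The new neverallow on the last line of the hunk covers only `misc_logd_file:file rw_file_perms`, so a domain other than logd or shell that is granted just `create`, `unlink`, `rename` or `setattr` on these files, or any permission on the `misc_logd_file:dir` class, would still pass policy compilation; that is narrower than the commit's "only logd and shell domains may access logd files". If full exclusion is the intent, replacing `rw_file_perms` with `create_file_perms` in the new rule and adding a matching `:dir` neverallow would close the gap; if read/write is all that matters here, the comment should say so. The comment could also state the user-build effect, since the macro then expands to nothing and the rule applies to every domain including logd: `# on user builds no domain, including logd, may read or write these files`.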
diff --git a/init.te b/init.te
index 6b5709835..1f33a9781 100644
--- a/init.te
+++ b/init.te
@@ -98,7 +98,7 @@ allow init rootfs:file relabelfrom;
 allow init self:capability { chown fowner fsetid };
 allow init {file_type -system_file -exec_type -app_data_file}:dir { create search getattr open read setattr ioctl };
 allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:dir { write add_name remove_name rmdir relabelfrom };
-allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:file { create getattr open read write setattr relabelfrom unlink };
+allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file -misc_logd_file }:file { create getattr open read write setattr relabelfrom unlink };
 allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
 allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:lnk_file { create getattr setattr relabelfrom unlink };
 allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;
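Review bot: Style: the new exclusion is written `-misc_logd_file }` with a space before the closing brace, unlike every other type set on these lines; `-misc_logd_file}` keeps them uniform. The `:dir`, `:{ sock_file fifo_file }` and `:lnk_file` rules around the changed line still include misc_logd_file; presumably the dir permission is needed so init can create the directory, but a one-line comment naming why only the file class is excluded would save the next reader the cross-reference, e.g. `# misc_logd_file excluded: only logd may write these files (neverallow in domain.te)`.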
diff --git a/logd.te b/logd.te
index b0d978f3d..56d0d2a71 100644
--- a/logd.te
+++ b/logd.te
@@ -10,8 +10,11 @@ allow logd self:netlink_audit_socket { create_socket_perms nlmsg_write };
 allow logd kernel:system syslog_read;
 allow logd kmsg_device:chr_file w_file_perms;
 allow logd system_data_file:file r_file_perms;
-allow logd misc_logd_file:file create_file_perms;
-allow logd misc_logd_file:dir rw_dir_perms;
+# logpersist is only allowed on userdebug and eng builds
+userdebug_or_eng(`
+  allow logd misc_logd_file:file create_file_perms;
+  allow logd misc_logd_file:dir rw_dir_perms;
+')
 allow logd pstorefs:dir search;
 allow logd pstorefs:file r_file_perms;
 
@@ -42,3 +45,7 @@ neverallow logd system_file:dir_file_class_set write;
 
 # Write to files in /data/data or system files on /data
 neverallow logd { app_data_file system_data_file }:dir_file_class_set write;
+
+# logd is not allowed to write anywhere other than /misc/data/logd, and then
+# only on userdebug or eng builds
+neverallow logd { file_type -logd_tmpfs userdebug_or_eng(` -misc_logd_file -coredump_file ') }:file write;
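Review bot: The path in the new comment is reversed: misc_logd_file labels /data/misc/logd, as the commit message says, not `/misc/data/logd`; the line should read `# logd is not allowed to write anywhere other than /data/misc/logd, and then`. Separately, the neverallow names only `write`; `append`, which w_file_perms also grants, is not covered, so an allow of append on some other file_type would not be rejected. If the intent is that logd persists nothing outside /data/misc/logd, `:file { write append }` would be tighter, though I cannot see from this hunk whether any existing rule grants append.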
diff --git a/shell.te b/shell.te
index 84e180274..893403a3a 100644
--- a/shell.te
+++ b/shell.te
@@ -16,8 +16,10 @@ control_logd(shell)
 allow shell pstorefs:dir search;
 allow shell pstorefs:file r_file_perms;
 # logpersistd (nee logcatd) files
-allow shell misc_logd_file:dir r_dir_perms;
-allow shell misc_logd_file:file r_file_perms;
+userdebug_or_eng(`
+  allow shell misc_logd_file:dir r_dir_perms;
+  allow shell misc_logd_file:file r_file_perms;
+')
 
 # read files in /data/anr
 allow shell anr_data_file:dir r_dir_perms;
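Review bot: The existing comment `# logpersistd (nee logcatd) files` now heads a block that exists only on userdebug/eng builds, but unlike the matching change in logd.te it does not say so; `# logpersistd (nee logcatd) files, userdebug/eng builds only` keeps the two files consistent. On user builds shell is left with no access to misc_logd_file at all, which matches the new neverallow in domain.te.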
-- 