From 84cfde229ce05f44944df1237c4e9465c04c67d3 Mon Sep 17 00:00:00 2001
From: mukesh agrawal <quiche@google.com>
Date: Fri, 15 Apr 2016 11:10:06 -0700
Subject: [PATCH] limit shell's access to log.* properties

Restrict the ability of the shell to set the log.*
properties. Namely: only allow the shell to set
such properties on eng and userdebug builds.

The shell (and other domains) can continue to
read log.* properties on all builds.

While there: harmonize permissions for log.* and
persist.log.tag. Doing so introduces two changes:
- log.* is now writable from |system_app|. This
  mirrors the behavior of persist.log.tag, which is
  writable to support "Developer options" ->
  "Logger buffer sizes" -> "Off".
  (Since this option is visible on user builds, the
  permission is enabled for all builds.)
- persist.log.tag can now be set from |shell| on
  userdebug_or_eng().

BUG=28221972
TEST=manual (see below)

Testing details
- user build (log.tag)
  $ adb shell setprop log.tag.foo V
  $ adb shell getprop log.tag
  <blank line>
  $ adb bugreport | grep log.tag.foo
  [  146.525836] init: avc:  denied  { set } for property=log.tag.foo pid=4644 uid=2000 gid=2000 scontext=u:r:shell:s0 tcontext=u:object_r:log_prop:s0 tclass=property_service permissive=0
  [  146.525878] init: sys_prop: permission denied uid:2000  name:log.tag.foo
- userdebug build (log.tag)
  $ adb shell getprop log.tag.foo
  <blank line>
  $ adb shell setprop log.tag.foo V
  $ adb shell getprop log.tag.foo
  V
- user build (persist.log.tag)
  $ adb shell getprop | grep log.tag
  <no match>
  - Developer options -> Logger buffer sizes -> Off
  $ adb shell getprop | grep log.tag
  [persist.log.tag]: [Settings]
  [persist.log.tag.snet_event_log]: [I]

Change-Id: Idf00e7a623723a7c46bf6d01e386aeca92b2ad75
---
 attributes        | 3 +++
 domain.te         | 3 +++
 property.te       | 1 +
 property_contexts | 4 ++--
 shell.te          | 1 +
 system_app.te     | 1 +
 6 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/attributes b/attributes
index 485b3e9a9..30220297a 100644
--- a/attributes
+++ b/attributes
@@ -67,6 +67,9 @@ attribute property_type;
 # used by device specific properties
 attribute core_property_type;
 
+# All properties used to configure log filtering.
+attribute log_property_type;
+
 # All service_manager types created by system_server
 attribute system_server_service;
 
diff --git a/domain.te b/domain.te
index 9001773b5..294f26e1d 100644
--- a/domain.te
+++ b/domain.te
@@ -83,6 +83,9 @@ allow domain properties_serial:file r_file_perms;
 # For now, everyone can access core property files
 # Device specific properties are not granted by default
 get_prop(domain, core_property_type)
+# Let everyone read log properties, so that liblog can avoid sending unloggable
+# messages to logd.
+get_prop(domain, log_property_type)
 dontaudit domain property_type:file audit_access;
 allow domain property_contexts:file r_file_perms;
 
diff --git a/property.te b/property.te
index 168024570..a7370aec6 100644
--- a/property.te
+++ b/property.te
@@ -21,6 +21,7 @@ type ctl_rildaemon_prop, property_type;
 type ctl_bugreport_prop, property_type;
 type ctl_console_prop, property_type;
 type audio_prop, property_type, core_property_type;
+type log_prop, property_type, log_property_type;
 type logd_prop, property_type, core_property_type;
 type mmc_prop, property_type;
 type restorecon_prop, property_type, core_property_type;
diff --git a/property_contexts b/property_contexts
index 1329854b4..e63416554 100644
--- a/property_contexts
+++ b/property_contexts
@@ -32,7 +32,7 @@ bluetooth.              u:object_r:bluetooth_prop:s0
 debug.                  u:object_r:debug_prop:s0
 debug.db.               u:object_r:debuggerd_prop:s0
 dumpstate.              u:object_r:dumpstate_prop:s0
-log.                    u:object_r:shell_prop:s0
+log.                    u:object_r:log_prop:s0
 service.adb.root        u:object_r:shell_prop:s0
 service.adb.tcp.port    u:object_r:shell_prop:s0
 
@@ -40,7 +40,7 @@ persist.audio.          u:object_r:audio_prop:s0
 persist.debug.          u:object_r:persist_debug_prop:s0
 persist.logd.           u:object_r:logd_prop:s0
 persist.logd.security   u:object_r:device_logging_prop:s0
-persist.log.tag         u:object_r:logd_prop:s0
+persist.log.tag         u:object_r:log_prop:s0
 persist.mmc.            u:object_r:mmc_prop:s0
 persist.sys.            u:object_r:system_prop:s0
 persist.sys.safemode    u:object_r:safemode_prop:s0
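Review bot: Moving `persist.log.tag` from `logd_prop` to `log_prop` silently drops write access for any domain that set it through an existing `set_prop(..., logd_prop)` rule, and the `log.` relabel from `shell_prop` in the previous hunk does the same for `shell_prop` writers. The patch only re-grants `log_prop` to `shell` (debuggable builds) and `system_app`, so it is worth grepping the core and device-specific policy for other `logd_prop` and `shell_prop` writers and confirming that none of them relied on these two prefixes. A one-line comment above the entry such as `# log.* and persist.log.tag share log_prop; writers are listed in shell.te and system_app.te` would make the coupling visible from this file.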
diff --git a/shell.te b/shell.te
index a314c6126..ad610b42c 100644
--- a/shell.te
+++ b/shell.te
@@ -63,6 +63,7 @@ set_prop(shell, ctl_dumpstate_prop)
 set_prop(shell, dumpstate_prop)
 set_prop(shell, debug_prop)
 set_prop(shell, powerctl_prop)
+userdebug_or_eng(`set_prop(shell, log_prop)')
 
 # systrace support - allow atrace to run
 allow shell debugfs_tracing:dir r_dir_perms;
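Review bot: The new `userdebug_or_eng(...)` line is the only gated entry in this run of `set_prop(shell, ...)` rules and carries no comment saying why, so a later cleanup could easily "harmonize" it back to an unconditional grant. I would add something like `# Log filtering (log.*, persist.log.tag) may only be changed from the shell on debuggable builds; reads stay allowed via domain.te.` directly above it. The surrounding list of shell property rules starts outside this hunk, so check that no earlier rule there still grants a type covering `log.` on user builds.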
diff --git a/system_app.te b/system_app.te
index afc2be5f5..b3f4b3019 100644
--- a/system_app.te
+++ b/system_app.te
@@ -31,6 +31,7 @@ set_prop(system_app, system_prop)
 set_prop(system_app, logd_prop)
 set_prop(system_app, net_radio_prop)
 set_prop(system_app, system_radio_prop)
+set_prop(system_app, log_prop)
 auditallow system_app net_radio_prop:property_service set;
 auditallow system_app system_radio_prop:property_service set;
 
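Review bot: `set_prop(system_app, log_prop)` is granted on every build and covers the whole `log.` prefix as well as `persist.log.tag`, while the only use the commit message names is the Developer options path that writes `persist.log.tag`. Since this becomes the remaining non-debug writer of log filtering, the reason should be recorded next to the rule, for example `# Settings writes persist.log.tag for "Logger buffer sizes" -> "Off"; log.* is included only because both share log_prop.` If no system app needs to write the runtime `log.*` properties, a separate type for `persist.log.tag` would keep the user-build grant to what is actually used. An `auditallow system_app log_prop:property_service set;` alongside the two existing `auditallow` lines would also show which of the two prefixes is written in practice.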
-- 
GitLab