From 8ed750e9731e6e3a21785e91e9b1cf7390c16738 Mon Sep 17 00:00:00 2001
From: Mark Salyzyn <salyzyn@google.com>
Date: Tue, 12 Nov 2013 15:34:52 -0800
Subject: [PATCH] sepolicy: Add write_logd, read_logd & control_logd

- Add write_logd, read_logd and control_logd macros added along with contexts for user space logd.
- Specify above on domain wide, or service-by-service basis
- Add logd rules.
- deprecate access_logcat as unused.
- 'allow <domain> zygote:unix_dgram_socket write;' rule added to deal with fd inheritance.

ToDo: investigate means to allow references to close, and reopen in context of application or call setsockcreatecon() to label them in child context.

Change-Id: I35dbb9d5122c5ed9b8c8f128abf24a871d6b26d8
---
 app.te | 5 +++++
 debuggerd.te | 3 +++
 domain.te | 3 +++
 dumpstate.te | 4 ++++
 file.te | 4 ++++
 file_contexts | 5 +++++
 logd.te | 34 ++++++++++++++++++++++++++++++++++
 system_server.te | 4 ++++
 te_macros | 41 ++++++++++++++++++++++++++++++++---------
 9 files changed, 94 insertions(+), 9 deletions(-)
 create mode 100644 logd.te

diff --git a/app.te b/app.te
index c4b33314a..a0672c78f 100644
--- a/app.te
+++ b/app.te
@@ -187,6 +187,11 @@ selinux_check_context(appdomain)
 # Validate that each process is running in the correct security context.
 allow appdomain domain:process getattr;
 
+# logd access
+read_logd(appdomain)
+# application inherit logd write socket (urge is to deprecate this long term)
+allow appdomain zygote:unix_dgram_socket write;
+
 ###
 ### Neverallow rules
 ###
diff --git a/debuggerd.te b/debuggerd.te
index 0443aef18..738dac2b5 100644
--- a/debuggerd.te
+++ b/debuggerd.te
@@ -23,3 +23,6 @@ allow debuggerd system_data_file:file open;
 
 # Connect to system_server via /data/system/ndebugsocket.
 unix_socket_connect(debuggerd, system_ndebug, system_server)
+
+# logd access
+read_logd(debuggerd)
diff --git a/domain.te b/domain.te
index 6f0ee1331..8c66e1bce 100644
--- a/domain.te
+++ b/domain.te
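Review bot: The new `allow appdomain zygote:unix_dgram_socket write;` is keyed on the socket's creating domain, so it grants every app domain write access to any datagram socket zygote creates, not only the inherited logd write socket; the commit's ToDo acknowledges the problem, but the rule itself carries no bound and the comment does not say which socket it is for. Until zygote labels the fd with setsockcreatecon() as the description proposes, the comment should state the assumption, e.g. `# Inherited from zygote: the fd connected to logdw. Any other dgram socket zygote hands to an app is also writable under this rule; drop it once zygote labels the socket via setsockcreatecon().` The read_logd(appdomain) line likewise lets every app connect to the reader socket, and if reading is actually gated by logd's own uid/group checks rather than by SELinux, a one-line note beside it would tell the next reader that. The appdomain definition and its neverallow section continue outside this hunk.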
@@ -72,6 +72,9 @@ allow domain urandom_device:chr_file rw_file_perms;
 allow domain random_device:chr_file rw_file_perms;
 allow domain properties_device:file r_file_perms;
 
+# logd access
+write_logd(domain)
+
 # Filesystem accesses.
 allow domain fs_type:filesystem getattr;
 allow domain fs_type:dir getattr;
diff --git a/dumpstate.te b/dumpstate.te
index 597742281..8ecb6cc24 100644
--- a/dumpstate.te
+++ b/dumpstate.te
@@ -86,3 +86,7 @@ allow dumpstate dumpstate_tmpfs:file execute;
 allow dumpstate self:process execmem;
 # For art.
 allow dumpstate dalvikcache_data_file:file execute;
+
+# logd access
+read_logd(dumpstate)
+control_logd(dumpstate)
diff --git a/file.te b/file.te
index d6a4d5691..ef6c55c22 100644
--- a/file.te
+++ b/file.te
@@ -107,6 +107,10 @@ type gps_socket, file_type;
 type installd_socket, file_type;
 type keystore_socket, file_type;
 type lmkd_socket, file_type;
+type logd_debug, file_type;
+type logd_socket, file_type;
+type logdr_socket, file_type;
+type logdw_socket, file_type;
 type mdns_socket, file_type;
 type netd_socket, file_type;
 type property_socket, file_type;
diff --git a/file_contexts b/file_contexts
index f593f6db0..06b23a629 100644
--- a/file_contexts
+++ b/file_contexts
@@ -81,6 +81,10 @@
 /dev/socket/installd u:object_r:installd_socket:s0
 /dev/socket/keystore u:object_r:keystore_socket:s0
 /dev/socket/lmkd u:object_r:lmkd_socket:s0
+/dev/logd_debug u:object_r:logd_debug:s0
+/dev/socket/logd u:object_r:logd_socket:s0
+/dev/socket/logdr u:object_r:logdr_socket:s0
+/dev/socket/logdw u:object_r:logdw_socket:s0
 /dev/socket/mdns u:object_r:mdns_socket:s0
 /dev/socket/netd u:object_r:netd_socket:s0
 /dev/socket/property_service u:object_r:property_socket:s0
@@ -144,6 +148,7 @@
 /system/bin/clatd u:object_r:clatd_exec:s0
 /system/bin/lmkd u:object_r:lmkd_exec:s0
 /system/bin/inputflinger u:object_r:inputflinger_exec:s0
+/system/bin/logd u:object_r:logd_exec:s0
 #############################
 # Vendor files
 #
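Review bot: write_logd(domain) applies the macro to every domain, and on userdebug/eng builds the macro's debug branch (added to te_macros in this same patch) expands for each caller to a type_transition on device:file, `allow $1 device:dir rw_dir_perms` and `allow $1 logd_debug:file create_file_perms`; placed here, that lets every domain, including untrusted app domains, create and write files directly under /dev on debug builds, which goes well beyond sending log messages unless the client-side library itself writes /dev/logd_debug. logd's own debug output is already granted in logd.te, so this domain-wide call should only need the `unix_socket_send(domain, logdw, logd)` part. Either keep write_logd to the socket send and leave the debug-file rules in logd.te, or add a comment here stating that the userdebug file rules are intentionally granted to all domains and why. The device-node rules this hunk sits in continue outside it.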
diff --git a/logd.te b/logd.te
new file mode 100644
index 000000000..a1e3a53ec
--- /dev/null
+++ b/logd.te
@@ -0,0 +1,34 @@
+# android user-space log manager
+type logd, domain;
+type logd_exec, exec_type, file_type;
+
+init_daemon_domain(logd)
+allow logd self:unix_stream_socket *;
+
+allow logd self:capability { setuid setgid sys_nice };
+
+r_dir_file(logd, domain)
+
+userdebug_or_eng(`
+  # Debug output
+  type_transition logd device:file logd_debug;
+  allow logd device:dir rw_dir_perms;
+  allow logd logd_debug:file create_file_perms;
+')
+
+###
+### Neverallow rules
+###
+### logd should NEVER do any of this
+
+# Block device access.
+neverallow logd dev_type:blk_file { read write };
+
+# ptrace any other app
+neverallow logd domain:process ptrace;
+
+# Write to /system.
+neverallow logd system_file:dir_file_class_set write;
+
+# Write to files in /data/data or system files on /data
+neverallow logd { app_data_file system_data_file }:dir_file_class_set write;
diff --git a/system_server.te b/system_server.te
index 19719124f..ef040d5d5 100644
--- a/system_server.te
+++ b/system_server.te
@@ -245,3 +245,7 @@ selinux_manage_policy(system_server)
 # See discussion of Unlabeled files in domain.te for more information.
 # This rule is for dalvikcache mmap/mprotect PROT_EXEC.
 allow system_server unlabeled:file execute;
+
+# logd access, system_server inherit logd write socket
+# (urge is to deprecate this long term)
+allow system_server zygote:unix_dgram_socket write;
diff --git a/te_macros b/te_macros
index 03c78f31a..404222ad7 100644
--- a/te_macros
+++ b/te_macros
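Review bot: `allow logd self:unix_stream_socket *;` grants every permission in the class by wildcard, while the rest of this new file (and its neverallow block) is written to be minimal; enumerating what logd actually needs keeps later additions to the class from being granted silently, e.g. `allow logd self:unix_stream_socket create_stream_socket_perms;` if that global macro exists in this tree, otherwise an explicit set. The neverallow section fences what logd may do, but nothing fences who may reach its control socket: any domain handed control_logd() gets the connect, with only the AID_LOG group check mentioned in te_macros standing in the way, so a rule such as `neverallow { domain -dumpstate } logd_socket:sock_file write;` (extending the exclusion set as controllers are added, and assuming unix_socket_connect expands to sock_file write as elsewhere in this tree) would make that decision visible and compiler-enforced. `r_dir_file(logd, domain)` is the broadest read grant in the file, letting logd read every process's /proc entries; a one-line comment on what it is for (presumably uid/pid lookup for log credentials — confirm) would help the next reviewer.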
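Review bot: This is the second verbatim copy of the zygote:unix_dgram_socket write rule with the same "deprecate long term" rationale as app.te, so the eventual removal has to be tracked in two files; a small macro in te_macros, e.g. `inherit_logd_write_socket(system_server)`, whose body is the allow rule plus the explanation, keeps the rationale and the cleanup in one place. As written the rule also permits writes to any datagram socket zygote owns, not just the inherited logd fd, so the comment should name the bound it relies on, e.g. `# Writes to the logdw fd inherited from zygote; relabel it via setsockcreatecon() in zygote and drop this rule.` The system_server rules continue outside this hunk.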
@@ -273,15 +273,6 @@ allow $1 security_file:lnk_file { create rename unlink };
 allow $1 security_prop:property_service set;
 ')
 
-#####################################
-# access_logcat(domain)
-# Ability to read from logcat logs
-# and execute the logcat command
-define(`access_logcat', `
-allow $1 log_device:chr_file read;
-allow $1 system_file:file x_file_perms;
-')
-
 #####################################
 # access_kmsg(domain)
 # Ability to read from kernel logs
@@ -338,3 +329,35 @@ define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target
 # has ceased.
 #
 define(`permissive_or_unconfined', ifelse(force_permissive_to_unconfined, `false', permissive $1;, unconfined_domain($1)))
+
+#####################################
+# write_logd(domain)
+# Ability to write to android log
+# daemon via sockets
+define(`write_logd', `
+userdebug_or_eng(`
+  # Debug output
+  type_transition $1 device:file logd_debug;
+  allow $1 device:dir rw_dir_perms;
+  allow $1 logd_debug:file create_file_perms;
+')
+unix_socket_send($1, logdw, logd)
+')
+
+#####################################
+# read_logd(domain)
+# Ability to read from android
+# log daemon via sockets
+define(`read_logd', `
+unix_socket_connect($1, logdr, logd)
+')
+
+#####################################
+# control_logd(domain)
+# Ability to control
+# android log daemon via sockets
+define(`control_logd', `
+# Group AID_LOG checked by filesystem & logd
+# to permit control commands
+unix_socket_connect($1, logd, logd)
+')
-- 
GitLab
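Review bot: The three new macros document authorization inconsistently: control_logd notes that group AID_LOG is checked by the filesystem and logd, but read_logd has no such note even though its `unix_socket_connect($1, logdr, logd)` equally lets the caller connect, so a reader cannot tell whether log reading is still gated once SELinux permits the connect, or by what. Suggest stating it in each macro, e.g. for read_logd `# SELinux only permits the connect; DAC (group on the socket node) and logd's own credential checks decide what the caller may read — confirm against logd.`, and for control_logd wording that makes clear the group check is the only restriction beyond this rule. Separately, write_logd bundles userdebug-only file rules (a type_transition to logd_debug and `allow $1 device:dir rw_dir_perms`) under a name and header comment that promise only socket writes; either extend the header to say "on userdebug/eng builds the caller may also create /dev/logd_debug" or split the file rules into their own macro so domain-wide callers do not pick them up unintentionally. The leading context of the second hunk belongs to userdebug_or_eng and permissive_or_unconfined, defined above it.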