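# SELinux policy for logd, the Android logging daemon.
# Layout restored to one statement per line. In the collapsed form the
# first comment marker would comment out every rule that follows it.
typeattribute logd coredomain;

# Run logd in its own domain when it is started by init.
init_daemon_domain(logd)

# Access device logging gating property
get_prop(logd, device_logging_prop)

# Build-time assertion: logd must never create, write or append to any
# file, except files of the types subtracted below. misc_logd_file
# (presumably /data/misc/logd, confirm against file_contexts) and
# coredump_file are exempt only on userdebug or eng builds, and
# method_trace_data_file only on native coverage builds.
# A neverallow grants nothing. The subtracted types merely stay eligible
# for allow rules written elsewhere.
# NOTE(review): every subtracted type widens what a compromised logd
# could be permitted to modify. Keep the list minimal and justify each
# addition.
neverallow logd {
  file_type
  -runtime_event_log_tags_file
  # shell_data_file access is needed to dump bugreports
  -shell_data_file
  userdebug_or_eng(`-coredump_file -misc_logd_file')
  with_native_coverage(`-method_trace_data_file')
}:file { create write append };

# protect the event-log-tags file
# Outside the app domains, only the domains subtracted below may ever be
# granted the permissions in no_rw_file_perms on it. logpersist is
# exempt only on userdebug or eng builds.
neverallow {
  domain
  -appdomain # covered below
  -bootstat
  -dumpstate
  -init
  -logd
  userdebug_or_eng(`-logpersist')
  -servicemanager
  -system_server
  -surfaceflinger
  -zygote
} runtime_event_log_tags_file:file no_rw_file_perms;

# Same protection for app domains: only the app domains subtracted below
# may be granted access. su is exempt only on userdebug or eng builds.
neverallow {
  appdomain
  -bluetooth
  -platform_app
  -priv_app
  -radio
  -shell
  userdebug_or_eng(`-su')
  -system_app
} runtime_event_log_tags_file:file no_rw_file_perms;

# Only binder communication between logd and system_server is allowed
# NOTE(review): the rules below grant binder access, but nothing in this
# file asserts the restriction stated above. Confirm that a neverallow
# elsewhere enforces it, otherwise it holds by convention only.
binder_use(logd)
binder_service(logd)
binder_call(logd, system_server)

# Let logd register logd_service with the service manager and look up
# logcat_service.
add_service(logd, logd_service)
allow logd logcat_service:service_manager find;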