# Policy for logd, the Android logging daemon.
#
# This file uses m4 macros (init_daemon_domain, userdebug_or_eng, ...); the
# backtick/apostrophe pairs are m4 quotes, so comments placed inside a quoted
# macro argument must not contain an apostrophe.

# logd is a coredomain, i.e. a system-image (non-vendor) process.
typeattribute logd coredomain;

# Standard init-started daemon setup: init transitions into the logd domain
# when it execs the logd binary (the exec transition is pinned to init by a
# neverallow at the bottom of this file).
init_daemon_domain(logd)

# Read the property that gates device logging.
get_prop(logd, device_logging_prop)

# Restrict where logd may create, write or append files. Every file type is
# forbidden except:
#   - runtime_event_log_tags_file, the event-log-tags file logd maintains
#     (read/write for logd below, and allowed to live on tmpfs);
#   - shell_data_file, needed to dump bugreports;
#   - on userdebug/eng builds only, coredump_file and misc_logd_file
#     (/data/misc/logd);
#   - method_trace_data_file, only in native-coverage builds.
neverallow logd {
  file_type
  -runtime_event_log_tags_file
  # shell_data_file access is needed to dump bugreports
  -shell_data_file
  userdebug_or_eng(`-coredump_file -misc_logd_file')
  with_native_coverage(`-method_trace_data_file')
}:file { create write append };

# Protect the event-log-tags file: no domain may read or write it directly
# except the ones listed. This rule covers non-app domains; app domains are
# subtracted here and handled by the next rule.
neverallow {
  domain
  -appdomain # covered below
  -bootstat
  -dumpstate
  -init
  -logd
  userdebug_or_eng(`-logpersist')
  -servicemanager
  -system_server
  -surfaceflinger
  -zygote
} runtime_event_log_tags_file:file no_rw_file_perms;

# Same protection for app domains: only the listed app domains, plus su on
# userdebug/eng builds, may read or write the file directly. Other apps get
# tag mappings through the event log tag service (see the dontaudit below).
neverallow {
  appdomain
  -bluetooth
  -platform_app
  -priv_app
  -radio
  -shell
  userdebug_or_eng(`-su')
  -system_app
} runtime_event_log_tags_file:file no_rw_file_perms;

# Binder: logd uses binder and registers a service, but the only domain it
# is allowed to make binder calls to is system_server.
binder_use(logd)
binder_service(logd)
binder_call(logd, system_server)

# Register logd_service and look up logcat_service in servicemanager.
add_service(logd, logd_service)
allow logd logcat_service:service_manager find;

# Read access to pseudo filesystems (cgroup v1/v2, /proc/kmsg, /proc/meminfo).
r_dir_file(logd, cgroup)
r_dir_file(logd, cgroup_v2)
r_dir_file(logd, proc_kmsg)
r_dir_file(logd, proc_meminfo)

# Capabilities held by logd: setuid/setgid/setpcap, sys_nice and
# audit_control, plus the syslog capability for kernel log access.
allow logd self:global_capability_class_set { setuid setgid setpcap sys_nice audit_control };
allow logd self:global_capability2_class_set syslog;
# Netlink audit socket (no ioctl) with permission to send audit messages.
# NOTE(review): together with audit_control this is presumably how logd
# subscribes to kernel audit/AVC records - confirm against the logd source.
allow logd self:netlink_audit_socket { create_socket_perms_no_ioctl nlmsg_write };
# Read the kernel log ring buffer and write to /dev/kmsg.
allow logd kernel:system syslog_read;
allow logd kmsg_device:chr_file { getattr w_file_perms };
# Read-only access to system data files and the packages list.
# NOTE(review): presumably used to map uids to package names - confirm.
allow logd system_data_file:{ file lnk_file } r_file_perms;
allow logd packages_list_file:file r_file_perms;
# Read-only access to pstorefs (kernel persistent store).
allow logd pstorefs:dir search;
allow logd pstorefs:file r_file_perms;
# On userdebug/eng builds logd may also read and write /data/misc/logd, the
# on-disk location of the event-log-tags file. No apostrophes in this block.
userdebug_or_eng(`
  # Access to /data/misc/logd/event-log-tags
  allow logd misc_logd_file:dir r_dir_perms;
  allow logd misc_logd_file:file rw_file_perms;
')
# The runtime copy of event-log-tags is read/write for logd on all builds.
allow logd runtime_event_log_tags_file:file rw_file_perms;

# Read /proc/<pid> entries of every domain.
# NOTE(review): presumably to resolve pids to process names - confirm.
r_dir_file(logd, domain)

# Kernel syslog modification permission.
allow logd kernel:system syslog_mod;

# Shared client macros applied to logd itself (their contents live in the
# global macro definitions, not here).
control_logd(logd)
read_runtime_log_tags(logd)

# The runtime event-log-tags file may be placed on tmpfs.
allow runtime_event_log_tags_file tmpfs:filesystem associate;
# Silence denials from domains that blindly probe the event-log-tags file via
# liblog (typically untrusted_app). Such domains are excluded by the
# neverallows above and obtain tag mappings through the event log tag service
# instead, at a performance penalty expected to be offset by local caching.
dontaudit domain runtime_event_log_tags_file:file { map open read };

# logd sets defaults for certain logd properties when they are empty.
set_prop(logd, logd_prop)

###
### Neverallow rules
###
### logd should NEVER do any of this

# Block device access.
neverallow logd dev_type:blk_file { read write };

# ptrace any other process.
neverallow logd domain:process ptrace;

# ... and nobody may ptrace logd, except crash_dump and llkd on userdebug or
# eng builds.
neverallow { domain userdebug_or_eng(`-crash_dump -llkd') } logd:process ptrace;

# Write to /system (any system_file_type, any file-like class).
neverallow logd system_file_type:dir_file_class_set write;

# Write to app data (/data/data) or to system files on /data. shell_data_file
# is exempt for bugreports, matching the file_type neverallow at the top.
neverallow logd {
  app_data_file_type
  system_data_file
  packages_list_file
  -shell_data_file # for bugreports
}:dir_file_class_set write;

# Only init is allowed to enter the logd domain via exec(); no domain at all
# may dyntransition into it.
neverallow { domain -init } logd:process transition;
neverallow * logd:process dyntransition;

# Protect the event-log-tags file: whatever the read exemptions above, only
# init and logd may ever write it.
neverallow {
  domain
  -init
  -logd
} runtime_event_log_tags_file:file no_w_file_perms;