logpersist.te revision df125b90b456748f834df06e69d9e8aa05054c69
Blame (all lines by Mark Salyzyn): commit da62cb4dda9c7e77dc67ced441d7ffe6fd3f2f2a for the file through the app_data_file/system_data_file rule; commit df125b90b456748f834df06e69d9e8aa05054c69 for the final two process-transition rules and their comment.

# android debug logging, logpersist domains
type logpersist, domain;

###
### Neverallow rules
###
### logpersist should NEVER do any of this

# Block device access.
neverallow logpersist dev_type:blk_file { read write };

# ptrace any other app
neverallow logpersist domain:process ptrace;

# Write to files in /data/data or system files on /data except misc_logd_file
neverallow logpersist { app_data_file system_data_file }:dir_file_class_set write;

# Only init is allowed to enter the logpersist domain via exec()
neverallow { domain -init } logpersist:process transition;
neverallow * logpersist:process dyntransition;