typeattribute logd coredomain;

init_daemon_domain(logd)

# Write restriction for logd. The only file types logd may create, write or
# append are runtime_event_log_tags_file (on every build) and, on userdebug or
# eng builds only, coredump_file and misc_logd_file (/data/misc/logd). Any
# other file_type is rejected by this compile-time assertion.
neverallow logd {
  file_type
  -runtime_event_log_tags_file
  userdebug_or_eng(`-coredump_file -misc_logd_file')
}:file { create write append };

# Guard the runtime event-log-tags file: no domain gets read/write access
# (no_rw_file_perms) except the allow-list below. App domains are carved out
# here and constrained by the separate assertion that follows.
neverallow {
  domain
  -appdomain
  -bootstat
  -dumpstate
  -init
  -logd
  userdebug_or_eng(`-logpersist')
  -servicemanager
  -surfaceflinger
  -system_server
  -zygote
} runtime_event_log_tags_file:file no_rw_file_perms;

# Same guard for app domains: only the listed app types, plus su on userdebug
# or eng builds, may read or write the runtime event-log-tags file.
neverallow {
  appdomain
  -bluetooth
  -platform_app
  -priv_app
  -radio
  -shell
  userdebug_or_eng(`-su')
  -system_app
} runtime_event_log_tags_file:file no_rw_file_perms;