| # android debug logging, logpersist domains |
| type logpersist, domain; |
| |
| # logcatd is a shell script that execs logcat with various parameters. |
| allow logpersist shell_exec:file rx_file_perms; |
| allow logpersist logcat_exec:file rx_file_perms; |
| |
| ### |
| ### Neverallow rules |
| ### |
| ### logpersist should NEVER do any of this |
| |
| # Block device access. |
| neverallow logpersist dev_type:blk_file { read write }; |
| |
| # ptrace any other app |
| neverallow logpersist domain:process ptrace; |
| |
| # Write to files in /data/data or system files on /data except misc_logd_file |
| neverallow logpersist { privapp_data_file app_data_file system_data_file }:dir_file_class_set write; |
| |
| # Only init should be allowed to enter the logpersist domain via exec() |
| # Following is a list of debug domains we know that transition to logpersist |
| # neverallow_with_undefined_domains { |
| # domain |
| # -init # goldfish, logcatd, raft |
| # -mmi # bat, mtp8996, msmcobalt |
| # -system_app # Smith.apk |
| # } logpersist:process transition; |
| neverallow * logpersist:process dyntransition; |