author | Mark Salyzyn <salyzyn@google.com> | 2016-03-25 20:57:20 +0000 |
committer | Gerrit Code Review <noreply-gerritcodereview@google.com> | 2016-03-25 20:57:20 +0000 |
commit | 0144eedba57cc078112f95ca66d827f98ecf4a5b (patch) | |
tree | d9035707f33cbf09d42e31ceeab0fbef38d49727 | |
parent | 8ae52a05ba30a4f7709d8bce381bfb3662e8cfea (diff) | |
parent | 121f5bfd80298266d293fa5c0a30fed66f4facfa (diff) | |
download | sepolicy-0144eedba57cc078112f95ca66d827f98ecf4a5b.tar.gz |
Merge "init: logpersist access on debug"
-rw-r--r-- | domain.te | 2 | ||||
-rw-r--r-- | init.te | 2 | ||||
-rw-r--r-- | te_macros | 1 |
3 files changed, 3 insertions, 2 deletions
@@ -491,7 +491,7 @@ neverallow * ~servicemanager:service_manager list;
 neverallow * ~service_manager_type:service_manager { add find };
 # logpersist is only allowed on userdebug/eng builds
-neverallow { domain userdebug_or_eng(`-logd -shell') } misc_logd_file:file rw_file_perms;
+neverallow { domain userdebug_or_eng(`-logd -shell -init') } misc_logd_file:file rw_file_perms;
 # Prevent assigning non property types to properties
 neverallow * ~property_type:property_service set;
@@ -100,7 +100,7 @@ allow init rootfs:{ dir file } relabelfrom;
 allow init self:capability { chown fowner fsetid };
 allow init {file_type -system_file -exec_type -app_data_file}:dir { create search getattr open read setattr ioctl };
 allow init {file_type -system_file -exec_type -keystore_data_file -app_data_file -shell_data_file -vold_data_file}:dir { write add_name remove_name rmdir relabelfrom };
-allow init {file_type -system_file -exec_type -keystore_data_file -app_data_file -shell_data_file -vold_data_file -misc_logd_file }:file { create getattr open read write setattr relabelfrom unlink };
+allow init {file_type -system_file -exec_type -keystore_data_file -app_data_file -shell_data_file -vold_data_file not_userdebug_nor_eng(`-misc_logd_file') }:file { create getattr open read write setattr relabelfrom unlink };
 allow init {file_type -system_file -exec_type -keystore_data_file -app_data_file -shell_data_file -vold_data_file}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
 allow init {file_type -system_file -exec_type -keystore_data_file -app_data_file -shell_data_file -vold_data_file}:lnk_file { create getattr setattr relabelfrom unlink };
 allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;
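Review bot: The exemption of init from the misc_logd_file neverallow in domain.te and the `not_userdebug_nor_eng(`-misc_logd_file')` exclusion in the init.te allow rule are two independent build-variant conditionals that only stay complementary by construction; neither file says they are a pair, so a future edit to one of them will only surface when checkpolicy rejects the neverallow at policy build time. The comment above the neverallow also still reads as if logd and shell were the only exempt domains. I would extend it to `# logpersist is only allowed on userdebug/eng builds; init is also exempt there so it can create/unlink these files (matching exclusion in init.te)`. The same point applies to the init.te hunk on this line, where a one-line comment above the changed allow rule naming the domain.te neverallow it is satisfying would make the conditional exclusion self-explanatory.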
@@ -278,6 +278,7 @@ define(`recovery_only', ifelse(target_recovery, `true', $1, ))
 # SELinux rules which apply only to userdebug or eng builds
 #
 define(`userdebug_or_eng', ifelse(target_build_variant, `eng', $1, ifelse(target_build_variant, `userdebug', $1)))
+define(`not_userdebug_nor_eng', ifelse(target_build_variant, `eng', , ifelse(target_build_variant, `userdebug', , $1)))
 define(`eng', ifelse(target_build_variant, `eng', $1))
 #####################################
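Review bot: The new `not_userdebug_nor_eng` macro is undocumented, and the only header in the hunk (`# SELinux rules which apply only to userdebug or eng builds`) now sits above two macros with opposite meaning, so a reader skimming te_macros could take the new one for another debug-only helper. I would add directly above the new define `# SELinux rules which apply only to user builds (the complement of userdebug_or_eng)`. The two definitions also spell out the variant names independently rather than one being derived from the other, so that comment should say any new debug-style build variant has to be added to both lists to keep them complementary; with the current definitions any other `target_build_variant` value is treated as a user build by both, which is consistent.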