# Type enforcement policy for the logd domain (Android's logging daemon).
# The rules below are mostly neverallow assertions: they grant nothing, but
# make the policy build fail if any other rule in the policy would grant the
# named access. That makes them compile-time guards, not runtime checks.

# Add logd to the coredomain attribute, so rules written against coredomain
# (defined elsewhere in the policy) apply to logd as well.
typeattribute logd coredomain;

# Policy macro (defined elsewhere) that sets up logd as a daemon domain
# launched by init — confirm the exact rules it expands to in the macro file.
init_daemon_domain(logd)

# logd is not allowed to write anywhere other than /data/misc/logd, and then
# only on userdebug or eng builds
# TODO: deal with tmpfs_domain pub/priv split properly
#
# Set semantics: every type carrying the file_type attribute is covered,
# minus the listed exceptions. userdebug_or_eng() is an m4 macro that expands
# to its argument only on userdebug/eng builds, so on user builds the only
# exceptions are logd_tmpfs and runtime_event_log_tags_file; coredump_file and
# misc_logd_file are exempted only on debuggable builds.
neverallow logd {
    file_type
    -logd_tmpfs
    -runtime_event_log_tags_file
    userdebug_or_eng(`-coredump_file -misc_logd_file')
}:file { create write append };

# protect the event-log-tags file
#
# Every domain except the ones listed here is denied the no_rw_file_perms set
# (a permission set defined in the policy's global macros — by its name, the
# read/write-style file permissions; confirm there) on
# runtime_event_log_tags_file. The listed domains are the only ones that may
# have such access granted elsewhere; logpersist is exempt only on
# userdebug/eng builds, and logd itself is exempt as the file's owner.
# appdomain is excluded from this set because it gets its own, narrower
# assertion in the next rule rather than a blanket exemption.
neverallow {
    domain
    -appdomain # covered below
    -bootstat
    -dumpstate
    -init
    -logd
    userdebug_or_eng(`-logpersist')
    -servicemanager
    -system_server
    -surfaceflinger
    -zygote
} runtime_event_log_tags_file:file no_rw_file_perms;

# Same guard for application domains: all of appdomain is denied
# no_rw_file_perms on the file except the listed app categories. su is
# exempt only on userdebug/eng builds, since the macro expands to nothing
# on user builds.
neverallow {
    appdomain
    -bluetooth
    -platform_app
    -priv_app
    -radio
    -shell
    userdebug_or_eng(`-su')
    -system_app
} runtime_event_log_tags_file:file no_rw_file_perms;