# android debug logging, logpersist domains
#
# logpersist is the domain for the logcatd helper: a shell script that
# execs logcat with various parameters to persist logs on debug builds.
type logpersist, domain;

# The only executables this domain needs to map and run are the shell
# interpreter (for the wrapper script) and logcat itself.
allow logpersist shell_exec:file rx_file_perms;
allow logpersist logcat_exec:file rx_file_perms;

###
### Neverallow rules
###
### logpersist should NEVER do any of this

# No dynamic transition into logpersist from any domain; the only sanctioned
# entry is an exec()-based transition (see the note below).
neverallow * logpersist:process dyntransition;

# Exec()-based entry should be restricted to init only. The rule that would
# enforce this is left disabled here because other debug domains are known to
# transition into logpersist:
#   -init        # goldfish, logcatd, raft
#   -mmi         # bat, mtp8996, msmcobalt
#   -system_app  # Smith.apk
# NOTE(review): while this stays commented out, the exec() transition is not
# constrained by this file; only the dyntransition neverallow above is enforced.
# neverallow_with_undefined_domains {
#   domain
#   -init
#   -mmi
#   -system_app
# } logpersist:process transition;

# No ptrace of any process (covers all domains, including itself).
neverallow logpersist domain:process ptrace;

# No raw block device access.
neverallow logpersist dev_type:blk_file { read write };

# No writes into app-private data or generic system data on /data.
# misc_logd_file is a distinct type and is therefore not covered by this
# neverallow, which is what allows persisted logs to be written there.
neverallow logpersist {
    privapp_data_file
    app_data_file
    system_data_file
}:dir_file_class_set write;