# Policy for the logd domain: attribute assignment, init launch setup and
# build-time neverallow assertions. The neverallow rules grant nothing; they
# make the policy build fail if a matching allow rule exists anywhere.

# Tag the logd type with the coredomain attribute.
typeattribute logd coredomain;

# Macro defined outside this file; presumably sets up the transition from init
# into the logd domain when the logd executable is started - confirm against
# the macro definition.
init_daemon_domain(logd)

# logd must never be allowed to create, write or append to regular files of
# any file_type, with these exceptions: logd_tmpfs and
# runtime_event_log_tags_file on every build, plus coredump_file and
# misc_logd_file on userdebug or eng builds only (misc_logd_file is presumably
# the label for /data/misc/logd - confirm against file_contexts).
# NOTE(review): only create, write and append are asserted here; other
# modifying permissions such as unlink, rename or setattr are outside this rule.
# TODO: deal with tmpfs_domain pub/priv split properly
neverallow logd {
  file_type
  -logd_tmpfs
  -runtime_event_log_tags_file
  userdebug_or_eng(`-coredump_file -misc_logd_file')
}:file { create write append };

# Protect the event-log-tags file. Outside the app domains (handled by the
# next rule), only the domains subtracted below may hold any permission from
# no_rw_file_perms on runtime_event_log_tags_file. no_rw_file_perms is a
# permission-set macro defined outside this file; presumably the read and
# write file permissions - confirm against its definition.
# An exemption permits an allow rule elsewhere; it does not grant access.
neverallow {
  domain
  -appdomain # covered below
  -bootstat
  -dumpstate
  -init
  -logd
  userdebug_or_eng(`-logpersist')
  -servicemanager
  -system_server
  -surfaceflinger
  -zygote
} runtime_event_log_tags_file:file no_rw_file_perms;

# App-domain counterpart of the rule above: among appdomain, only the app
# types subtracted below (and su on userdebug or eng builds) may hold those
# permissions on the event-log-tags file.
neverallow {
  appdomain
  -bluetooth
  -platform_app
  -priv_app
  -radio
  -shell
  userdebug_or_eng(`-su')
  -system_app
} runtime_event_log_tags_file:file no_rw_file_perms;