# Tag the logd type with the coredomain attribute.
typeattribute logd coredomain;

# init_daemon_domain is a macro defined outside this file; presumably it sets
# up the transition from init into the logd domain - confirm against the
# macro definition.
init_daemon_domain(logd)

# Build-time assertion on where logd may create or modify file contents.
# A neverallow rule grants nothing: it makes the policy build fail if any
# allow rule gives logd create, write or append on a file whose type is not
# subtracted below. Types subtracted from file_type:
#   - runtime_event_log_tags_file: on every build variant
#   - coredump_file and misc_logd_file: userdebug or eng builds only
#     (misc_logd_file is presumably the label for /data/misc/logd - confirm)
#   - method_trace_data_file: only inside with_native_coverage, presumably
#     native coverage builds - confirm against the macro definition
# Scope: class file and the three listed permissions only. Directories and
# permissions such as unlink, rename or setattr are not constrained here.
neverallow logd {
  file_type
  -runtime_event_log_tags_file
  userdebug_or_eng(`-coredump_file -misc_logd_file')
  with_native_coverage(`-method_trace_data_file')
}:file { create write append };

# Protect the event-log-tags file: no domain outside the exemption list may
# hold any permission in no_rw_file_perms (a permission-set macro defined
# elsewhere) on runtime_event_log_tags_file. Being exempt is not a grant;
# access still needs an allow rule in the policy of the exempt domain.
# logpersist is exempt on userdebug or eng builds only.
neverallow {
  domain
  -appdomain # covered by the next rule
  -bootstat
  -dumpstate
  -init
  -logd
  userdebug_or_eng(`-logpersist')
  -servicemanager
  -system_server
  -surfaceflinger
  -zygote
} runtime_event_log_tags_file:file no_rw_file_perms;

# Same assertion for app domains: only the app types subtracted below are
# exempt, and su only on userdebug or eng builds. Every addition to either
# exemption list widens the set of domains that can be allowed access to
# the event-log-tags file, so review such changes accordingly.
neverallow {
  appdomain
  -bluetooth
  -platform_app
  -priv_app
  -radio
  -shell
  userdebug_or_eng(`-su')
  -system_app
} runtime_event_log_tags_file:file no_rw_file_perms;