# Domain for shell processes spawned by ADB or console service.
# NOTE(review): shell is declared mlstrustedsubject, so MLS constraints do
# not restrict it; the neverallow rules at the bottom of this file are the
# only compile-time limits on what may be granted to it.
type shell, domain, mlstrustedsubject;
type shell_exec, exec_type, file_type;

# Create and use network sockets.
net_domain(shell)

# Run app_process.
# XXX Transition into its own domain?
app_domain(shell)

# logcat
read_logd(shell)
control_logd(shell)
# logcat -L (directly, or via dumpstate)
allow shell pstorefs:dir search;
allow shell pstorefs:file r_file_perms;
# logpersistd (nee logcatd) files
# userdebug_or_eng() wraps rules that exist only on userdebug/eng builds;
# user builds get nothing from these blocks.
userdebug_or_eng(`
  allow shell misc_logd_file:dir r_dir_perms;
  allow shell misc_logd_file:file r_file_perms;
')

# Root fs.
allow shell rootfs:dir r_dir_perms;

# read files in /data/anr
allow shell anr_data_file:dir r_dir_perms;
allow shell anr_data_file:file r_file_perms;

# Access /data/local/tmp.
# NOTE(review): rx_file_perms on shell_data_file includes execute, so any
# file written or pushed into this directory can be run as the shell user.
allow shell shell_data_file:dir create_dir_perms;
allow shell shell_data_file:file create_file_perms;
allow shell shell_data_file:file rx_file_perms;
allow shell shell_data_file:lnk_file create_file_perms;

# Access /data/misc/profman.
# Deliberately narrow: search + write/remove_name on the directory and
# getattr/unlink on files lets shell delete a dump it knows the name of,
# but not list (no dir read), read, or create dumps.
allow shell profman_dump_data_file:dir { search getattr write remove_name };
allow shell profman_dump_data_file:file { getattr unlink };

# Read/execute files in /data/nativetest
userdebug_or_eng(`
  allow shell nativetest_data_file:dir r_dir_perms;
  allow shell nativetest_data_file:file rx_file_perms;
')

# adb bugreport
unix_socket_connect(shell, dumpstate, dumpstate)

# Terminal, console and input devices.
allow shell devpts:chr_file rw_file_perms;
allow shell tty_device:chr_file rw_file_perms;
allow shell console_device:chr_file rw_file_perms;
allow shell input_device:dir r_dir_perms;
allow shell input_device:chr_file rw_file_perms;
# Read-only view of system_file plus execute on its files and on the
# toolbox, shell and zygote executables.
r_dir_file(shell, system_file)
allow shell system_file:file x_file_perms;
allow shell toolbox_exec:file rx_file_perms;
allow shell shell_exec:file rx_file_perms;
allow shell zygote_exec:file rx_file_perms;

# Read APK files (apk_data_file).
r_dir_file(shell, apk_data_file)

# Set properties.
# NOTE(review): the ctl_* properties let shell start/stop the bugreport and
# dumpstate services, and powerctl_prop lets it request reboot/shutdown;
# log_prop and logpersistd_logging_prop are debug-build only.
set_prop(shell, shell_prop)
set_prop(shell, ctl_bugreport_prop)
set_prop(shell, ctl_dumpstate_prop)
set_prop(shell, dumpstate_prop)
set_prop(shell, debug_prop)
set_prop(shell, powerctl_prop)
set_prop(shell, log_tag_prop)
set_prop(shell, wifi_log_prop)
userdebug_or_eng(`set_prop(shell, log_prop)')
userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)')

# systrace support - allow atrace to run
allow shell debugfs_tracing:dir r_dir_perms;
allow shell debugfs_tracing:file rw_file_perms;
allow shell debugfs_trace_marker:file getattr;
allow shell atrace_exec:file rx_file_perms;

userdebug_or_eng(`
  # "systrace --boot" support - allow boottrace service to run
  allow shell boottrace_data_file:dir rw_dir_perms;
  allow shell boottrace_data_file:file create_file_perms;
  set_prop(shell, persist_debug_prop)
')

# allow shell to run dmesg
allow shell kernel:system syslog_read;

# allow shell access to services
allow shell servicemanager:service_manager list;
# Shell may find any service except GateKeeper and netd, which are
# explicitly excluded from the set below.
allow shell { service_manager_type -gatekeeper_service -netd_service }:service_manager find;

# allow shell to look through /proc/ for ps, top, netstat
r_dir_file(shell, proc)
r_dir_file(shell, proc_net)
allow shell proc_meminfo:file r_file_perms;
r_dir_file(shell, cgroup)
# The two "domain" rules cover /proc/<pid>/ of every process, since those
# entries carry the owning process's domain label; they are read-only.
allow shell domain:dir { search open read getattr };
allow shell domain:{ file lnk_file } { open read getattr };

# statvfs() of /proc and other labeled filesystems
# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs)
allow shell { proc labeledfs }:filesystem getattr;

# stat() of /dev
allow shell device:dir getattr;

# allow shell to read /proc/pid/attr/current for ps -Z
allow shell domain:process getattr;

# Allow pulling the SELinux policy for CTS purposes
allow shell selinuxfs:dir r_dir_perms;
allow shell selinuxfs:file r_file_perms;

# enable shell domain to read/write files/dirs for bootchart data
# The user creates the start and stop files via adb shell
# and reads other files created by the init process under /data/bootchart
allow shell bootchart_data_file:dir rw_dir_perms;
allow shell bootchart_data_file:file create_file_perms;

# Make sure strace works for the non-privileged shell user
# "self" limits this to tracing processes that are themselves in the shell
# domain; no ptrace of other domains is granted here.
allow shell self:process ptrace;

# allow shell to get battery info
allow shell sysfs_batteryinfo:file r_file_perms;
allow shell sysfs:dir r_dir_perms;

# Allow access to ion memory allocation device.
allow shell ion_device:chr_file rw_file_perms;

# Access to /data/media.
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
allow shell media_rw_data_file:dir create_dir_perms;
allow shell media_rw_data_file:file create_file_perms;

###
### Neverallow rules
###

# Do not allow shell to hard link to any files.
# In particular, if shell hard links to app data
# files, installd will not be able to guarantee the deletion
# of the linked to file. Hard links also contribute to security
# bugs, so we want to ensure the shell user never has this
# capability.
# This is checked at policy build time against every allow rule for shell,
# including the create_file_perms grants above.
neverallow shell file_type:file link;

# Do not allow privileged socket ioctl commands
# priv_sock_ioctls is the privileged ioctl set defined elsewhere in the
# policy; this extended-permission neverallow applies to sockets of every
# domain, including shell's own.
neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;