# Domain for shell processes spawned by ADB or console service.
#
# shell is the unprivileged interactive domain reachable over adb and the
# serial console, so each allow rule below is reachable by anyone with a
# debug/USB foothold; the neverallow rules at the bottom of this file are
# the build-time assertions that bound how far later changes may widen it.
# Note: the mlstrustedsubject attribute exempts this domain from the MLS
# constraints, so MLS levels on objects do not further narrow these rules.
type shell, domain, mlstrustedsubject;
type shell_exec, exec_type, file_type;

# Create and use network sockets.
net_domain(shell)

# logcat
read_logd(shell)
control_logd(shell)
# logcat -L (directly, or via dumpstate)
allow shell pstorefs:dir search;
allow shell pstorefs:file r_file_perms;

# Root fs.
allow shell rootfs:dir r_dir_perms;

# read files in /data/anr
allow shell anr_data_file:dir r_dir_perms;
allow shell anr_data_file:file r_file_perms;

# Access /data/local/tmp.
# shell may both create and execute files here (create_file_perms plus
# rx_file_perms), which is what makes this directory the usual staging
# area for adb-pushed tooling.
allow shell shell_data_file:dir create_dir_perms;
allow shell shell_data_file:file create_file_perms;
allow shell shell_data_file:file rx_file_perms;
allow shell shell_data_file:lnk_file create_file_perms;

# Read and delete from /data/local/traces.
allow shell trace_data_file:file { r_file_perms unlink };
allow shell trace_data_file:dir { r_dir_perms remove_name write };

# Access /data/misc/profman.
# Read and delete only (no create/write on the files themselves).
allow shell profman_dump_data_file:dir { write remove_name r_dir_perms };
allow shell profman_dump_data_file:file { unlink r_file_perms };

# Read/execute files in /data/nativetest
# (wrapped in userdebug_or_eng, so not granted on user builds).
userdebug_or_eng(`
allow shell nativetest_data_file:dir r_dir_perms;
allow shell nativetest_data_file:file rx_file_perms;
')

# adb bugreport
unix_socket_connect(shell, dumpstate, dumpstate)

# tty/console/input device nodes for the interactive session.
allow shell devpts:chr_file rw_file_perms;
allow shell tty_device:chr_file rw_file_perms;
allow shell console_device:chr_file rw_file_perms;
allow shell input_device:dir r_dir_perms;
allow shell input_device:chr_file rw_file_perms;
# Read system_file-labeled content and execute the listed exec types.
r_dir_file(shell, system_file)
allow shell system_file:file x_file_perms;
allow shell toolbox_exec:file rx_file_perms;
allow shell tzdatacheck_exec:file rx_file_perms;
allow shell shell_exec:file rx_file_perms;
# NOTE(review): no rationale is recorded for executing zygote_exec here;
# presumably for app_process-based shell tools — confirm it is still needed.
allow shell zygote_exec:file rx_file_perms;

r_dir_file(shell, apk_data_file)

# Set properties.
# Each set_prop is a distinct write capability; powerctl_prop and the
# ctl_* props in particular let shell trigger reboots and services.
set_prop(shell, shell_prop)
set_prop(shell, ctl_bugreport_prop)
set_prop(shell, ctl_dumpstate_prop)
set_prop(shell, dumpstate_prop)
set_prop(shell, exported_dumpstate_prop)
set_prop(shell, debug_prop)
set_prop(shell, powerctl_prop)
set_prop(shell, log_tag_prop)
set_prop(shell, wifi_log_prop)
# Allow shell to start/stop traced via the persist.traced.enable
# property (which also takes care of /data/misc initialization).
set_prop(shell, traced_enabled_prop)
# adjust is_loggable properties
userdebug_or_eng(`set_prop(shell, log_prop)')
# logpersist script
userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)')

userdebug_or_eng(`
# "systrace --boot" support - allow boottrace service to run
allow shell boottrace_data_file:dir rw_dir_perms;
allow shell boottrace_data_file:file create_file_perms;
set_prop(shell, persist_debug_prop)
')

# Read device's serial number from system properties
get_prop(shell, serialno_prop)

# Allow shell to read the vendor security patch level for CTS
get_prop(shell, vendor_security_patch_level_prop)

# Read state of logging-related properties
get_prop(shell, device_logging_prop)

# Read state of boot reason properties
get_prop(shell, bootloader_boot_reason_prop)
get_prop(shell, last_boot_reason_prop)
get_prop(shell, system_boot_reason_prop)

# allow shell access to services
allow shell servicemanager:service_manager list;
# don't allow shell to access GateKeeper service
# TODO: why is this so broad? Tightening candidate? It needs at least:
# - dumpstate_service (so it can receive dumpstate progress updates)
# Note: this is an exclusion list over the whole service_manager_type
# attribute, so any newly added service type is findable by shell unless
# it is added to the exclusions below.
allow shell {
    service_manager_type
    -gatekeeper_service
    -incident_service
    -installd_service
    -netd_service
    -virtual_touchpad_service
    -vold_service
    -vr_hwc_service
}:service_manager find;
allow shell dumpstate:binder call;

# allow shell to get information from hwservicemanager
# for instance, listing hardware services with lshal
hwbinder_use(shell)
allow shell hwservicemanager:hwservice_manager list;

# allow shell to look through /proc/ for lsmod, ps, top, netstat.
r_dir_file(shell, proc_net)

allow shell {
    proc_asound
    proc_filesystems
    proc_interrupts
    proc_meminfo
    proc_modules
    proc_pid_max
    proc_stat
    proc_timer
    proc_uptime
    proc_version
    proc_zoneinfo
}:file r_file_perms;

# allow listing network interfaces under /sys/class/net.
allow shell sysfs_net:dir r_dir_perms;

r_dir_file(shell, cgroup)
# Read-only traversal of every domain's /proc/pid entries (all domains),
# with no write or ptrace on them.
allow shell domain:dir { search open read getattr };
allow shell domain:{ file lnk_file } { open read getattr };

# statvfs() of /proc and other labeled filesystems
# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs)
allow shell { proc labeledfs }:filesystem getattr;

# stat() of /dev
allow shell device:dir getattr;

# allow shell to read /proc/pid/attr/current for ps -Z
allow shell domain:process getattr;

# Allow pulling the SELinux policy for CTS purposes
allow shell selinuxfs:dir r_dir_perms;
allow shell selinuxfs:file r_file_perms;

# enable shell domain to read/write files/dirs for bootchart data
# The user creates the start and stop files via adb shell
# and reads other files created by init process under /data/bootchart
allow shell bootchart_data_file:dir rw_dir_perms;
allow shell bootchart_data_file:file create_file_perms;

# Make sure strace works for the non-privileged shell user
# (target is self only: this does not let shell trace other domains).
allow shell self:process ptrace;

# allow shell to get battery info
allow shell sysfs:dir r_dir_perms;
allow shell sysfs_batteryinfo:dir r_dir_perms;
allow shell sysfs_batteryinfo:file r_file_perms;

# Allow access to ion memory allocation device.
allow shell ion_device:chr_file rw_file_perms;

#
# filesystem test for insecure chr_file's is done
# via a host side test
# (getattr only; the neverallow below keeps it that way for the
# sensitive device types)
#
allow shell dev_type:dir r_dir_perms;
allow shell dev_type:chr_file getattr;

# /dev/fd is a symlink
allow shell proc:lnk_file getattr;

#
# filesystem test for insecure blk_file's is done
# via a host side test
#
allow shell dev_type:blk_file getattr;

# read selinux policy files
allow shell file_contexts_file:file r_file_perms;
allow shell property_contexts_file:file r_file_perms;
allow shell seapp_contexts_file:file r_file_perms;
allow shell service_contexts_file:file r_file_perms;
allow shell sepolicy_file:file r_file_perms;

# Allow shell to start up vendor shell
allow shell vendor_shell_exec:file rx_file_perms;

###
### Neverallow rules
### (checked when the policy is compiled; a conflicting allow rule
### anywhere in the policy fails the build)
###

# Do not allow shell to hard link to any files.
# In particular, if shell hard links to app data
# files, installd will not be able to guarantee the deletion
# of the linked to file. Hard links also contribute to security
# bugs, so we want to ensure the shell user never has this
# capability.
neverallow shell file_type:file link;

# Do not allow privileged socket ioctl commands
# (priv_sock_ioctls is the ioctl set defined outside this file).
neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;

# limit shell access to sensitive char drivers to
# only getattr required for host side test.
neverallow shell {
    fuse_device
    hw_random_device
    kmem_device
    port_device
}:chr_file ~getattr;

# Limit shell to only getattr on blk devices for host side tests.
neverallow shell dev_type:blk_file ~getattr;