tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/public/shell.te

185 lines
5.7 KiB
Text
Raw Normal View History

Clarify init_shell, shell, and su domain usage. init_shell domain is now only used for shell commands or scripts invoked by init*.rc files, never for an interactive shell. It was being used for console service for a while but console service is now assigned shell domain via seclabel in init.rc. We may want to reconsider the shelldomain rules for init_shell and whether they are still appropriate. shell domain is now used by both adb shell and console service, both of which also run in the shell UID. su domain is now used not only for /system/bin/su but also for adbd and its descendants after an adb root is performed. Change-Id: I502ab98aafab7dafb8920ccaa25e8fde14a8f572 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-21 19:45:29 +01:00
# Domain for shell processes spawned by ADB or console service.
Remove domain_deprecated from adbd and shell The extra permissions are not needed. Delete them. This change also adds read permission for /data/misc/zoneinfo back to all domains. libc refernces this directory for timezone related files, and it feels dangerous and of little value to try to restrict access. In particular, this causes problems when the shell user attempts to run "ls -la" to show file time stamps in the correct timezone. Bug: 25433265 Change-Id: I666bb460e440515151e3bf46fe2e0ac0e7c99f46
2015-11-28 04:18:17 +01:00
type shell, domain, mlstrustedsubject;
Make sure exec_type is assigned to all entrypoint types. Some file types used as domain entrypoints were missing the exec_type attribute. Add it and add a neverallow rule to keep it that way. Change-Id: I7563f3e03940a27ae40ed4d6bb74181c26148849 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-09-27 16:38:14 +02:00
type shell_exec, exec_type, file_type;
SE Android policy.
2012-01-04 18:33:27 +01:00
Remove ping domain. ping in Android no longer requires any additional privileges beyond the caller. Drop the ping domain and executable file type entirely. Also add net_domain() to shell domain so that it can create and use network sockets. Change-Id: If51734abe572aecf8f510f1a55782159222e5a67 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-07 18:47:10 +01:00
# Create and use network sockets.
net_domain(shell)
SE Android policy.
2012-01-04 18:33:27 +01:00
# Run app_process.
Confine shell domain in -user builds only. Confine the domain for an adb shell in -user builds only. The shell domain in non-user builds is left permissive. init_shell (shell spawned by init, e.g. console service) remains unconfined by this change. Introduce a shelldomain attribute for rules common to all shell domains, assign it to the shell types, and add shelldomain.te for its rules. Change-Id: I01ee2c7ef80b61a9db151abe182ef9af7623c461 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-10-23 19:25:53 +02:00
# XXX Transition into its own domain?
SE Android policy.
2012-01-04 18:33:27 +01:00
app_domain(shell)
Restrict the ability to set SELinux enforcing mode to init. Also make su and shell permissive in non-user builds to allow use of setenforce without violating the neverallow rule. Change-Id: Ie76ee04e90d5a76dfaa5f56e9e3eb7e283328a3f Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-02 20:18:11 +01:00
selinux: add pstore Used to record the Android log messages, then on reboot provide a means to triage user-space actitivies leading up to a panic. A companion to the pstore console logs. Change-Id: I9b94ee3d5e94e0c4590ba8453b4ac1ebdfc7603f
2014-12-15 21:01:35 +01:00
# logcat
shell: access to clear logs Bug: 13464830 Change-Id: Ib0a627e6d5c0114d269bb3bf8dc29a945768081d
2014-03-17 21:00:38 +01:00
read_logd(shell)
control_logd(shell)
selinux: add pstore Used to record the Android log messages, then on reboot provide a means to triage user-space actitivies leading up to a panic. A companion to the pstore console logs. Change-Id: I9b94ee3d5e94e0c4590ba8453b4ac1ebdfc7603f
2014-12-15 21:01:35 +01:00
# logcat -L (directly, or via dumpstate)
allow shell pstorefs:dir search;
allow shell pstorefs:file r_file_perms;
logd: logpersistd - Enable logpersistd to write to /data/misc/logd - Enable logpersistd to read from pstore to help complete any content lost by reboot disruption - Enable shell readonly ability logpersistd files in /data/misc/logd - Enable logcat -f when placed into logd context to act as a logpersistd (nee logcatd) agent, restrict access to run only in userdebug or eng Bug: 19608716 Change-Id: I3209582bc796a1093c325c90068a48bf268e5ab5
2015-05-27 00:12:45 +02:00
# logpersistd (nee logcatd) files
Enforce no persistent logging on user builds For userdebug and eng builds enforce that: - only logd and shell domains may access logd files - logd is only allowed to write to /data/misc/logd Change-Id: Ie909cf701fc57109257aa13bbf05236d1777669a
2015-09-22 01:22:21 +02:00
userdebug_or_eng(`
allow shell misc_logd_file:dir r_dir_perms;
allow shell misc_logd_file:file r_file_perms;
')
shell: access to clear logs Bug: 13464830 Change-Id: Ib0a627e6d5c0114d269bb3bf8dc29a945768081d
2014-03-17 21:00:38 +01:00
Add permissions back to app / shell domains Allow directory reads to allow tab completion in rootfs to work. "pm" is crashing due to failure to access /data/dalvik-cache. Add back in the permissions from domain_deprecated. Allow /sdcard to work again. Bug: 25954400 Change-Id: I48cfa92fabfa47ed3007a63b85284659ba94ea73
2015-12-02 01:28:28 +01:00
# Root fs.
allow shell rootfs:dir r_dir_perms;
Allow adbd / shell /data/anr access The shell user needs to be able to run commands like "cat /data/anr/traces.txt". Allow it. We also need to be able to pull the file via adb. "adb pull /data/anr/traces.txt". Allow it. Addresses the following denials: <4>[ 20.212398] type=1400 audit(1402000262.433:11): avc: denied { getattr } for pid=1479 comm="adbd" path="/data/anr/traces.txt" dev="mmcblk0p28" ino=325763 scontext=u:r:adbd:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file <4>[ 20.252182] type=1400 audit(1402000262.473:12): avc: denied { read } for pid=1479 comm="adbd" name="traces.txt" dev="mmcblk0p28" ino=325763 scontext=u:r:adbd:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file <4>[ 20.252579] type=1400 audit(1402000262.473:13): avc: denied { open } for pid=1479 comm="adbd" name="traces.txt" dev="mmcblk0p28" ino=325763 scontext=u:r:adbd:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file <4>[ 27.104068] type=1400 audit(1402000268.479:14): avc: denied { read } for pid=2377 comm="sh" name="traces.txt" dev="mmcblk0p28" ino=325763 scontext=u:r:shell:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file Bug: 15450720 Change-Id: I767102a7182895112838559b0ade1cd7c14459ab
2014-06-05 22:27:44 +02:00
# read files in /data/anr
allow shell anr_data_file:dir r_dir_perms;
allow shell anr_data_file:file r_file_perms;
Refactor the shell domains. Originally we used the shell domain for ADB shell only and the init_shell domain for the console service, both transitioned via automatic domain transitions on sh. So they originally shared a common set of rules. Then init_shell started to be used for sh commands invoked by init.<board>.rc files, and we switched the console service to just use the shell domain via seclabel entry in init.rc. Even most of the sh command instances in init.<board>.rc files have been converted to use explicit seclabel options with more specific domains (one lingering use is touch_fw_update service in init.grouper.rc). The primary purpose of init_shell at this point is just to shed certain permissions from the init domain when init invokes a shell command. And init_shell and shell are quite different in their permission requirements since the former is used now for uid-0 processes spawned by init whereas the latter is used for uid-shell processes spawned by adb or init. Given these differences, drop the shelldomain attribute and take those rules directly into shell.te. init_shell was an unconfined_domain(), so it loses nothing from this change. Also switch init_shell to permissive_or_unconfined() so that we can see its actual denials in the future in userdebug/eng builds. Change-Id: I6e7e45724d1aa3a6bcce8df676857bc8eef568f0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-11 13:10:09 +02:00
# Access /data/local/tmp.
allow shell shell_data_file:dir create_dir_perms;
allow shell shell_data_file:file create_file_perms;
allow shell shell_data_file:file rx_file_perms;
add permissions for adb shell to create symlinks in /data/local/tmp Bug: 18485243 Change-Id: Ic17baa0767ee1f1a27a3338558b86482ca92765e
2014-12-10 08:49:31 +01:00
allow shell shell_data_file:lnk_file create_file_perms;
Refactor the shell domains. Originally we used the shell domain for ADB shell only and the init_shell domain for the console service, both transitioned via automatic domain transitions on sh. So they originally shared a common set of rules. Then init_shell started to be used for sh commands invoked by init.<board>.rc files, and we switched the console service to just use the shell domain via seclabel entry in init.rc. Even most of the sh command instances in init.<board>.rc files have been converted to use explicit seclabel options with more specific domains (one lingering use is touch_fw_update service in init.grouper.rc). The primary purpose of init_shell at this point is just to shed certain permissions from the init domain when init invokes a shell command. And init_shell and shell are quite different in their permission requirements since the former is used now for uid-0 processes spawned by init whereas the latter is used for uid-shell processes spawned by adb or init. Given these differences, drop the shelldomain attribute and take those rules directly into shell.te. init_shell was an unconfined_domain(), so it loses nothing from this change. Also switch init_shell to permissive_or_unconfined() so that we can see its actual denials in the future in userdebug/eng builds. Change-Id: I6e7e45724d1aa3a6bcce8df676857bc8eef568f0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-11 13:10:09 +02:00
SELinux policy for /data/misc/profman Bug: 28748264 Change-Id: I872c25666707beb737f3ce7a4f706c0135df7ad5
2016-05-27 21:41:35 +02:00
# Access /data/misc/profman.
allow shell profman_dump_data_file:dir { search getattr write remove_name };
allow shell profman_dump_data_file:file { getattr unlink };
Create a new SELinux type for /data/nativetest 1) Don't use the generic "system_data_file" for the files in /data/nativetest. Rather, ensure it has it's own special label. This allows us to distinguish these files from other files in SELinux policy. 2) Allow the shell user to execute files from /data/nativetest, on userdebug or eng builds only. 3) Add a neverallow rule (compile time assertion + CTS test) that nobody is allowed to execute these files on user builds, and only the shell user is allowed to execute these files on userdebug/eng builds. Bug: 25340994 Change-Id: I3e292cdd1908f342699d6c52f8bbbe6065359413
2015-10-29 00:45:58 +01:00
# Read/execute files in /data/nativetest
userdebug_or_eng(`
allow shell nativetest_data_file:dir r_dir_perms;
allow shell nativetest_data_file:file rx_file_perms;
')
Refactor the shell domains. Originally we used the shell domain for ADB shell only and the init_shell domain for the console service, both transitioned via automatic domain transitions on sh. So they originally shared a common set of rules. Then init_shell started to be used for sh commands invoked by init.<board>.rc files, and we switched the console service to just use the shell domain via seclabel entry in init.rc. Even most of the sh command instances in init.<board>.rc files have been converted to use explicit seclabel options with more specific domains (one lingering use is touch_fw_update service in init.grouper.rc). The primary purpose of init_shell at this point is just to shed certain permissions from the init domain when init invokes a shell command. And init_shell and shell are quite different in their permission requirements since the former is used now for uid-0 processes spawned by init whereas the latter is used for uid-shell processes spawned by adb or init. Given these differences, drop the shelldomain attribute and take those rules directly into shell.te. init_shell was an unconfined_domain(), so it loses nothing from this change. Also switch init_shell to permissive_or_unconfined() so that we can see its actual denials in the future in userdebug/eng builds. Change-Id: I6e7e45724d1aa3a6bcce8df676857bc8eef568f0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-11 13:10:09 +02:00
# adb bugreport
unix_socket_connect(shell, dumpstate, dumpstate)
allow shell devpts:chr_file rw_file_perms;
allow shell tty_device:chr_file rw_file_perms;
allow shell console_device:chr_file rw_file_perms;
Allow shell to read/search /dev/input directory. Resolves denials such as: avc: denied { read } for pid=16758 comm="getevent" name="input" dev="tmpfs" ino=6018 scontext=u:r:shell:s0 tcontext=u:object_r:input_device:s0 tclass=dir Change-Id: I709bd20a03a5271382b191393d55a34b0b8e4e0c Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-11 18:09:15 +02:00
allow shell input_device:dir r_dir_perms;
Refactor the shell domains. Originally we used the shell domain for ADB shell only and the init_shell domain for the console service, both transitioned via automatic domain transitions on sh. So they originally shared a common set of rules. Then init_shell started to be used for sh commands invoked by init.<board>.rc files, and we switched the console service to just use the shell domain via seclabel entry in init.rc. Even most of the sh command instances in init.<board>.rc files have been converted to use explicit seclabel options with more specific domains (one lingering use is touch_fw_update service in init.grouper.rc). The primary purpose of init_shell at this point is just to shed certain permissions from the init domain when init invokes a shell command. And init_shell and shell are quite different in their permission requirements since the former is used now for uid-0 processes spawned by init whereas the latter is used for uid-shell processes spawned by adb or init. Given these differences, drop the shelldomain attribute and take those rules directly into shell.te. init_shell was an unconfined_domain(), so it loses nothing from this change. Also switch init_shell to permissive_or_unconfined() so that we can see its actual denials in the future in userdebug/eng builds. Change-Id: I6e7e45724d1aa3a6bcce8df676857bc8eef568f0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-11 13:10:09 +02:00
allow shell input_device:chr_file rw_file_perms;
shell.te: Allow read access to system_file Certain tests depend on the ability to examine directories in /system. Allow it to the shell user. Addresses the following denials: avc: denied { read } for name="egl" dev="dm-1" ino=104 scontext=u:r:shell:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0 Bug: 26020967 Bug: 26023420 Change-Id: I509d921e159e99164c85fae9e8b2982a47573d14
2015-12-04 18:05:02 +01:00
r_dir_file(shell, system_file)
Refactor the shell domains. Originally we used the shell domain for ADB shell only and the init_shell domain for the console service, both transitioned via automatic domain transitions on sh. So they originally shared a common set of rules. Then init_shell started to be used for sh commands invoked by init.<board>.rc files, and we switched the console service to just use the shell domain via seclabel entry in init.rc. Even most of the sh command instances in init.<board>.rc files have been converted to use explicit seclabel options with more specific domains (one lingering use is touch_fw_update service in init.grouper.rc). The primary purpose of init_shell at this point is just to shed certain permissions from the init domain when init invokes a shell command. And init_shell and shell are quite different in their permission requirements since the former is used now for uid-0 processes spawned by init whereas the latter is used for uid-shell processes spawned by adb or init. Given these differences, drop the shelldomain attribute and take those rules directly into shell.te. init_shell was an unconfined_domain(), so it loses nothing from this change. Also switch init_shell to permissive_or_unconfined() so that we can see its actual denials in the future in userdebug/eng builds. Change-Id: I6e7e45724d1aa3a6bcce8df676857bc8eef568f0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-11 13:10:09 +02:00
allow shell system_file:file x_file_perms;
Only allow toolbox exec where /system exec was already allowed. When the toolbox domain was introduced, we allowed all domains to exec it to avoid breakage. However, only domains that were previously allowed the ability to exec /system files would have been able to do this prior to the introduction of the toolbox domain. Remove the rule from domain.te and add rules to all domains that are already allowed execute_no_trans to system_file. Requires coordination with device-specific policy changes with the same Change-Id. Change-Id: Ie46209f0412f9914857dc3d7c6b0917b7031aae5 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-08-25 17:38:29 +02:00
allow shell toolbox_exec:file rx_file_perms;
Refactor the shell domains. Originally we used the shell domain for ADB shell only and the init_shell domain for the console service, both transitioned via automatic domain transitions on sh. So they originally shared a common set of rules. Then init_shell started to be used for sh commands invoked by init.<board>.rc files, and we switched the console service to just use the shell domain via seclabel entry in init.rc. Even most of the sh command instances in init.<board>.rc files have been converted to use explicit seclabel options with more specific domains (one lingering use is touch_fw_update service in init.grouper.rc). The primary purpose of init_shell at this point is just to shed certain permissions from the init domain when init invokes a shell command. And init_shell and shell are quite different in their permission requirements since the former is used now for uid-0 processes spawned by init whereas the latter is used for uid-shell processes spawned by adb or init. Given these differences, drop the shelldomain attribute and take those rules directly into shell.te. init_shell was an unconfined_domain(), so it loses nothing from this change. Also switch init_shell to permissive_or_unconfined() so that we can see its actual denials in the future in userdebug/eng builds. Change-Id: I6e7e45724d1aa3a6bcce8df676857bc8eef568f0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-11 13:10:09 +02:00
allow shell shell_exec:file rx_file_perms;
allow shell zygote_exec:file rx_file_perms;
r_dir_file(shell, apk_data_file)
# Set properties.
Replace unix_socket_connect() and explicit property sets with macro A common source of mistakes when authoring sepolicy is properly setting up property sets. This is a 3 part step of: 1. Allowing the unix domain connection to the init/property service 2. Allowing write on the property_socket file 3. Allowing the set on class property_service The macro unix_socket_connect() handled 1 and 2, but could be confusing for first time policy authors. 3 had to be explicitly added. To correct this, we introduce a new macros: set_prop(sourcedomain, targetprop) This macro handles steps 1, 2 and 3. No difference in sediff is expected. Change-Id: I630ba0178439c935d08062892990d43a3cc1239e Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>
2015-05-05 03:22:45 +02:00
set_prop(shell, shell_prop)
Increase communication surface between dumpstate and Shell: - Add a new 'dumpstate' context for system properties. This context will be used to share state between dumpstate and Shell. For example, as dumpstate progresses, it will update a system property, which Shell will use to display the progress in the UI as a system notification. The user could also rename the bugreport file, in which case Shell would use another system property to communicate such change to dumpstate. - Allow Shell to call 'ctl.bugreport stop' so the same system notification can be used to stop dumpstate. BUG: 25794470 Change-Id: I74b80bda07292a91358f2eea9eb8444caabc5895
2015-12-02 03:03:05 +01:00
set_prop(shell, ctl_bugreport_prop)
Replace unix_socket_connect() and explicit property sets with macro A common source of mistakes when authoring sepolicy is properly setting up property sets. This is a 3 part step of: 1. Allowing the unix domain connection to the init/property service 2. Allowing write on the property_socket file 3. Allowing the set on class property_service The macro unix_socket_connect() handled 1 and 2, but could be confusing for first time policy authors. 3 had to be explicitly added. To correct this, we introduce a new macros: set_prop(sourcedomain, targetprop) This macro handles steps 1, 2 and 3. No difference in sediff is expected. Change-Id: I630ba0178439c935d08062892990d43a3cc1239e Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>
2015-05-05 03:22:45 +02:00
set_prop(shell, ctl_dumpstate_prop)
Increase communication surface between dumpstate and Shell: - Add a new 'dumpstate' context for system properties. This context will be used to share state between dumpstate and Shell. For example, as dumpstate progresses, it will update a system property, which Shell will use to display the progress in the UI as a system notification. The user could also rename the bugreport file, in which case Shell would use another system property to communicate such change to dumpstate. - Allow Shell to call 'ctl.bugreport stop' so the same system notification can be used to stop dumpstate. BUG: 25794470 Change-Id: I74b80bda07292a91358f2eea9eb8444caabc5895
2015-12-02 03:03:05 +01:00
set_prop(shell, dumpstate_prop)
Replace unix_socket_connect() and explicit property sets with macro A common source of mistakes when authoring sepolicy is properly setting up property sets. This is a 3 part step of: 1. Allowing the unix domain connection to the init/property service 2. Allowing write on the property_socket file 3. Allowing the set on class property_service The macro unix_socket_connect() handled 1 and 2, but could be confusing for first time policy authors. 3 had to be explicitly added. To correct this, we introduce a new macros: set_prop(sourcedomain, targetprop) This macro handles steps 1, 2 and 3. No difference in sediff is expected. Change-Id: I630ba0178439c935d08062892990d43a3cc1239e Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>
2015-05-05 03:22:45 +02:00
set_prop(shell, debug_prop)
set_prop(shell, powerctl_prop)
Allow shell to set log.tag.* properties Also allow shell to set persist.log.tag.* Bug: 28942894 Change-Id: Ifdb2c87871f159dd15338db372921297aea3bc6b
2016-06-01 20:14:14 +02:00
set_prop(shell, log_tag_prop)
set_prop(shell, wifi_log_prop)
limit shell's access to log.* properties Restrict the ability of the shell to set the log.* properties. Namely: only allow the shell to set such properities on eng and userdebug builds. The shell (and other domains) can continue to read log.* properties on all builds. While there: harmonize permissions for log.* and persist.log.tag. Doing so introduces two changes: - log.* is now writable from from |system_app|. This mirrors the behavior of persist.log.tag, which is writable to support "Developer options" -> "Logger buffer sizes" -> "Off". (Since this option is visible on user builds, the permission is enabled for all builds.) - persist.log.tag can now be set from |shell| on userdebug_or_eng(). BUG=28221972 TEST=manual (see below) Testing details - user build (log.tag) $ adb shell setprop log.tag.foo V $ adb shell getprop log.tag <blank line> $ adb bugreport | grep log.tag.foo [ 146.525836] init: avc: denied { set } for property=log.tag.foo pid=4644 uid=2000 gid=2000 scontext=u:r:shell:s0 tcontext=u:object_r:log_prop:s0 tclass=property_service permissive=0 [ 146.525878] init: sys_prop: permission denied uid:2000 name:log.tag.foo - userdebug build (log.tag) $ adb shell getprop log.tag.foo <blank line> $ adb shell setprop log.tag.foo V $ adb shell getprop log.tag.foo V - user build (persist.log.tag) $ adb shell getprop | grep log.tag <no match> - Developer options -> Logger buffer sizes -> Off $ adb shell getprop | grep log.tag [persist.log.tag]: [Settings] [persist.log.tag.snet_event_log]: [I] Change-Id: Idf00e7a623723a7c46bf6d01e386aeca92b2ad75
2016-04-15 20:10:06 +02:00
userdebug_or_eng(`set_prop(shell, log_prop)')
logpersist: reserve persist.logd.logpersistd shell, system_app and logd access granted on debug builds only Bug: 28936216 Change-Id: Ib9648e8565cc0ea0077cf0950b0e4ac6fe0a3135
2016-06-06 21:18:46 +02:00
userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)')
Refactor the shell domains. Originally we used the shell domain for ADB shell only and the init_shell domain for the console service, both transitioned via automatic domain transitions on sh. So they originally shared a common set of rules. Then init_shell started to be used for sh commands invoked by init.<board>.rc files, and we switched the console service to just use the shell domain via seclabel entry in init.rc. Even most of the sh command instances in init.<board>.rc files have been converted to use explicit seclabel options with more specific domains (one lingering use is touch_fw_update service in init.grouper.rc). The primary purpose of init_shell at this point is just to shed certain permissions from the init domain when init invokes a shell command. And init_shell and shell are quite different in their permission requirements since the former is used now for uid-0 processes spawned by init whereas the latter is used for uid-shell processes spawned by adb or init. Given these differences, drop the shelldomain attribute and take those rules directly into shell.te. init_shell was an unconfined_domain(), so it loses nothing from this change. Also switch init_shell to permissive_or_unconfined() so that we can see its actual denials in the future in userdebug/eng builds. Change-Id: I6e7e45724d1aa3a6bcce8df676857bc8eef568f0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-11 13:10:09 +02:00
# systrace support - allow atrace to run
label /sys/kernel/debug/tracing and remove debugfs write Start labeling the directory /sys/kernel/debug/tracing. The files in this directory need to be writable to the shell user. Remove global debugfs:file write access. This was added in the days before we could label individual debugfs files. Change-Id: I79c1fcb63b4b9b903dcabd99b6b25e201fe540a3
2015-12-14 22:57:26 +01:00
allow shell debugfs_tracing:dir r_dir_perms;
allow shell debugfs_tracing:file rw_file_perms;
init.te: allow writing to /sys/kernel/debug/tracing/tracing_on Needed to disable tracing. See frameworks/native/cmds/atrace/atrace.rc Also allow shell getattr access to the tracing file. That way "ls -la" returns something meaningful. Bug: 26217098 Change-Id: I4eee1aff1127db8945612133c8ae16c34cfbb786
2015-12-16 21:50:06 +01:00
allow shell debugfs_trace_marker:file getattr;
Add SELinux settings to support tracing during boot. This CL adds the SELinux settings required to support tracing during boot. https://android-review.googlesource.com/#/c/157163/ BUG: 21739901 Change-Id: Ib3a7107776141ac8cf4f1ca06674f47a0d4b6ae0
2015-06-24 08:24:17 +02:00
allow shell atrace_exec:file rx_file_perms;
userdebug_or_eng(`
# "systrace --boot" support - allow boottrace service to run
allow shell boottrace_data_file:dir rw_dir_perms;
allow shell boottrace_data_file:file create_file_perms;
set_prop(shell, persist_debug_prop)
')
Refactor the shell domains. Originally we used the shell domain for ADB shell only and the init_shell domain for the console service, both transitioned via automatic domain transitions on sh. So they originally shared a common set of rules. Then init_shell started to be used for sh commands invoked by init.<board>.rc files, and we switched the console service to just use the shell domain via seclabel entry in init.rc. Even most of the sh command instances in init.<board>.rc files have been converted to use explicit seclabel options with more specific domains (one lingering use is touch_fw_update service in init.grouper.rc). The primary purpose of init_shell at this point is just to shed certain permissions from the init domain when init invokes a shell command. And init_shell and shell are quite different in their permission requirements since the former is used now for uid-0 processes spawned by init whereas the latter is used for uid-shell processes spawned by adb or init. Given these differences, drop the shelldomain attribute and take those rules directly into shell.te. init_shell was an unconfined_domain(), so it loses nothing from this change. Also switch init_shell to permissive_or_unconfined() so that we can see its actual denials in the future in userdebug/eng builds. Change-Id: I6e7e45724d1aa3a6bcce8df676857bc8eef568f0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-11 13:10:09 +02:00
# allow shell to run dmesg
allow shell kernel:system syslog_read;
Allow dumpstate and shell to list services. Addresses the following denials: avc: denied { list } for service=NULL scontext=u:r:shell:s0 tcontext=u:r:servicemanager:s0 tclass=service_manager avc: denied { list } for service=NULL scontext=u:r:dumpstate:s0 tcontext=u:r:servicemanager:s0 tclass=service_manager Bug: 18864737 Change-Id: I72bd2cd9663f1df9410c2139411038fa997bf1b4
2014-12-31 00:21:50 +01:00
Allow shell to find all services. dumpsys from shell results in many denials: 11-08 02:52:13.087 171 171 E SELinux : avc: denied { find } for service=SurfaceFlinger scontext=u:r:shell:s0 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager 11-08 02:52:13.089 171 171 E SELinux : avc: denied { find } for service=android.security.keystore scontext=u:r:shell:s0 tcontext=u:object_r:keystore_service:s0 tclass=service_manager 11-08 02:52:13.093 171 171 E SELinux : avc: denied { find } for service=batteryproperties scontext=u:r:shell:s0 tcontext=u:object_r:healthd_service:s0 tclass=service_manager 11-08 02:52:13.103 171 171 E SELinux : avc: denied { find } for service=display.qservice scontext=u:r:shell:s0 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager 11-08 02:52:13.104 171 171 E SELinux : avc: denied { find } for service=drm.drmManager scontext=u:r:shell:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager 11-08 02:52:13.113 171 171 E SELinux : avc: denied { find } for service=media.audio_flinger scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager 11-08 02:52:13.113 171 171 E SELinux : avc: denied { find } for service=media.audio_policy scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager 11-08 02:52:13.113 171 171 E SELinux : avc: denied { find } for service=media.camera scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager 11-08 02:52:13.114 171 171 E SELinux : avc: denied { find } for service=media.player scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager 11-08 02:52:13.114 171 171 E SELinux : avc: denied { find } for service=media.sound_trigger_hw scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager 11-08 02:52:13.118 171 171 E SELinux : avc: denied { find } for service=nfc scontext=u:r:shell:s0 tcontext=u:object_r:nfc_service:s0 tclass=service_manager 11-08 02:52:13.130 171 171 E SELinux : avc: denied { find } for service=SurfaceFlinger scontext=u:r:shell:s0 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager 11-08 02:52:13.379 171 171 E SELinux : avc: denied { find } for service=android.security.keystore scontext=u:r:shell:s0 tcontext=u:object_r:keystore_service:s0 tclass=service_manager 11-08 02:52:13.388 171 171 E SELinux : avc: denied { find } for service=batteryproperties scontext=u:r:shell:s0 tcontext=u:object_r:healthd_service:s0 tclass=service_manager 11-08 02:52:13.574 171 171 E SELinux : avc: denied { find } for service=display.qservice scontext=u:r:shell:s0 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager 11-08 02:52:13.576 171 171 E SELinux : avc: denied { find } for service=drm.drmManager scontext=u:r:shell:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager 11-08 02:52:13.712 171 171 E SELinux : avc: denied { find } for service=media.audio_flinger scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager 11-08 02:52:13.712 171 171 E SELinux : avc: denied { find } for service=media.audio_policy scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager 11-08 02:52:13.713 171 171 E SELinux : avc: denied { find } for service=media.camera scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager 11-08 02:52:13.713 171 171 E SELinux : avc: denied { find } for service=media.player scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager 11-08 02:52:13.713 171 171 E SELinux : avc: denied { find } for service=media.sound_trigger_hw scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager Bug: 18799966 Change-Id: Id2bf69230338ac9dd45dc5d70f419fa41056e4fc
2015-01-24 00:55:42 +01:00
# allow shell access to services
Allow dumpstate and shell to list services. Addresses the following denials: avc: denied { list } for service=NULL scontext=u:r:shell:s0 tcontext=u:r:servicemanager:s0 tclass=service_manager avc: denied { list } for service=NULL scontext=u:r:dumpstate:s0 tcontext=u:r:servicemanager:s0 tclass=service_manager Bug: 18864737 Change-Id: I72bd2cd9663f1df9410c2139411038fa997bf1b4
2014-12-31 00:21:50 +01:00
allow shell servicemanager:service_manager list;
SELinux permissions for gatekeeper TEE proxy sets up: - execute permissions - binder permission (system_server->gatekeeper->keystore) - prevents dumpstate and shell from finding GK binder service - neverallow rules for prohibited clients Change-Id: I1817933a91de625db469a20c7a4c8e2ca46efa1e
2015-04-04 01:46:33 +02:00
# don't allow shell to access GateKeeper service
Revert "Revert "netd: restrict netd binder access to system_server"" This reverts commit b5594c2781c1bd03a083c77164f0809ed4a69422. Bug: 27239233 Change-Id: I407a2f3a313f3de801080f9bae46f6bac1a803c2
2016-03-02 14:57:34 +01:00
allow shell { service_manager_type -gatekeeper_service -netd_service }:service_manager find;
Allow shell to read /proc. Grant shell read access to /proc taken away by commit: 0d3f7ddc70572382edec58841b3d6262abf49f49 Addresses the following denials encountered when running ps or top. Bug: 18799966 Change-Id: If764adeade562d884c3d710f1cd1cb34011efe89
2015-01-16 22:39:59 +01:00
shell.te: Restore /proc/net access The removal of domain_deprecated from the shell user in https://android-review.googlesource.com/184260 removed /proc/net access. Restore it. Bug: 26075092 Change-Id: Iac21a1ec4b9e769c068bfdcdeeef8a7dbc93c593
2015-12-08 16:07:42 +01:00
# allow shell to look through /proc/ for ps, top, netstat
Remove domain_deprecated from adbd and shell The extra permissions are not needed. Delete them. This change also adds read permission for /data/misc/zoneinfo back to all domains. libc refernces this directory for timezone related files, and it feels dangerous and of little value to try to restrict access. In particular, this causes problems when the shell user attempts to run "ls -la" to show file time stamps in the correct timezone. Bug: 25433265 Change-Id: I666bb460e440515151e3bf46fe2e0ac0e7c99f46
2015-11-28 04:18:17 +01:00
r_dir_file(shell, proc)
shell.te: Restore /proc/net access The removal of domain_deprecated from the shell user in https://android-review.googlesource.com/184260 removed /proc/net access. Restore it. Bug: 26075092 Change-Id: Iac21a1ec4b9e769c068bfdcdeeef8a7dbc93c593
2015-12-08 16:07:42 +01:00
r_dir_file(shell, proc_net)
restrict access to timing information in /proc These APIs expose sensitive information via timing side channels. This leaves access via the adb shell intact along with the current uses by dumpstate, init and system_server. The /proc/interrupts and /proc/stat files were covered in this paper: https://www.lightbluetouchpaper.org/2016/07/29/yet-another-android-side-channel/ The /proc/softirqs, /proc/timer_list and /proc/timer_stats files are also relevant. Access to /proc has been greatly restricted since then, with untrusted apps no longer having direct access to these, but stricter restrictions beyond that would be quite useful. Change-Id: Ibed16674856569d26517e5729f0f194b830cfedd
2016-07-29 20:48:19 +02:00
allow shell proc_interrupts:file r_file_perms;
Allow shell to read /proc/meminfo. Bug: 28165026 Change-Id: I3deecd692b348dbb28bf1d36a88696e4bc1db92d
2016-04-13 19:20:41 +02:00
allow shell proc_meminfo:file r_file_perms;
restrict access to timing information in /proc These APIs expose sensitive information via timing side channels. This leaves access via the adb shell intact along with the current uses by dumpstate, init and system_server. The /proc/interrupts and /proc/stat files were covered in this paper: https://www.lightbluetouchpaper.org/2016/07/29/yet-another-android-side-channel/ The /proc/softirqs, /proc/timer_list and /proc/timer_stats files are also relevant. Access to /proc has been greatly restricted since then, with untrusted apps no longer having direct access to these, but stricter restrictions beyond that would be quite useful. Change-Id: Ibed16674856569d26517e5729f0f194b830cfedd
2016-07-29 20:48:19 +02:00
allow shell proc_stat:file r_file_perms;
allow shell proc_timer:file r_file_perms;
fine-grained policy for access to /proc/zoneinfo Change-Id: Ica9a16311075f5cc3744d0e0833ed876e201029f
2016-08-08 19:48:01 +02:00
allow shell proc_zoneinfo:file r_file_perms;
Remove domain_deprecated from adbd and shell The extra permissions are not needed. Delete them. This change also adds read permission for /data/misc/zoneinfo back to all domains. libc refernces this directory for timezone related files, and it feels dangerous and of little value to try to restrict access. In particular, this causes problems when the shell user attempts to run "ls -la" to show file time stamps in the correct timezone. Bug: 25433265 Change-Id: I666bb460e440515151e3bf46fe2e0ac0e7c99f46
2015-11-28 04:18:17 +01:00
r_dir_file(shell, cgroup)
Allow shell to read /proc. Grant shell read access to /proc taken away by commit: 0d3f7ddc70572382edec58841b3d6262abf49f49 Addresses the following denials encountered when running ps or top. Bug: 18799966 Change-Id: If764adeade562d884c3d710f1cd1cb34011efe89
2015-01-16 22:39:59 +01:00
allow shell domain:dir { search open read getattr };
allow shell domain:{ file lnk_file } { open read getattr };
bootchart: add policy rules for bootchart allow the bootchart to create dir and files at init, also allow user to create the stop and start file under /data/bootchart directory to start and stop bootchart Change-Id: Icfee8dcd17366383eef00fbe3139744bf4427a6b Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
2014-12-05 06:40:22 +01:00
undeprecate /proc/cpuinfo, more shell permissions Access to /proc/cpuinfo was moved to domain_deprecated in commit 6e3506e1ba83fb47297c8908016397c8f17840c4. Restore access to everyone. Allow the shell user to stat() /dev, and vfsstat() /proc and other labeled filesystems such as /system and /data. Access to /proc/cpuinfo was explicitly granted to bootanim, but is no longer required after moving it back to domain.te. Delete the redundant entry. Commit 4e2d22451f9645f7ab39b94b1ec0f0f5a5c5b2e9 restored access to /sys/devices/system/cpu for all domains, but forgot to remove the redundant entry from bootanim.te. Cleanup the redundant entry. Addresses the following denials: avc: denied { getattr } for pid=23648 comm="bionic-unit-tes" name="/" dev="proc" ino=1 scontext=u:r:shell:s0 tcontext=u:object_r:proc:s0 tclass=filesystem permissive=0 avc: denied { read } for name="cpuinfo" dev="proc" ino=4026533615 scontext=u:r:shell:s0 tcontext=u:object_r:proc_cpuinfo:s0 tclass=file permissive=0 avc: denied { getattr } for pid=23713 comm="bionic-unit-tes" path="/dev" dev="tmpfs" ino=11405 scontext=u:r:shell:s0 tcontext=u:object_r:device:s0 tclass=dir permissive=0 avc: denied { getattr } for name="/" dev="mmcblk0p30" ino=2 scontext=u:r:shell:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=0 Bug: 26295417 Change-Id: Ia85ac91cbd43235c0f8fe0aebafffb8046cc77ec
2015-12-23 01:41:27 +01:00
# statvfs() of /proc and other labeled filesystems
# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs)
allow shell { proc labeledfs }:filesystem getattr;
# stat() of /dev
allow shell device:dir getattr;
Allow shell to read /proc/pid/attr/current for ps -Z. Needed since Iff1e601e1268d4d77f64788d733789a2d2cd18cc removed it from appdomain. Change-Id: I9fc08b525b9868f0fb703b99b0c0c17ca8b656f9 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-03-16 16:43:22 +01:00
# allow shell to read /proc/pid/attr/current for ps -Z
allow shell domain:process getattr;
shell.te: allow pulling the currently running SELinux policy Allow pulling the currently running SELinux policy for CTS. Change-Id: I82ec03724a8e5773b3b693c4f39cc7b5c3ae4516
2015-12-03 22:28:14 +01:00
# Allow pulling the SELinux policy for CTS purposes
allow shell selinuxfs:dir r_dir_perms;
allow shell selinuxfs:file r_file_perms;
bootchart: add policy rules for bootchart allow the bootchart to create dir and files at init, also allow user to create the stop and start file under /data/bootchart directory to start and stop bootchart Change-Id: Icfee8dcd17366383eef00fbe3139744bf4427a6b Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
2014-12-05 06:40:22 +01:00
# enable shell domain to read/write files/dirs for bootchart data
# User will creates the start and stop file via adb shell
# and read other files created by init process under /data/bootchart
allow shell bootchart_data_file:dir rw_dir_perms;
allow shell bootchart_data_file:file create_file_perms;
neverallow shell file_type:file link Change-Id: I77ce4331d70edebcecc753b2e67ffab1de3ae98e
2015-04-16 17:43:10 +02:00
allow shell self:process ptrace; Allow the non-privileged adb shell user to run strace. Without this patch, the command "strace /system/bin/ls" fails with the following error: shell@android:/ $ strace /system/bin/ls strace: ptrace(PTRACE_TRACEME, ...): Permission denied +++ exited with 1 +++ Change-Id: I207fe0f71941bff55dbeb6fe130e636418f333ee
2015-10-15 22:35:01 +02:00
# Make sure strace works for the non-privileged shell user
allow shell self:process ptrace;
Add sysfs_batteryinfo label. Shell user needs to be able to get current device battery_level via /sys/class/power_supply/battery/capacity. Create a global label and corresponding policy for accessing this. Rely on each device to label the appropriate sysfs entry. Bug: 26219114 Change-Id: I2c5ef489a9db2fdf7bbd5afd04278214b814351c
2016-01-05 23:32:54 +01:00
# allow shell to get battery info
allow shell sysfs_batteryinfo:file r_file_perms;
Allow shell to read sysfs dirs. Bug: 26219114 Change-Id: I300899d610258704eb2d45488700eadb7a686606
2016-01-13 18:02:36 +01:00
allow shell sysfs:dir r_dir_perms;
shell.te: allow rules before neverallow rules By convention, allow rules should be placed before neverallow rules. Change-Id: Icb9155bcce1f77bebbf9dc83a8c7b97e161c88a5
2015-12-22 18:40:03 +01:00
# Allow access to ion memory allocation device.
allow shell ion_device:chr_file rw_file_perms;
Allow shell and adbd access to media_rw_data_file for now. With sdcardfs, we no longer have a separate sdcardd acting as an intermediate between the outside world and /data/media. Unless we modify sdcardfs to change contexts, we need these. Remove this patch if sdcardfs is updated to change the secontext of fs accesses. Bug: 27925072 Change-Id: I3ad37c0f12836249c83042bdc1111b6360f22b3c
2016-03-31 03:02:04 +02:00
# Access to /data/media.
Allow access to media_rw_data_file for now. With sdcardfs, we no longer have a separate sdcardd acting as an intermediate between the outside world and /data/media. Unless we modify sdcardfs to change contexts, we need these. Added for: adbd, kernel, mediaserver, and shell Remove this patch if sdcardfs is updated to change the secontext of fs accesses. Bug: 27915475 Bug: 27937873 Change-Id: I25edcfc7fb8423b3184db84040bda790a1042724
2016-03-31 22:53:42 +02:00
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
Allow shell and adbd access to media_rw_data_file for now. With sdcardfs, we no longer have a separate sdcardd acting as an intermediate between the outside world and /data/media. Unless we modify sdcardfs to change contexts, we need these. Remove this patch if sdcardfs is updated to change the secontext of fs accesses. Bug: 27925072 Change-Id: I3ad37c0f12836249c83042bdc1111b6360f22b3c
2016-03-31 03:02:04 +02:00
allow shell media_rw_data_file:dir create_dir_perms;
allow shell media_rw_data_file:file create_file_perms;
shell: enable hostside test: testAllCharacterDevicesAreSecure Enable shell to have access to /dev for running the world accessable mode test on /dev. This approach adds shell to the list of excluded domains on neverallows around chr_files, but locks down the access for shell to only getattr. It was done this lightly more complicated way to prevent loosening the allow rules so that any domain would have getattr permissions. Change-Id: Idab466fa226ddbf004fcb1bbcaf98c8326605253
2016-03-24 01:26:42 +01:00
#
# filesystem test for insecure chr_file's is done
# via a host side test
#
allow shell dev_type:dir r_dir_perms;
allow shell dev_type:chr_file getattr;
# /dev/fd is a symlink
allow shell proc:lnk_file getattr;
shell: enable hostside test: testAllBlockDevicesAreSecure Enable rules to allow shell to getattr on all block files for checking modes under /dev/block. Exempt shell from any neverallows on blk_file and limit them to only getattr. bug: 28306036 Change-Id: Ic26c0f7acfb238ff78d5d3537d51c1a70c64d196 Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-04-05 17:19:27 +02:00
#
# filesystem test for insucre blk_file's is done
# via hostside test
#
allow shell dev_type:blk_file getattr;
resolve merge conflicts of 9221e73 to nyc-dev-plus-aosp Change-Id: I4afb6e977955af3d8a74ada7df6705746f83bc6d
2016-04-28 22:54:48 +02:00
shell.te: allow rules before neverallow rules By convention, allow rules should be placed before neverallow rules. Change-Id: Icb9155bcce1f77bebbf9dc83a8c7b97e161c88a5
2015-12-22 18:40:03 +01:00
###
### Neverallow rules
###
neverallow shell file_type:file link Change-Id: I77ce4331d70edebcecc753b2e67ffab1de3ae98e
2015-04-16 17:43:10 +02:00
# Do not allow shell to hard link to any files.
# In particular, if shell hard links to app data
# files, installd will not be able to guarantee the deletion
# of the linked to file. Hard links also contribute to security
# bugs, so we want to ensure the shell user never has this
# capability.
neverallow shell file_type:file link;
shell: Reduce socket ioctl perms Only allow shell to access the same subset of ioctl commands as untrusted_app. This reduces the attack surface of the kernel available to a local attacker. Bug: 26324307 Bug: 26267358 Change-Id: Ib8ecb9546af5fb480d2622149d4e00ec50cd4cde
2016-01-05 16:42:16 +01:00
# Do not allow privileged socket ioctl commands
expand scope of priv_sock_ioctls neverallows From self to domain Change-Id: I97aeea67a6b66bc307715a050cf7699e5be9715e
2016-01-05 18:36:12 +01:00
neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
resolve merge conflicts of 9221e73 to nyc-dev-plus-aosp Change-Id: I4afb6e977955af3d8a74ada7df6705746f83bc6d
2016-04-28 22:54:48 +02:00
shell: enable hostside test: testAllCharacterDevicesAreSecure Enable shell to have access to /dev for running the world accessable mode test on /dev. This approach adds shell to the list of excluded domains on neverallows around chr_files, but locks down the access for shell to only getattr. It was done this lightly more complicated way to prevent loosening the allow rules so that any domain would have getattr permissions. Change-Id: Idab466fa226ddbf004fcb1bbcaf98c8326605253
2016-03-24 01:26:42 +01:00
# limit shell access to sensitive char drivers to
# only getattr required for host side test.
neverallow shell {
fuse_device
hw_random_device
kmem_device
}:chr_file ~getattr;
shell: enable hostside test: testAllBlockDevicesAreSecure Enable rules to allow shell to getattr on all block files for checking modes under /dev/block. Exempt shell from any neverallows on blk_file and limit them to only getattr. bug: 28306036 Change-Id: Ic26c0f7acfb238ff78d5d3537d51c1a70c64d196 Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-04-05 17:19:27 +02:00
# Limit shell to only getattr on blk devices for host side tests.
neverallow shell dev_type:blk_file ~getattr;
Reference in a new issue Copy permalink