2014-02-21 19:45:29 +01:00
|
|
|
# Domain for shell processes spawned by ADB or console service.
|
2015-11-28 04:18:17 +01:00
|
|
|
type shell, domain, mlstrustedsubject;
|
2013-09-27 16:38:14 +02:00
|
|
|
type shell_exec, exec_type, file_type;
|
2012-01-04 18:33:27 +01:00
|
|
|
|
2014-01-07 18:47:10 +01:00
|
|
|
# Create and use network sockets.
|
|
|
|
net_domain(shell)
|
|
|
|
|
2014-12-15 21:01:35 +01:00
|
|
|
# logcat
|
2014-03-17 21:00:38 +01:00
|
|
|
read_logd(shell)
|
|
|
|
control_logd(shell)
|
2014-12-15 21:01:35 +01:00
|
|
|
# logcat -L (directly, or via dumpstate)
|
|
|
|
allow shell pstorefs:dir search;
|
|
|
|
allow shell pstorefs:file r_file_perms;
|
2014-03-17 21:00:38 +01:00
|
|
|
|
2015-12-02 01:28:28 +01:00
|
|
|
# Root fs.
|
|
|
|
allow shell rootfs:dir r_dir_perms;
|
|
|
|
|
2014-06-05 22:27:44 +02:00
|
|
|
# read files in /data/anr
|
|
|
|
allow shell anr_data_file:dir r_dir_perms;
|
|
|
|
allow shell anr_data_file:file r_file_perms;
|
|
|
|
|
2014-06-11 13:10:09 +02:00
|
|
|
# Access /data/local/tmp.
|
|
|
|
allow shell shell_data_file:dir create_dir_perms;
|
|
|
|
allow shell shell_data_file:file create_file_perms;
|
|
|
|
allow shell shell_data_file:file rx_file_perms;
|
2014-12-10 08:49:31 +01:00
|
|
|
allow shell shell_data_file:lnk_file create_file_perms;
|
2014-06-11 13:10:09 +02:00
|
|
|
|
2018-01-16 01:44:04 +01:00
|
|
|
# Read and delete from /data/local/traces.
|
|
|
|
allow shell trace_data_file:file { r_file_perms unlink };
|
|
|
|
allow shell trace_data_file:dir { r_dir_perms remove_name write };
|
|
|
|
|
2016-05-27 21:41:35 +02:00
|
|
|
# Access /data/misc/profman.
|
|
|
|
allow shell profman_dump_data_file:dir { search getattr write remove_name };
|
|
|
|
allow shell profman_dump_data_file:file { getattr unlink };
|
|
|
|
|
2015-10-29 00:45:58 +01:00
|
|
|
# Read/execute files in /data/nativetest
|
|
|
|
userdebug_or_eng(`
|
|
|
|
allow shell nativetest_data_file:dir r_dir_perms;
|
|
|
|
allow shell nativetest_data_file:file rx_file_perms;
|
|
|
|
')
|
|
|
|
|
2014-06-11 13:10:09 +02:00
|
|
|
# adb bugreport
|
|
|
|
unix_socket_connect(shell, dumpstate, dumpstate)
|
|
|
|
|
|
|
|
allow shell devpts:chr_file rw_file_perms;
|
|
|
|
allow shell tty_device:chr_file rw_file_perms;
|
|
|
|
allow shell console_device:chr_file rw_file_perms;
|
2014-06-11 18:09:15 +02:00
|
|
|
allow shell input_device:dir r_dir_perms;
|
2014-06-11 13:10:09 +02:00
|
|
|
allow shell input_device:chr_file rw_file_perms;
|
2015-12-04 18:05:02 +01:00
|
|
|
r_dir_file(shell, system_file)
|
2014-06-11 13:10:09 +02:00
|
|
|
allow shell system_file:file x_file_perms;
|
2015-08-25 17:38:29 +02:00
|
|
|
allow shell toolbox_exec:file rx_file_perms;
|
2017-02-24 20:03:58 +01:00
|
|
|
allow shell tzdatacheck_exec:file rx_file_perms;
|
2014-06-11 13:10:09 +02:00
|
|
|
allow shell shell_exec:file rx_file_perms;
|
|
|
|
allow shell zygote_exec:file rx_file_perms;
|
|
|
|
|
|
|
|
r_dir_file(shell, apk_data_file)
|
|
|
|
|
|
|
|
# Set properties.
|
2015-05-05 03:22:45 +02:00
|
|
|
set_prop(shell, shell_prop)
|
2015-12-02 03:03:05 +01:00
|
|
|
set_prop(shell, ctl_bugreport_prop)
|
2015-05-05 03:22:45 +02:00
|
|
|
set_prop(shell, ctl_dumpstate_prop)
|
2015-12-02 03:03:05 +01:00
|
|
|
set_prop(shell, dumpstate_prop)
|
2017-10-19 09:54:49 +02:00
|
|
|
set_prop(shell, exported_dumpstate_prop)
|
2015-05-05 03:22:45 +02:00
|
|
|
set_prop(shell, debug_prop)
|
|
|
|
set_prop(shell, powerctl_prop)
|
2016-06-01 20:14:14 +02:00
|
|
|
set_prop(shell, log_tag_prop)
|
|
|
|
set_prop(shell, wifi_log_prop)
|
2016-08-10 20:10:02 +02:00
|
|
|
# adjust is_loggable properties
|
2016-04-15 20:10:06 +02:00
|
|
|
userdebug_or_eng(`set_prop(shell, log_prop)')
|
2016-08-10 20:10:02 +02:00
|
|
|
# logpersist script
|
2016-06-06 21:18:46 +02:00
|
|
|
userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)')
|
2014-06-11 13:10:09 +02:00
|
|
|
|
2015-06-24 08:24:17 +02:00
|
|
|
userdebug_or_eng(`
|
|
|
|
# "systrace --boot" support - allow boottrace service to run
|
|
|
|
allow shell boottrace_data_file:dir rw_dir_perms;
|
|
|
|
allow shell boottrace_data_file:file create_file_perms;
|
|
|
|
set_prop(shell, persist_debug_prop)
|
|
|
|
')
|
2014-06-11 13:10:09 +02:00
|
|
|
|
2016-12-29 02:44:33 +01:00
|
|
|
# Read device's serial number from system properties
|
|
|
|
get_prop(shell, serialno_prop)
|
|
|
|
|
2018-03-30 03:21:31 +02:00
|
|
|
# Allow shell to read the vendor security patch level for CTS
|
|
|
|
get_prop(shell, vendor_security_patch_level_prop)
|
|
|
|
|
2017-04-20 19:02:50 +02:00
|
|
|
# Read state of logging-related properties
|
|
|
|
get_prop(shell, device_logging_prop)
|
|
|
|
|
2017-08-14 23:25:10 +02:00
|
|
|
# Read state of boot reason properties
|
|
|
|
get_prop(shell, bootloader_boot_reason_prop)
|
|
|
|
get_prop(shell, last_boot_reason_prop)
|
|
|
|
get_prop(shell, system_boot_reason_prop)
|
|
|
|
|
2015-01-24 00:55:42 +01:00
|
|
|
# allow shell access to services
|
2014-12-31 00:21:50 +01:00
|
|
|
allow shell servicemanager:service_manager list;
|
2015-04-04 01:46:33 +02:00
|
|
|
# don't allow shell to access GateKeeper service
|
2016-10-29 00:52:15 +02:00
|
|
|
# TODO: why is this so broad? Tightening candidate? It needs at list:
|
|
|
|
# - dumpstate_service (so it can receive dumpstate progress updates)
|
2017-09-26 21:58:29 +02:00
|
|
|
allow shell {
|
|
|
|
service_manager_type
|
|
|
|
-gatekeeper_service
|
|
|
|
-incident_service
|
|
|
|
-installd_service
|
|
|
|
-netd_service
|
|
|
|
-virtual_touchpad_service
|
|
|
|
-vold_service
|
|
|
|
-vr_hwc_service
|
|
|
|
}:service_manager find;
|
2016-10-29 00:52:15 +02:00
|
|
|
allow shell dumpstate:binder call;
|
2015-01-16 22:39:59 +01:00
|
|
|
|
2017-01-21 00:19:32 +01:00
|
|
|
# allow shell to get information from hwservicemanager
|
2017-02-14 00:42:42 +01:00
|
|
|
# for instance, listing hardware services with lshal
|
2017-01-21 00:19:32 +01:00
|
|
|
hwbinder_use(shell)
|
2017-04-08 01:14:43 +02:00
|
|
|
allow shell hwservicemanager:hwservice_manager list;
|
2017-01-21 00:19:32 +01:00
|
|
|
|
2017-10-20 21:38:17 +02:00
|
|
|
# allow shell to look through /proc/ for lsmod, ps, top, netstat.
|
2015-12-08 16:07:42 +01:00
|
|
|
r_dir_file(shell, proc_net)
|
2017-11-13 18:50:03 +01:00
|
|
|
|
|
|
|
allow shell {
|
|
|
|
proc_asound
|
|
|
|
proc_filesystems
|
|
|
|
proc_interrupts
|
|
|
|
proc_meminfo
|
|
|
|
proc_modules
|
2017-11-28 17:42:40 +01:00
|
|
|
proc_pid_max
|
2018-04-04 21:59:11 +02:00
|
|
|
proc_qtaguid_stat
|
2017-11-13 18:50:03 +01:00
|
|
|
proc_stat
|
|
|
|
proc_timer
|
|
|
|
proc_uptime
|
|
|
|
proc_version
|
|
|
|
proc_zoneinfo
|
|
|
|
}:file r_file_perms;
|
|
|
|
|
2017-12-12 18:34:13 +01:00
|
|
|
# allow listing network interfaces under /sys/class/net.
|
|
|
|
allow shell sysfs_net:dir r_dir_perms;
|
|
|
|
|
2015-11-28 04:18:17 +01:00
|
|
|
r_dir_file(shell, cgroup)
|
2015-01-16 22:39:59 +01:00
|
|
|
allow shell domain:dir { search open read getattr };
|
|
|
|
allow shell domain:{ file lnk_file } { open read getattr };
|
2014-12-05 06:40:22 +01:00
|
|
|
|
2015-12-23 01:41:27 +01:00
|
|
|
# statvfs() of /proc and other labeled filesystems
|
|
|
|
# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs)
|
|
|
|
allow shell { proc labeledfs }:filesystem getattr;
|
|
|
|
|
|
|
|
# stat() of /dev
|
|
|
|
allow shell device:dir getattr;
|
|
|
|
|
2015-03-16 16:43:22 +01:00
|
|
|
# allow shell to read /proc/pid/attr/current for ps -Z
|
|
|
|
allow shell domain:process getattr;
|
|
|
|
|
2015-12-03 22:28:14 +01:00
|
|
|
# Allow pulling the SELinux policy for CTS purposes
|
|
|
|
allow shell selinuxfs:dir r_dir_perms;
|
|
|
|
allow shell selinuxfs:file r_file_perms;
|
|
|
|
|
2014-12-05 06:40:22 +01:00
|
|
|
# enable shell domain to read/write files/dirs for bootchart data
|
|
|
|
# User will creates the start and stop file via adb shell
|
|
|
|
# and read other files created by init process under /data/bootchart
|
|
|
|
allow shell bootchart_data_file:dir rw_dir_perms;
|
|
|
|
allow shell bootchart_data_file:file create_file_perms;
|
2015-04-16 17:43:10 +02:00
|
|
|
|
2015-10-15 22:35:01 +02:00
|
|
|
# Make sure strace works for the non-privileged shell user
|
|
|
|
allow shell self:process ptrace;
|
|
|
|
|
2016-01-05 23:32:54 +01:00
|
|
|
# allow shell to get battery info
|
2016-01-13 18:02:36 +01:00
|
|
|
allow shell sysfs:dir r_dir_perms;
|
2017-10-13 19:26:44 +02:00
|
|
|
allow shell sysfs_batteryinfo:dir r_dir_perms;
|
|
|
|
allow shell sysfs_batteryinfo:file r_file_perms;
|
2015-12-22 18:40:03 +01:00
|
|
|
|
|
|
|
# Allow access to ion memory allocation device.
|
|
|
|
allow shell ion_device:chr_file rw_file_perms;
|
|
|
|
|
2016-03-24 01:26:42 +01:00
|
|
|
#
|
|
|
|
# filesystem test for insecure chr_file's is done
|
|
|
|
# via a host side test
|
|
|
|
#
|
|
|
|
allow shell dev_type:dir r_dir_perms;
|
|
|
|
allow shell dev_type:chr_file getattr;
|
|
|
|
|
|
|
|
# /dev/fd is a symlink
|
|
|
|
allow shell proc:lnk_file getattr;
|
|
|
|
|
2016-04-05 17:19:27 +02:00
|
|
|
#
|
|
|
|
# filesystem test for insucre blk_file's is done
|
|
|
|
# via hostside test
|
|
|
|
#
|
|
|
|
allow shell dev_type:blk_file getattr;
|
2016-04-28 22:54:48 +02:00
|
|
|
|
2017-04-04 01:31:09 +02:00
|
|
|
# read selinux policy files
|
|
|
|
allow shell file_contexts_file:file r_file_perms;
|
|
|
|
allow shell property_contexts_file:file r_file_perms;
|
|
|
|
allow shell seapp_contexts_file:file r_file_perms;
|
|
|
|
allow shell service_contexts_file:file r_file_perms;
|
|
|
|
allow shell sepolicy_file:file r_file_perms;
|
|
|
|
|
2018-01-11 20:01:30 +01:00
|
|
|
# Allow shell to start up vendor shell
|
|
|
|
allow shell vendor_shell_exec:file rx_file_perms;
|
|
|
|
|
2015-12-22 18:40:03 +01:00
|
|
|
###
|
|
|
|
### Neverallow rules
|
|
|
|
###
|
|
|
|
|
2015-04-16 17:43:10 +02:00
|
|
|
# Do not allow shell to hard link to any files.
|
|
|
|
# In particular, if shell hard links to app data
|
|
|
|
# files, installd will not be able to guarantee the deletion
|
|
|
|
# of the linked to file. Hard links also contribute to security
|
|
|
|
# bugs, so we want to ensure the shell user never has this
|
|
|
|
# capability.
|
|
|
|
neverallow shell file_type:file link;
|
2016-01-05 16:42:16 +01:00
|
|
|
|
|
|
|
# Do not allow privileged socket ioctl commands
|
2016-01-05 18:36:12 +01:00
|
|
|
neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
|
2016-04-28 22:54:48 +02:00
|
|
|
|
2016-03-24 01:26:42 +01:00
|
|
|
# limit shell access to sensitive char drivers to
|
|
|
|
# only getattr required for host side test.
|
|
|
|
neverallow shell {
|
|
|
|
fuse_device
|
|
|
|
hw_random_device
|
|
|
|
kmem_device
|
2016-12-05 00:11:29 +01:00
|
|
|
port_device
|
2016-03-24 01:26:42 +01:00
|
|
|
}:chr_file ~getattr;
|
2016-04-05 17:19:27 +02:00
|
|
|
|
|
|
|
# Limit shell to only getattr on blk devices for host side tests.
|
|
|
|
neverallow shell dev_type:blk_file ~getattr;
|