platform_system_sepolicy/shelldomain.te

# Rules for all shell domains (e.g. console service and adb shell).

# Access /data/local/tmp.
allow shelldomain shell_data_file:dir create_dir_perms;
allow shelldomain shell_data_file:file create_file_perms;
allow shelldomain shell_data_file:file rx_file_perms;

# adb bugreport
unix_socket_connect(shelldomain, dumpstate, dumpstate)

allow shelldomain rootfs:dir r_dir_perms;
allow shelldomain devpts:chr_file rw_file_perms;
allow shelldomain tty_device:chr_file rw_file_perms;
allow shelldomain console_device:chr_file rw_file_perms;
allow shelldomain input_device:chr_file rw_file_perms;
allow shelldomain system_file:file x_file_perms;
allow shelldomain shell_exec:file rx_file_perms;
allow shelldomain zygote_exec:file rx_file_perms;

r_dir_file(shelldomain, apk_data_file)

# Set properties.
unix_socket_connect(shelldomain, property, init)
allow shelldomain shell_prop:property_service set;
allow shelldomain ctl_dumpstate_prop:property_service set;
allow shelldomain debug_prop:property_service set;
allow shelldomain powerctl_prop:property_service set;

# systrace support - allow atrace to run
# debugfs doesn't support labeling individual files, so we have
# to grant read access to all of /sys/kernel/debug.
# Directory read access and file write access is already granted
# in domain.te.
allow shelldomain debugfs:file r_file_perms;

# allow shell to run dmesg
allow shelldomain kernel:system syslog_read;
Confine shell domain in -user builds only. Confine the domain for an adb shell in -user builds only. The shell domain in non-user builds is left permissive. init_shell (shell spawned by init, e.g. console service) remains unconfined by this change. Introduce a shelldomain attribute for rules common to all shell domains, assign it to the shell types, and add shelldomain.te for its rules. Change-Id: I01ee2c7ef80b61a9db151abe182ef9af7623c461 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2013-10-23 19:25:53 +02:00			`# Rules for all shell domains (e.g. console service and adb shell).`

			`# Access /data/local/tmp.`
			`allow shelldomain shell_data_file:dir create_dir_perms;`
			`allow shelldomain shell_data_file:file create_file_perms;`
			`allow shelldomain shell_data_file:file rx_file_perms;`

			`# adb bugreport`
			`unix_socket_connect(shelldomain, dumpstate, dumpstate)`

			`allow shelldomain rootfs:dir r_dir_perms;`
			`allow shelldomain devpts:chr_file rw_file_perms;`
			`allow shelldomain tty_device:chr_file rw_file_perms;`
			`allow shelldomain console_device:chr_file rw_file_perms;`
			`allow shelldomain input_device:chr_file rw_file_perms;`
			`allow shelldomain system_file:file x_file_perms;`
			`allow shelldomain shell_exec:file rx_file_perms;`
			`allow shelldomain zygote_exec:file rx_file_perms;`

			`r_dir_file(shelldomain, apk_data_file)`

			`# Set properties.`
			`unix_socket_connect(shelldomain, property, init)`
			`allow shelldomain shell_prop:property_service set;`
			`allow shelldomain ctl_dumpstate_prop:property_service set;`
shell: allow setting debug_prop and powerctl_prop Allow the shell user to set debug.* properties. This allows systrace to work on Android. Allow the shell user to set sys.powerctl, to allow reboots to work. Addresses the following denials: <4>[ 2141.449722] avc: denied { set } for property=debug.atrace.tags.enableflags scontext=u:r:shell:s0 tcontext=u:object_r:debug_prop:s0 tclass=property_service <4>[ 2141.450820] avc: denied { set } for property=debug.atrace.app_cmdlines scontext=u:r:shell:s0 tcontext=u:object_r:debug_prop:s0 tclass=property_service <4>[ 2141.506703] avc: denied { set } for property=debug.atrace.tags.enableflags scontext=u:r:shell:s0 tcontext=u:object_r:debug_prop:s0 tclass=property_service <4>[ 2141.507591] avc: denied { set } for property=debug.atrace.app_cmdlines scontext=u:r:shell:s0 tcontext=u:object_r:debug_prop:s0 tclass=property_service Bug: 12231073 Change-Id: Iaba1db06ba287c7d5d10ce287833c57238e03bb6 2013-12-20 06:55:12 +01:00			`allow shelldomain debug_prop:property_service set;`
			`allow shelldomain powerctl_prop:property_service set;`
Allow shell debugfs read access Developers should be able to use systrace with user builds. This requires read access to /sys/kernel/debug/tracing/trace, otherwise the following error occurs: $ atrace capturing trace... done TRACE: error opening /sys/kernel/debug/tracing/trace: Permission denied (13) with the following SELinux denial: <4>[ 79.830542] type=1400 audit(11940551.039:8): avc: denied { read } for pid=1156 comm="atrace" name="trace" dev="debugfs" ino=3024 scontext=u:r:shell:s0 tcontext=u:object_r:debugfs:s0 tclass=file At least on the kernel I've tested this on, debugfs doesn't support setting SELinux file labels. Grant read access to all of debugfs to work around this limitation. Bug: 13904660 Change-Id: Ib58e98972c5012e9b34fec9e0a6094641638cd9a 2014-04-30 20:35:02 +02:00
			`# systrace support - allow atrace to run`
			`# debugfs doesn't support labeling individual files, so we have`
			`# to grant read access to all of /sys/kernel/debug.`
			`# Directory read access and file write access is already granted`
			`# in domain.te.`
			`allow shelldomain debugfs:file r_file_perms;`
allow shell dmesg Allow the shell user to see the dmesg output. This data is already available via "adb bugreport", but isn't easy to access. Bug: 10020939 Change-Id: I9d4bbbd41cb02b707cdfee79f826a39c1ec2f177 2014-05-28 01:49:59 +02:00
			`# allow shell to run dmesg`
			`allow shelldomain kernel:system syslog_read;`