tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/private/shell.te

512 lines
17 KiB
Text
Raw Normal View History

Make cross-user apps mlstrustedsubject. We have various apps which inherently work across all users, configured in seapp_contexts with levelFrom=None (usually implicitly). This change marks those apps, where they have private data files, as mlstrustedsubject, to allow us to increase restrictions on cross-user access without breaking them. Currently these apps are granted full access to [priv_]app__data_file via TE rules, but are blocked from calling open (etc) by mls rules (they don't have a matching level). This CL changes things round so they are granted access by mls, but blocked from calling open by TE rules; the overall effect is thus the same - they do not have access. A neverallow rule is added to ensure this remains true. Note that there are various vendor apps which are appdomain, levelFrom=None; they will also need modified policy. Test: builds, boots, no new denials. Bug: 141677108 Change-Id: Ic14f24ec6e8cbfda7a775adf0c350b406d3a197e
2020-02-11 15:43:05 +01:00
typeattribute shell coredomain, mlstrustedsubject;
Vendor domains must not use Binder On PRODUCT_FULL_TREBLE devices, non-vendor domains (except vendor apps) are not permitted to use Binder. This commit thus: * groups non-vendor domains using the new "coredomain" attribute, * adds neverallow rules restricting Binder use to coredomain and appdomain only, and * temporarily exempts the domains which are currently violating this rule from this restriction. These domains are grouped using the new "binder_in_vendor_violators" attribute. The attribute is needed because the types corresponding to violators are not exposed to the public policy where the neverallow rules are. Test: mmm system/sepolicy Test: Device boots, no new denials Test: In Chrome, navigate to ip6.me, play a YouTube video Test: YouTube: play a video Test: Netflix: play a movie Test: Google Camera: take a photo, take an HDR+ photo, record video with sound, record slow motion video with sound. Confirm videos play back fine and with sound. Bug: 35870313 Change-Id: I0cd1a80b60bcbde358ce0f7a47b90f4435a45c95
2017-03-23 22:27:32 +01:00
Allow shell access on /dev/uhid node Node for /dev/uhid driver needs to be accessible by shell for the 'hid' command in frameworks/base/cmds. This CL is in support of another CL c/2048848, topic 'Refactor hid command in /frameworks/base/cmds' in internal master. Bug: 34052337 Test: CTS test for GamepadTestCase#testButtonA; Checked that cat /dev/uhid does not raise permission error. Change-Id: I861c1226b4a67272af7c2a93d7811bf87a083478
2017-05-11 04:37:06 +02:00
# allow shell input injection
allow shell uhid_device:chr_file rw_file_perms;
sepolicy: add version_policy tool and version non-platform policy. In order to support platform changes without simultaneous updates from non-platform components, the platform and non-platform policies must be split. In order to provide a guarantee that policy written for non-platform objects continues to provide the same access, all types exposed to non-platform policy are versioned by converting them and the policy using them into attributes. This change performs that split, the subsequent versioning and also generates a mapping file to glue the different policy components together. Test: Device boots and runs. Bug: 31369363 Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
2016-10-12 23:58:09 +02:00
# systrace support - allow atrace to run
Use a whitelisting strategy for tracefs. This changes tracefs files to be default-enabled in debug mode, but default-disabled with specific files enabled in user mode. Bug: 64762598 Test: Successfully took traces in user mode. Change-Id: I572ea22253e0c1e42065fbd1d2fd7845de06fceb
2018-01-31 03:14:45 +01:00
allow shell debugfs_tracing_debug:dir r_dir_perms;
sepolicy: add version_policy tool and version non-platform policy. In order to support platform changes without simultaneous updates from non-platform components, the platform and non-platform policies must be split. In order to provide a guarantee that policy written for non-platform objects continues to provide the same access, all types exposed to non-platform policy are versioned by converting them and the policy using them into attributes. This change performs that split, the subsequent versioning and also generates a mapping file to glue the different policy components together. Test: Device boots and runs. Bug: 31369363 Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
2016-10-12 23:58:09 +02:00
allow shell debugfs_tracing:dir r_dir_perms;
Move file labeling to genfs_contexts. This should improve performance, as file_contexts is slower than genfs_contexts. Bug: 62413700 Test: Built, flashed, and booted Sailfish. Verified that the files have the correct context and that wifi, web, and atrace work. Merged-In: Ia28707ec565a0792bc882fbffe9e8ab9968535f5 Change-Id: I9546f3af3c95e3443684ae4764881b69987611ef
2017-07-27 01:22:50 +02:00
allow shell debugfs_tracing:file rw_file_perms;
sepolicy: add version_policy tool and version non-platform policy. In order to support platform changes without simultaneous updates from non-platform components, the platform and non-platform policies must be split. In order to provide a guarantee that policy written for non-platform objects continues to provide the same access, all types exposed to non-platform policy are versioned by converting them and the policy using them into attributes. This change performs that split, the subsequent versioning and also generates a mapping file to glue the different policy components together. Test: Device boots and runs. Bug: 31369363 Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
2016-10-12 23:58:09 +02:00
allow shell debugfs_trace_marker:file getattr;
allow shell atrace_exec:file rx_file_perms;
Add selinux rules for additional file contexts in userdebug These rules allow the additional tracepoints we need for running traceur in userdebug builds to be writeable. Bug: 37110010 Test: I'm testing by running atrace -l and confirming that the tracepoints that I'm attempting to enable are available. Change-Id: Ia352100ed67819ae5acca2aad803fa392d8b80fd
2017-04-14 21:12:50 +02:00
userdebug_or_eng(`
resolve merge conflicts of 27c0aa7a to stage-aosp-master Test: I solemnly swear I tested this conflict resolution. Merged-In: Ia28707ec565a0792bc882fbffe9e8ab9968535f5 Change-Id: I1f087fe5e7a71761a16673331619f52998473b44
2017-07-27 18:50:25 +02:00
allow shell debugfs_tracing_debug:file rw_file_perms;
Add selinux rules for additional file contexts in userdebug These rules allow the additional tracepoints we need for running traceur in userdebug builds to be writeable. Bug: 37110010 Test: I'm testing by running atrace -l and confirming that the tracepoints that I'm attempting to enable are available. Change-Id: Ia352100ed67819ae5acca2aad803fa392d8b80fd
2017-04-14 21:12:50 +02:00
')
Use a whitelisting strategy for tracefs. This changes tracefs files to be default-enabled in debug mode, but default-disabled with specific files enabled in user mode. Bug: 64762598 Test: Successfully took traces in user mode. Change-Id: I572ea22253e0c1e42065fbd1d2fd7845de06fceb
2018-01-31 03:14:45 +01:00
# read config.gz for CTS purposes
allow shell config_gz:file r_file_perms;
Allow shell and adb to read tombstones tombstones are now openable by these domains: allow adbd tombstone_data_file:dir { getattr ioctl lock open read search watch watch_reads }; allow adbd tombstone_data_file:file { getattr ioctl lock map open read watch watch_reads }; allow dumpstate tombstone_data_file:dir { getattr ioctl lock open read search watch watch_reads }; allow dumpstate tombstone_data_file:file { getattr ioctl lock map open read watch watch_reads }; allow init tombstone_data_file:dir { add_name create getattr ioctl open read relabelfrom relabelto remove_name rmdir search setattr write }; allow init tombstone_data_file:fifo_file { create getattr open read relabelfrom relabelto setattr unlink }; allow init tombstone_data_file:file { create getattr map open read relabelfrom relabelto setattr unlink write }; allow init tombstone_data_file:sock_file { create getattr open read relabelfrom relabelto setattr unlink }; allow shell tombstone_data_file:dir { getattr ioctl lock open read search watch watch_reads }; allow shell tombstone_data_file:file { getattr ioctl lock map open read watch watch_reads }; allow system_server tombstone_data_file:dir { add_name getattr ioctl lock open read remove_name search watch watch_reads write }; allow system_server tombstone_data_file:file { append create getattr ioctl lock map open read rename setattr unlink watch watch_reads write }; allow tombstoned tombstone_data_file:dir { add_name getattr ioctl lock open read remove_name search watch watch_reads write }; allow tombstoned tombstone_data_file:file { append create getattr ioctl link lock map open read rename setattr unlink watch watch_reads write }; Test: adb unroot, ls, cat, adb pull Bug: 312740614 Change-Id: I4a1af4fbdc48c5c5f4b0b33f124cea31af74dd87
2024-02-14 19:54:58 +01:00
# allow reading tombstones. users can already use bugreports to get those.
allow shell tombstone_data_file:dir r_dir_perms;
allow shell tombstone_data_file:file r_file_perms;
Restore app_domain macro and move to private use. app_domain was split up in commit: 2e00e6373faa6271d7839d33c5b9e69d998ff020 to enable compilation by hiding type_transition rules from public policy. These rules need to be hidden from public policy because they describe how objects are labeled, of which non-platform should be unaware. Instead of cutting apart the app_domain macro, which non-platform policy may rely on for implementing new app types, move all app_domain calls to private policy. (cherry-pick of commit: 76035ea01971156895cf0d8efc1876bfa2025bd6) Bug: 33428593 Test: bullhead and sailfish both boot. sediff shows no policy change. Change-Id: I4beead8ccc9b6e13c6348da98bb575756f539665
2016-12-08 20:23:34 +01:00
# Run app_process.
# XXX Transition into its own domain?
app_domain(shell)
storaged: allow shell to call dumpsys storaged Test: adb kill-server && adb shell dumpsys storaged Bug: 36492915 Change-Id: I3a1a2ad2f016ddd5770d585cae82c8be69001df9
2017-03-23 20:28:20 +01:00
# allow shell to call dumpsys storaged
binder_call(shell, storaged)
Further restrict SELinux API access Remove SELinux access from domain_deprecated. Access to SELinux APIs can be granted on a per-domain basis. Remove appdomain access to SELinux APIs. SELinux APIs are not public and are not intended for application use. In particular, some exploits poll on /sys/fs/selinux/enforce to determine if the attack was successful, and we want to ensure that the behavior isn't allowed. This access was only granted in the past for CTS purposes, but all the relevant CTS tests have been moved to the shell domain. Bug: 27756382 Bug: 28760354 Test: Device boots and no obvious problems. No collected denials. Change-Id: Ide68311bd0542671c8ebf9df0326e512a1cf325b
2017-05-08 18:51:59 +02:00
# Perform SELinux access checks, needed for CTS
selinux_check_access(shell)
selinux_check_context(shell)
Perfetto SELinux policies Perfetto is a performance instrumentation and logging framework, living in AOSP's /external/pefetto. Perfetto introduces in the system one binary and two daemons (the binary can specialize in either depending on the cmdline). 1) traced: unprivileged daemon. This is architecturally similar to logd. It exposes two UNIX sockets: - /dev/socket/traced_producer : world-accessible, allows to stream tracing data. A tmpfs file descriptor is sent via SCM_RIGHTS from traced to each client process, which needs to be able to mmap it R/W (but not X) - /dev/socket/traced_consumer : privilege-accessible (only from: shell, statsd). It allows to configure tracing and read the trace buffer. 2) traced_probes: privileged daemon. This needs to: - access tracingfs (/d/tracing) to turn tracing on and off. - exec atrace - connect to traced_producer to stream data to traced. init.rc file: https://android-review.googlesource.com/c/platform/external/perfetto/+/575382/14/perfetto.rc Bug: 70942310 Change-Id: Ia3b5fdacbd5a8e6e23b82f1d6fabfa07e4abc405
2017-12-21 03:51:15 +01:00
# Control Perfetto traced and obtain traces from it.
# Needed for Studio and debugging.
unix_socket_connect(shell, traced_consumer, traced)
# Allow shell binaries to write trace data to Perfetto. Used for testing and
# cmdline utils.
Allow Java domains to be Perfetto producers. This is needed to get Java heap graphs. Test: flash aosp; profile system_server with setenforce 1 Bug: 136210868 Change-Id: I87dffdf28d09e6ce5f706782422510c615521ab3
2019-10-08 17:15:14 +02:00
perfetto_producer(shell)
Allow shell to start vendor shell Test: adb shell /vendor/bin/sh Fixes: 65448858 Change-Id: Ic2c9fa9b7e5bed3e1532f4e545f54a857ea99fc6
2018-01-11 20:01:30 +01:00
domain_auto_trans(shell, vendor_shell_exec, vendor_shell)
SELinux policies for Perfetto cmdline client (/system/bin/perfetto) Instead of having statsd linking the perfetto client library and talk directly to its socket, we let just statsd exec() the /system/bin/perfetto cmdline client. There are two reasons for this: 1) Simplify the interaction between statsd and perfetto, reduce dependencies, binary size bloat and isolate faults. 2) The cmdline client also takes care of handing the trace to Dropbox. This allows to expose the binder interaction surface to the short-lived cmdline client and avoid to grant binder access to the perfetto traced daemon. This cmdline client will be used by: - statsd - the shell user (for our UI and Studio) Bug: 70942310 Change-Id: I8cdde181481ad0a1a5cae5937ac446cedac54a1f
2018-01-24 17:07:09 +01:00
# Allow shell binaries to exec the perfetto cmdline util and have that
# transition into its own domain, so that it behaves consistently to
# when exec()-d by statsd.
domain_auto_trans(shell, perfetto_exec, perfetto)
Allow to signal perfetto from shell. When daemonizing perfetto, SIGINT should be sent to ensure clean shutdown. Denial: 12-06 11:12:16.566 3099 3099 I sh : type=1400 audit(0.0:462): avc: denied { signal } for scontext=u:r:shell:s0 tcontext=u:r:perfetto:s0 tclass=process permissive=1 Test: m Test: flash walleye Test: SIGINT perfetto from shell Change-Id: I8d34b447ea90c315faf88f020f1dfc49e4abbcce
2018-12-06 14:28:01 +01:00
# Allow to send SIGINT to perfetto when daemonized.
allow shell perfetto:process signal;
SELinux policies for Perfetto cmdline client (/system/bin/perfetto) Instead of having statsd linking the perfetto client library and talk directly to its socket, we let just statsd exec() the /system/bin/perfetto cmdline client. There are two reasons for this: 1) Simplify the interaction between statsd and perfetto, reduce dependencies, binary size bloat and isolate faults. 2) The cmdline client also takes care of handing the trace to Dropbox. This allows to expose the binder interaction surface to the short-lived cmdline client and avoid to grant binder access to the perfetto traced daemon. This cmdline client will be used by: - statsd - the shell user (for our UI and Studio) Bug: 70942310 Change-Id: I8cdde181481ad0a1a5cae5937ac446cedac54a1f
2018-01-24 17:07:09 +01:00
Statsd allow shell in selinux policy CTS tests need to be able to call, from hostside: adb shell cmd stats dump-report (and others) On a user build, this will fail because of an selinux policy violation from shell. This cl fixes this by granting shell permission. Similarly, Settings needs to communicate with statsd, so system_app-statsd binder calls are given permission. Bug: 72961153 Bug: 73255014 Test: run cts-dev -m CtsStatsdHostTestCases -t android.cts.statsd.atom.HostAtomTests Test: manual confirmation Change-Id: I6589ab4ef5c91a4a7f78eb97b63d9bb43e3d8f02
2018-02-13 18:33:36 +01:00
# Allow shell to run adb shell cmd stats commands. Needed for CTS.
binder_call(shell, statsd);
Add /data/misc/a11ytrace folder to store accessibility trace files. Bug: 157601519 Test: adb shell cmd accessibility start-trace adb shell cmd accessibility stop-trace Change-Id: Id4224cee800fe3e10f33794c96048366a0bf09bb
2021-02-09 21:03:40 +01:00
# Allow shell to read and unlink traces stored in /data/misc/a11ytraces.
userdebug_or_eng(`
allow shell accessibility_trace_data_file:dir rw_dir_perms;
allow shell accessibility_trace_data_file:file { r_file_perms unlink };
')
SELinux policies for Perfetto cmdline client (/system/bin/perfetto) Instead of having statsd linking the perfetto client library and talk directly to its socket, we let just statsd exec() the /system/bin/perfetto cmdline client. There are two reasons for this: 1) Simplify the interaction between statsd and perfetto, reduce dependencies, binary size bloat and isolate faults. 2) The cmdline client also takes care of handing the trace to Dropbox. This allows to expose the binder interaction surface to the short-lived cmdline client and avoid to grant binder access to the perfetto traced daemon. This cmdline client will be used by: - statsd - the shell user (for our UI and Studio) Bug: 70942310 Change-Id: I8cdde181481ad0a1a5cae5937ac446cedac54a1f
2018-01-24 17:07:09 +01:00
# Allow shell to read and unlink traces stored in /data/misc/perfetto-traces.
allow shell perfetto_traces_data_file:dir rw_dir_perms;
Allow shell to unlink perfetto_traces_data_file. Bug: 141704436 Test: blueline:/ $ ls -lZa /data/misc/perfetto-traces total 186 drwxrwx-wx 2 root shell u:object_r:perfetto_traces_data_file:s0 3488 2019-09-30 14:12 . drwxrwx--t 46 system misc u:object_r:system_data_file:s0 3488 2019-09-30 14:08 .. -rw------- 1 shell shell u:object_r:perfetto_traces_data_file:s0 180467 2019-09-30 14:12 profile-shell blueline:/ $ rm /data/misc/perfetto-traces/profile-shell rm ro /data/misc/perfetto-traces/profile-shell (y/N):y blueline:/ $ ls -lZa /data/misc/perfetto-traces total 6 drwxrwx-wx 2 root shell u:object_r:perfetto_traces_data_file:s0 3488 2019-09-30 14:13 . drwxrwx--t 46 system misc u:object_r:system_data_file:s0 3488 2019-09-30 14:08 .. blueline:/ $ Change-Id: Ia710068c3cca53a415347fb0a7064740e500d15d
2019-09-30 12:09:45 +02:00
allow shell perfetto_traces_data_file:file { r_file_perms unlink };
Allow shell + priv_app to traverse /data/misc/perfetto-traces This is a follow-up to r.android.com/1542764. 1. In order to allow priv_app to stat(/data/misc/perfetto-traces/bugreport/*) we need also the `search` permission to traverse the parent directory /data/misc/perfetto-traces. 2. Allow shell to read the new bugreport/ directory. shell can read bugreports anyways and this is needed for CTS tests. Bug: 177761174 Bug: 177684571 Test: manual (changpa@) Change-Id: I39d6a1c7941bcdcdc314a7538c0accfd37c52ca2
2021-01-18 10:26:57 +01:00
# ... and /data/misc/perfetto-traces/bugreport/ .
allow shell perfetto_traces_bugreport_data_file:dir rw_dir_perms;
allow shell perfetto_traces_bugreport_data_file:file { r_file_perms unlink };
Update SELinux Policy for bufferhubd Create a new service type buffer_hub_binder_service for BufferHubBinderService and allow bufferhubd to publish the service. Add the service to 26.0, 27.0 and 28.0 compat ignore files since the service is not available in past versions. Fixes: 116022258 Test: build passed Change-Id: I5a21f00329ed474433d96c8d1ce32377f20cada3
2018-09-18 02:06:19 +02:00
Create directory for shell<>perfetto interaction Users are unable to pass config files directly to perfetto via `perfetto -c /path/to/config` and have to resort to awkward quirks like `cat config | perfetto -c -'. This is because /system/bin/perfetto runs in its own SELinux domain for reasons explained in the bug. This causes problem to test infrastructures authors. Instead of allowing the use of /data/local/tmp which is too ill-scoped we create a dedicated folder and allow only shell and perfetto to operate on it. Bug: 170404111 Test: manual, see aosp/1459023 Change-Id: I6fefe066f93f1f389c6f45bd18214f8e8b07079e
2020-10-13 22:13:09 +02:00
# Allow shell to create/remove configs stored in /data/misc/perfetto-configs.
allow shell perfetto_configs_data_file:dir rw_dir_perms;
allow shell perfetto_configs_data_file:file create_file_perms;
[gpuservice] allow "adb shell cmd gpu vkjson" Also allow adb shell dumpsys gpu to not return error. Bug: 120095213 Test: flash non-eng build and adb shell cmd gpu vkjson Change-Id: Ia4a50a475ce76ec35e082dd52d4a6c80dde7f571
2018-11-28 00:21:43 +01:00
# Allow shell to run adb shell cmd gpu commands.
binder_call(shell, gpuservice);
Add atrace HAL 1.0 sepolicy Bug: 111098596 Test: atrace/systrace (cherry picked from commit 9ed5cf6e430a864630c2451bf35f18ac7668c12b) Change-Id: I97772ff21754d03a0aea0d53b39e8da5312a17c0
2018-09-20 01:06:28 +02:00
# Allow shell to use atrace HAL
hal_client_domain(shell, hal_atrace)
Remove access to /proc/net/{tcp,udp} Remove these files from proc_net_type. Domains that need access must have permission explicitly granted. Neverallow app access except the shell domain. Bug: 114475727 Test: atest CtsLibcoreOjTestCases Test: netstat, lsof Test: adb bugreport Change-Id: I2304e3e98c0d637af78a361569466aa2fbe79fa0
2018-09-28 19:55:14 +02:00
# For hostside tests such as CTS listening ports test.
allow shell proc_net_tcp_udp:file r_file_perms;
Fix dl.exec_linker* tests The dl.exec_linker* tests verify that the linker can invoked on an executable. That feature still works, but not with the default shell user, which is required for the CTS bionic tests. Addresses the following denial: audit(0.0:5493): avc: denied { execute_no_trans } for path="/bionic/bin/linker64" dev="loop3" ino=25 scontext=u:r:shell:s0 tcontext=u:object_r:system_linker_exec:s0 tclass=file permissive=0 Bug: 124789393 Test: compiles Change-Id: I77772b2136fae97174eeba6542906c0802fce990
2019-02-26 00:11:40 +01:00
# The dl.exec_linker* tests need to execute /system/bin/linker
# b/124789393
allow shell system_linker_exec:file rx_file_perms;
allow shell rs_exec:file rx_file_perms Hostside tests depend on being able to execute /system/bin/bcc. Allow it. From bug: In the NDK: $ ./checkbuild.py $ virtualenv -p ../out/bootstrap/bin/python3 env $ source env/bin/activate $ ./run_tests.py --filter rs-cpp-basic FAIL rs-cpp-basic.rstest-compute [armeabi-v7a-19]: android-28 marlin HT67L0200247 QPP1.190205.017 New RS 0xee70f000 Segmentation fault FAIL rs-cpp-basic.rstest-compute [arm64-v8a-21]: android-28 marlin HT67L0200247 QPP1.190205.017 New RS 0x7a91e13000 Segmentation fault 02-23 23:00:45.635 9516 9518 V RenderScript: Successfully loaded runtime: libRSDriver_adreno.so 02-23 23:00:45.650 9518 9518 W rstest-compute: type=1400 audit(0.0:15): avc: denied { read } for name="bcc" dev="dm-0" ino=390 scontext=u:r:shell:s0 tcontext=u:object_r:rs_exec:s0 tclass=file permissive=0 02-23 23:00:45.651 9516 9518 E RenderScript: Cannot open file '/system/bin/bcc' to compute checksum 02-23 23:00:45.652 9516 9516 E rsC++ : Internal error: Object id 0. Test: compiles Fixes: 126388046 Change-Id: I28e591d660c4ba9a33135e940d298d35474ef0b6
2019-02-26 21:30:42 +01:00
# Renderscript host side tests depend on being able to execute
# /system/bin/bcc (b/126388046)
allow shell rs_exec:file rx_file_perms;
Add rules for lpdump and lpdumpd - lpdump is a binary on the device that talks to lpdumpd via binder. - lpdumpd is a daemon on the device that actually reads dynamic partition metadata. Only lpdump can talk to it. Bug: 126233777 Test: boots (sanity) Test: lpdump Change-Id: I0e21f35ac136bcbb0603940364e8117f2d6ac438
2019-03-14 23:45:03 +01:00
Allow the `shell` user to run `dex2oat`. This is required for ART's Checker tests, which are part of (host-driven) ART run-tests, and will also be required to run ART run-tests via TradeFed in AOT-compilation modes in the future. Test: Run `atest art-run-test-004-checker-UnsafeTest18` with https://android-review.googlesource.com/c/platform/tools/tradefederation/+/1484277 merged in, on a device where `adb` commands are not run as root Bug: 162408889 Bug: 147812905 Change-Id: I3e4824bf15bdbad1ddf26601f871feec11313ecc
2020-11-02 14:52:54 +01:00
# Allow (host-driven) ART run-tests to execute dex2oat, in order to
# check ART's compiler.
allow shell dex2oat_exec:file rx_file_perms;
/apex/com.android.art/bin/dex2oat is a symlink, so allow reading it from the shell. This fixes a regression from https://r.android.com/1921457, so that dex2oat without a path can still be run from the adb shell. That CL removed the symlink from /system/bin, which means the shell finds it in /apex/com.android.art/bin instead, and hence it needs to be covered by this sepolicy. Test: adb unroot && adb shell dex2oat Bug: 218986148 Bug: 124106384 Change-Id: Ic52b30e0974829b5e5cde5106e6c4eec9f61eec6
2022-04-14 18:42:11 +02:00
allow shell dex2oat_exec:lnk_file read;
Allow the `shell` user to run `dex2oat`. This is required for ART's Checker tests, which are part of (host-driven) ART run-tests, and will also be required to run ART run-tests via TradeFed in AOT-compilation modes in the future. Test: Run `atest art-run-test-004-checker-UnsafeTest18` with https://android-review.googlesource.com/c/platform/tools/tradefederation/+/1484277 merged in, on a device where `adb` commands are not run as root Bug: 162408889 Bug: 147812905 Change-Id: I3e4824bf15bdbad1ddf26601f871feec11313ecc
2020-11-02 14:52:54 +01:00
Add rules for lpdump and lpdumpd - lpdump is a binary on the device that talks to lpdumpd via binder. - lpdumpd is a daemon on the device that actually reads dynamic partition metadata. Only lpdump can talk to it. Bug: 126233777 Test: boots (sanity) Test: lpdump Change-Id: I0e21f35ac136bcbb0603940364e8117f2d6ac438
2019-03-14 23:45:03 +01:00
# Allow shell to start and comminicate with lpdumpd.
set_prop(shell, lpdumpd_prop);
binder_call(shell, lpdumpd)
Define sepolicy with property for linker To support linker-specific property, sys.linker.* has been defined as linker_prop. This will have get_prop access from domain so all binaries can start with linker using proper property access level. Bug: 138920271 Test: m -j && Confirmed from cuttlefish that get_prop errors are no longer found Change-Id: Iaf584e0cbdd5bca3d5667e93cf9a6401e757a314
2019-08-09 07:20:34 +02:00
Add userspace_reboot_test_prop This property type represents properties used in CTS tests of userspace reboot. For example, test.userspace_reboot.requested property which is used to check that userspace reboot was successful and didn't result in full reboot, e.g.: * before test setprop test.userspace_reboot.requested 1 * adb reboot userspace * wait for boot to complete * verify that value of test.userspace_reboot.requested is still 1 Test: adb shell setprop test.userspace_reboot.requested 1 Bug: 150901232 Change-Id: I45d187f386149cec08318ea8545ab864b5810ca8 Merged-In: I45d187f386149cec08318ea8545ab864b5810ca8 (cherry picked from commit 3bd53a9ceecc37c79090c59776408b3d4733b036)
2020-03-12 15:45:00 +01:00
# Allow shell to set and read value of properties used for CTS tests of
# userspace reboot
set_prop(shell, userspace_reboot_test_prop)
Allow the shell to disable charging. Bug: 204184680 Test: manual and through instrumentation Change-Id: I1fe9b35d51140eccba9c05c956875c512de447b1
2021-11-18 00:48:47 +01:00
# Allow shell to set this property to disable charging.
set_prop(shell, power_debug_prop)
Add persist.rollback.is_test (6/n) This property is set to true in rollback tests to prevent fallback-to-copy when enabling rollbacks by hard linking. This gives us insights into how hard linking fails where it shouldn't. Bug: 168562373 Test: m Change-Id: Iab22954e9b9da21f0c3c26487cda60b8a1293b47
2021-02-24 07:29:06 +01:00
# Allow shell to set this property used for rollback tests
set_prop(shell, rollback_test_prop)
Allow shell to change RKP properties This way, we can change things like the RKP hostname or enablement from the shell for tests. Bug: 265196434 Test: manual (adb shell setprop ...) Change-Id: Ib853eaf29b395705eba57d241df064152220457e
2023-02-24 20:50:51 +01:00
# Allow shell to set RKP properties for testing purposes
set_prop(shell, remote_prov_prop)
Allow shell to get encryption policy for CTS Allow the shell domain to use the FS_IOC_GET_ENCRYPTION_POLICY and FS_IOC_GET_ENCRYPTION_POLICY_EX ioctls so that we can write a CTS test which checks that the device complies with the CDD requirements to use appropriate algorithms for file-based encryption. The information returned by these ioctls is already available in logcat, but scraping the log for a CTS test seems fragile; I assume that people would prefer a more robust solution. For more details see change I9082241066cba82b531e51f9a5aec14526467162 Bug: 111311698 Test: the CTS test works after this change. Change-Id: Ib9ce6b42fcfb6b546eb80a93ae8d17ac5a433984
2019-09-27 22:33:27 +02:00
# Allow shell to get encryption policy of /data/local/tmp/, for CTS
allowxperm shell shell_data_file:dir ioctl {
FS_IOC_GET_ENCRYPTION_POLICY
FS_IOC_GET_ENCRYPTION_POLICY_EX
};
perf_event: rules for system and simpleperf domain This patch adds the necessary rules to support the existing usage of perf_event_open by the system partition, which almost exclusively concerns the simpleperf profiler. A new domain is introduced for some (but not all) executions of the system image simpleperf. The following configurations are supported: * shell -> shell process (no domain transition) * shell -> debuggable app (through shell -> runas -> runas_app) * shell -> profileable app (through shell -> simpleperf_app_runner -> untrusted_app -> simpleperf) * debuggable/profile app -> self (through untrusted_app -> simpleperf) simpleperf_app_runner still enters the untrusted_app domain immediately before exec to properly inherit the categories related to MLS. My understanding is that a direct transition would require modifying external/selinux and seapp_contexts as with "fromRunAs", which seems unnecessarily complex for this case. runas_app can still run side-loaded binaries and use perf_event_open, but it checks that the target app is exactly "debuggable" (profileability is insufficient). system-wide profiling is effectively constrained to "su" on debug builds. See go/perf-event-open-security for a more detailed explanation of the scenarios covered here. Tested: "atest CtsSimpleperfTestCases" on crosshatch-user/userdebug Tested: manual simpleperf invocations on crosshatch-userdebug Bug: 137092007 Change-Id: I2100929bae6d81f336f72eff4235fd5a78b94066
2020-01-10 20:02:43 +01:00
# Allow shell to execute simpleperf without a domain transition.
allow shell simpleperf_exec:file rx_file_perms;
Allow shell to read profcollect data files Also guard all profcollect related entries with userdebug/eng only and move them into one place. Test: manual Bug: 183487233 Bug: 194155753 Change-Id: If3399bb78b60f0367267e67573007ed72508279a
2021-07-27 11:06:50 +02:00
userdebug_or_eng(`
# Allow shell to execute profcollectctl without a domain transition.
allow shell profcollectd_exec:file rx_file_perms;
# Allow shell to read profcollectd data files.
r_dir_file(shell, profcollectd_data_file)
# Allow to issue control commands to profcollectd binder service.
allow shell profcollectd:binder call;
')
Policies for profcollectd Bug: 79161490 Test: run profcollect with enforcing Change-Id: I19591dab7c5afb6ace066a3e2607cd290c0f43a6
2020-08-31 19:54:01 +02:00
remount: Allow 'shell' to run 'remount_exec' domain The domain of 'remount' used to be 'system_file', which is read-executable by 'shell'. However when I submitted aosp/1878144, the domain of 'remount' became 'remount_exec', and I forgot to allow 'shell' to read-execute the new 'remount_exec' domain. This makes `adb remount` w/o root to produce sub-par error message: $ adb remount [-h] /system/bin/sh: remount: inaccessible or not found Allow 'shell' to read-execute 'remount_exec', so that the user can get a proper error message when not running as root, and help (-h) message can be displayed: $ adb remount Not running as root. Try "adb root" first. $ adb remount -h Usage: remount ... Bug: 241688845 Test: adb unroot && adb remount [-h] Change-Id: I5c105eaffa7abddaf14a9d0120fd6b71749c7977
2022-11-01 08:08:09 +01:00
# Allow shell to run remount command.
allow shell remount_exec:file rx_file_perms;
perf_event: rules for system and simpleperf domain This patch adds the necessary rules to support the existing usage of perf_event_open by the system partition, which almost exclusively concerns the simpleperf profiler. A new domain is introduced for some (but not all) executions of the system image simpleperf. The following configurations are supported: * shell -> shell process (no domain transition) * shell -> debuggable app (through shell -> runas -> runas_app) * shell -> profileable app (through shell -> simpleperf_app_runner -> untrusted_app -> simpleperf) * debuggable/profile app -> self (through untrusted_app -> simpleperf) simpleperf_app_runner still enters the untrusted_app domain immediately before exec to properly inherit the categories related to MLS. My understanding is that a direct transition would require modifying external/selinux and seapp_contexts as with "fromRunAs", which seems unnecessarily complex for this case. runas_app can still run side-loaded binaries and use perf_event_open, but it checks that the target app is exactly "debuggable" (profileability is insufficient). system-wide profiling is effectively constrained to "su" on debug builds. See go/perf-event-open-security for a more detailed explanation of the scenarios covered here. Tested: "atest CtsSimpleperfTestCases" on crosshatch-user/userdebug Tested: manual simpleperf invocations on crosshatch-userdebug Bug: 137092007 Change-Id: I2100929bae6d81f336f72eff4235fd5a78b94066
2020-01-10 20:02:43 +01:00
# Allow shell to call perf_event_open for profiling other shell processes, but
# not the whole system.
allow shell self:perf_event { open read write kernel };
Move system property rules to private public/property split is landed to selectively export public types to vendors. So rules happening within system should be in private. This introduces private/property.te and moves all allow and neverallow rules from any coredomains to system defiend properties. Bug: 150331497 Test: system/sepolicy/tools/build_policies.sh Change-Id: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe Merged-In: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe (cherry picked from commit 42c7d8966cc5f76c84c001c5af787cbfade736c8)
2020-03-04 09:20:35 +01:00
Introduce vendor_microdroid_file for microdroid vendor image In AVF, virtualizationmanager checks the selinux label of given disk image for proving whether the given image is edited maliciously. Existing one(vendor_configs_file, /vendor/etc/*) was too wide to use for this purpose. Bug: 285854379 Test: m Change-Id: I6c966c92b238a2262d2eb7f41041ed4c359e9e0a
2023-11-15 09:59:30 +01:00
# Allow shell to read microdroid vendor image
r_dir_file(shell, vendor_microdroid_file)
Allow shell to read /vendor/apex/* It is used for future xTS tests to read the raw files. Bug: 190858091 Test: m Change-Id: If1c7fd92772ff84d92a95fbee74f6c1f8d1cd365
2021-06-14 01:30:43 +02:00
# Allow shell to read /apex/apex-info-list.xml and the vendor apexes
Make *-apex-info-list.xml readable by shell Enables CTS testing of the bootstrap apexes. Bug: 186767843 Test: adb shell cat bootstrap-apex-info-list.xml works without root Change-Id: Icf56d32d296f5a42160dbd9ea90a89c8b4db6aa7
2021-06-07 22:27:52 +02:00
allow shell apex_info_file:file r_file_perms;
Allow shell to read /vendor/apex/* It is used for future xTS tests to read the raw files. Bug: 190858091 Test: m Change-Id: If1c7fd92772ff84d92a95fbee74f6c1f8d1cd365
2021-06-14 01:30:43 +02:00
allow shell vendor_apex_file:file r_file_perms;
allow shell vendor_apex_file:dir r_dir_perms;
Introduce vendor_apex_metadata_file A new label for ./apex_manifest.pb and ./ entries in vendor apexes. This is read-allowed by a few system components which need to read "apex" in general. For example, linkerconfig needs to read apex_manifest.pb from all apexes including vendor apexes. Previously, these entries were labelled as system_file even for vendor apexes. Bug: 285075529 Test: m && launch_cvd Test: atest VendorApexHostTestsCases Change-Id: Icc234bf604e3cafe6da81d21db744abfaa524dcf
2023-05-31 10:51:14 +02:00
allow shell vendor_apex_metadata_file:dir r_dir_perms;
Make *-apex-info-list.xml readable by shell Enables CTS testing of the bootstrap apexes. Bug: 186767843 Test: adb shell cat bootstrap-apex-info-list.xml works without root Change-Id: Icf56d32d296f5a42160dbd9ea90a89c8b4db6aa7
2021-06-07 22:27:52 +02:00
Allow shell to read updated APEXes This is useful for certain tests. Note that it is already possible to access these files without root via adb pull, since adbd has access. Shell also already has access to non-updated APEXes on /system/apex. Bug: 220918654 Test: adb unroot; pm install --apex /data/apex/decompressed/X.decompressed.apex Change-Id: I35725499365b297a64c9005c8e45325531d3991d
2022-02-25 12:59:25 +01:00
# Allow shell to read updated APEXes under /data/apex
allow shell apex_data_file:dir search;
allow shell staging_data_file:file r_file_perms;
Move system property rules to private public/property split is landed to selectively export public types to vendors. So rules happening within system should be in private. This introduces private/property.te and moves all allow and neverallow rules from any coredomains to system defiend properties. Bug: 150331497 Test: system/sepolicy/tools/build_policies.sh Change-Id: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe Merged-In: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe (cherry picked from commit 42c7d8966cc5f76c84c001c5af787cbfade736c8)
2020-03-04 09:20:35 +01:00
# Set properties.
set_prop(shell, shell_prop)
set_prop(shell, ctl_bugreport_prop)
set_prop(shell, ctl_dumpstate_prop)
set_prop(shell, dumpstate_prop)
set_prop(shell, exported_dumpstate_prop)
set_prop(shell, debug_prop)
Permit dropping caches from the shell through sys.drop_caches. * Permits setting the sys.drop_caches property from shell. * Permits init to read and write to the drop_caches file. * Can only be set to 3 (drop_caches) and 0 (unset). Bug: 178647679 Test: flashed user build and set property; no avc denials. Test: flashed userdebug build and dropped caches w/o root. Change-Id: Idcedf83f14f6299fab383f042829d8d548fb4f5d
2021-02-11 03:45:35 +01:00
set_prop(shell, perf_drop_caches_prop)
Move system property rules to private public/property split is landed to selectively export public types to vendors. So rules happening within system should be in private. This introduces private/property.te and moves all allow and neverallow rules from any coredomains to system defiend properties. Bug: 150331497 Test: system/sepolicy/tools/build_policies.sh Change-Id: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe Merged-In: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe (cherry picked from commit 42c7d8966cc5f76c84c001c5af787cbfade736c8)
2020-03-04 09:20:35 +01:00
set_prop(shell, powerctl_prop)
set_prop(shell, log_tag_prop)
set_prop(shell, wifi_log_prop)
# Allow shell to start/stop traced via the persist.traced.enable
# property (which also takes care of /data/misc initialization).
set_prop(shell, traced_enabled_prop)
Allow shell to set persist.logd.audit.rate This can be useful, for both platform and app developers, when there are lots of SELinux violations. The property is only read by init, so no get_prop macros are needed. Bug: 304313777 Test: set, `for x in $(seq 100); do ls /cache; done`, observe logs Reference: Ib5352dcf3a85836ae5544c9feeb5222c97c50ecd Change-Id: Ib23c008ed89e078a20ae136ba97e853f699e2050
2023-11-10 10:58:01 +01:00
# adjust SELinux audit rates
set_prop(shell, logd_auditrate_prop)
Move system property rules to private public/property split is landed to selectively export public types to vendors. So rules happening within system should be in private. This introduces private/property.te and moves all allow and neverallow rules from any coredomains to system defiend properties. Bug: 150331497 Test: system/sepolicy/tools/build_policies.sh Change-Id: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe Merged-In: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe (cherry picked from commit 42c7d8966cc5f76c84c001c5af787cbfade736c8)
2020-03-04 09:20:35 +01:00
# adjust is_loggable properties
userdebug_or_eng(`set_prop(shell, log_prop)')
# logpersist script
userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)')
# Allow shell to start/stop heapprofd via the persist.heapprofd.enable
# property.
set_prop(shell, heapprofd_enabled_prop)
# Allow shell to start/stop traced_perf via the persist.traced_perf.enable
# property.
set_prop(shell, traced_perf_enabled_prop)
# Allow shell to start/stop gsid via ctl.start|stop|restart gsid.
set_prop(shell, ctl_gsid_prop)
Add sepolicy for starting the snapuserd daemon through init. Restrict access to controlling snapuserd via ctl properties. Allow update_engine to control snapuserd, and connect/write to its socket. update_engine needs this access so it can create the appropriate dm-user device (which sends queries to snapuserd), which is then used to build the update snapshot. This also fixes a bug where /dev/dm-user was not properly labelled. As a result, snapuserd and update_engine have been granted r_dir_perms to dm_user_device. Bug: 168554689 Test: full ota with VABC enabled Change-Id: I1f65ba9f16a83fe3e8ed41a594421939a256aec0
2020-11-13 09:45:59 +01:00
set_prop(shell, ctl_snapuserd_prop)
Move system property rules to private public/property split is landed to selectively export public types to vendors. So rules happening within system should be in private. This introduces private/property.te and moves all allow and neverallow rules from any coredomains to system defiend properties. Bug: 150331497 Test: system/sepolicy/tools/build_policies.sh Change-Id: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe Merged-In: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe (cherry picked from commit 42c7d8966cc5f76c84c001c5af787cbfade736c8)
2020-03-04 09:20:35 +01:00
# Allow shell to enable Dynamic System Update
set_prop(shell, dynamic_system_prop)
# Allow shell to mock an OTA using persist.pm.mock-upgrade
set_prop(shell, mock_ota_prop)
# Read device's serial number from system properties
get_prop(shell, serialno_prop)
# Allow shell to read the vendor security patch level for CTS
get_prop(shell, vendor_security_patch_level_prop)
# Read state of logging-related properties
get_prop(shell, device_logging_prop)
# Read state of boot reason properties
get_prop(shell, bootloader_boot_reason_prop)
get_prop(shell, last_boot_reason_prop)
get_prop(shell, system_boot_reason_prop)
Allow shell to call IRemotelyProvisionedComponent This change gives the shell process the needed permissions to call the rkp_factory_extraction_tool without also granting the ability to access the KeyMint HAL service. To run the tool from a shell accessible folder, push rkp_factory_extraction_tool to /data/local/tmp with: adb push out/target/product/<path/to/tool>/rkp_factory_extraction_tool \ /data/local/tmp Test: the tool can be executed in SELinux enforcing mode Change-Id: Idebebffa9bb405d527ab37c17030db3999efe3d1
2022-10-07 21:51:15 +02:00
# Allow shell to execute the remote key provisioning factory tool
binder_call(shell, hal_keymint)
Move system property rules to private public/property split is landed to selectively export public types to vendors. So rules happening within system should be in private. This introduces private/property.te and moves all allow and neverallow rules from any coredomains to system defiend properties. Bug: 150331497 Test: system/sepolicy/tools/build_policies.sh Change-Id: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe Merged-In: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe (cherry picked from commit 42c7d8966cc5f76c84c001c5af787cbfade736c8)
2020-03-04 09:20:35 +01:00
# Allow reading the outcome of perf_event_open LSM support test for CTS.
get_prop(shell, init_perf_lsm_hooks_prop)
Add ro.bootimage.* property contexts In addition, allow shell to read this property. Test: getprop -Z Test: cts-tradefed run cts -m CtsGestureTestCases and check /sdcard/device-info-files/PropertyDeviceInfo.deviceinfo.json Bug: 169169031 Change-Id: Ib71b01bac326354696e159129f9dea4c2e918c51
2020-10-07 02:52:17 +02:00
# Allow shell to read boot image timestamps and fingerprints.
get_prop(shell, build_bootimage_prop)
Allow shell to read odsign properties. The shell context can invoke app_process (ART runtime), which in turn reads odsign_prop to determine whether we determined that the generated artifacts are valid. Since this was denied until now, app processes invoked through shell would fall back to JIT Zygote. This is probably fine, but since fixing the denial is really simple (and not risky), this option might be preferred over adding it to the bug map. Bug: 194630189 Test: `adb shell sm` no longer generates a denial Change-Id: Ia7c10aec53731e5fabd05f036b12e10d63878a30
2021-08-05 15:11:04 +02:00
# Allow shell to read odsign verification properties
get_prop(shell, odsign_prop)
Move system property rules to private public/property split is landed to selectively export public types to vendors. So rules happening within system should be in private. This introduces private/property.te and moves all allow and neverallow rules from any coredomains to system defiend properties. Bug: 150331497 Test: system/sepolicy/tools/build_policies.sh Change-Id: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe Merged-In: I0d929024ae9f4ae3830d4bf3d59e999febb22cbe (cherry picked from commit 42c7d8966cc5f76c84c001c5af787cbfade736c8)
2020-03-04 09:20:35 +01:00
userdebug_or_eng(`set_prop(shell, persist_debug_prop)')
Update sepolicy for GPU profiling properties. A device must indicate whether GPU profiling is supported or not through setting these two properties properly. CTS needs to read these two properties in order to run corresponding compliance tests. Hence need to update sepolicy for these two properties. Bug: b/157832445 Test: Test on Pixel 4 Change-Id: I6f400ecbbd5e78b645bb620fa24747e9367c2ff3 Merged-In: I6f400ecbbd5e78b645bb620fa24747e9367c2ff3
2020-06-03 21:20:41 +02:00
Add keystore2_key namespace `shell_key` for `shell`. Add a keystore2_key namespace that can be used by `shell` for testing. Bug: 158500146 Bug: 162265751 Test: keystore2_test Change-Id: I78b9b285969dd503a09609f7bcb02552b24d1a6b Merged-In: I78b9b285969dd503a09609f7bcb02552b24d1a6b
2020-07-27 22:07:39 +02:00
# Allow shell to read the keystore key contexts files. Used by native tests to test label lookup.
allow shell keystore2_key_contexts_file:file r_file_perms;
# Allow shell to access the keystore2_key namespace shell_key. Mainly used for native tests.
Move list permission from keystore2_key to keystore class. The list permission protects the ability to list arbitrary namespaces. This is not a namespace specific permission but a Keystore specific permission. Listing the entries of a given namsepace is covered by the get_info permission already. Test: N/A Merged-In: If6e79fd863a79acf8d8ab10c6362a4eeaa88a5b8 Change-Id: If6e79fd863a79acf8d8ab10c6362a4eeaa88a5b8
2020-09-24 17:55:28 +02:00
allow shell shell_key:keystore2_key { delete rebind use get_info update };
Add contexts for sqlite debug properties These are read by some apps, but don't have any corresponding property contexts. This adds a new context as we're going to remove default_prop access. Bug: 173360450 Test: no sepolicy denials Change-Id: I9be28d8e641eb6380d080150bee785a3cc304ef4
2020-11-17 05:54:52 +01:00
Add rules to cover memfd's for testing. Bug: 193885716 Test: Presubmit passes for CL:1770125 Change-Id: I3a5c6be5e59169df4c5c513626106fb6f350a118
2021-07-19 23:32:41 +02:00
# Allow shell to open and execute memfd files for minijail unit tests.
userdebug_or_eng(`
allow shell appdomain_tmpfs:file { open execute_no_trans };
')
Add contexts for sqlite debug properties These are read by some apps, but don't have any corresponding property contexts. This adds a new context as we're going to remove default_prop access. Bug: 173360450 Test: no sepolicy denials Change-Id: I9be28d8e641eb6380d080150bee785a3cc304ef4
2020-11-17 05:54:52 +01:00
# Allow shell to write db.log.detailed, db.log.slow_query_threshold*
set_prop(shell, sqlite_log_prop)
[MTE] Add memtag sysprop sepolicy. These flags should be writeable to the shell for both root and non-root users. They should be readable everywhere, as they're read in libc during initialization (and there's nothing secret to hide). We just don't want to allow apps to set these properties. These properties are non-persistent, are for local developer debugging only. Bug: 135772972 Bug: 172365548 Test: `adb shell setprop memtag.123 0` in non-root shell succeeds. Change-Id: If9ad7123829b0be27c29050f10081d2aecdef670
2020-12-04 02:23:06 +01:00
# Allow shell to write MTE properties even on user builds.
set_prop(shell, arm64_memtag_prop)
Allow permissive MTE to be set by non-root users Found when making the tests for permissive MTE, which are part of the CTS test suite because I really, really don't want to fork hundreds of lines of Java glue. But, CTS tests aren't supposed to only run on rooted devices (even though there's examples of this in the tree already). I think either way, ideologically, we should allow non-root users to enable permissive MTE. This would be useful for a person who wants to dogfood MTE with all apps on, but use a retail build. I can think of at least a few researchers that would probably find this useful. Bug: 328793166 Test: adb unroot && adb shell setprop persist.sys.mte.permissive 1 Change-Id: Ie905e23c9600986cb436e1cc7490e28678710696
2024-03-15 16:26:31 +01:00
set_prop(shell, permissive_mte_prop)
Set context for hash algorithm properties. Also move verity_status_prop to system_restricted_prop since we need to query it in cts tests Bug: 175236047 Test: atest CtsNativeVerifiedBootTestCases Change-Id: I82b26edaf5c5ad233bd83dff77eaafb9174646ef
2021-01-20 08:02:51 +01:00
kcmdlinectrl: define system property for kcmdlinectrl This defines the kcmdline_prop context for properties controlled by kcmdlinectrl, and defines a property called kcmdline.binder for switching between the Rust and C implementations of the Binder driver. It is intended that additional kcmdline properties introduced in the future would share the same kcmdline_prop context. Test: Verified that setprop/getprop work and that the value is loaded properly at boot Bug: 326222756 Change-Id: Iea362df98d729ee110b6058c6e5fa6b6ace03d8e
2024-02-21 16:18:14 +01:00
# Allow shell to write kcmdline properties even on user builds.
set_prop(shell, kcmdline_prop)
Set context for hash algorithm properties. Also move verity_status_prop to system_restricted_prop since we need to query it in cts tests Bug: 175236047 Test: atest CtsNativeVerifiedBootTestCases Change-Id: I82b26edaf5c5ad233bd83dff77eaafb9174646ef
2021-01-20 08:02:51 +01:00
# Allow shell to read the dm-verity props on user builds.
get_prop(shell, verity_status_prop)
Allow shell to read VAB props. Bug: 179427873 Test: adb unroot and read the prop Change-Id: Ib480903afae2e7180a59f8834dd7c54062acd947
2021-02-17 21:06:12 +01:00
# Allow shell to read Virtual A/B related properties
get_prop(shell, virtual_ab_prop)
Permit dropping caches from the shell through sys.drop_caches. * Permits setting the sys.drop_caches property from shell. * Permits init to read and write to the drop_caches file. * Can only be set to 3 (drop_caches) and 0 (unset). Bug: 178647679 Test: flashed user build and set property; no avc denials. Test: flashed userdebug build and dropped caches w/o root. Change-Id: Idcedf83f14f6299fab383f042829d8d548fb4f5d
2021-02-11 03:45:35 +01:00
Allow shell to read default fstab CTS module CtsFsMgrTestCases (gtest) needs to read fstab. Fixes: 184850580 Test: CtsFsMgrTestCases on user build Change-Id: I0f04bb021d8732a1c5f987ba2984da2c98f40653
2021-04-09 07:39:20 +02:00
# Allow ReadDefaultFstab() for CTS.
read_fstab(shell)
Give adbd and shell read access to /apex/apex-info-list.xml /apex/apex-info-list.xml is used by ART mainline module, hence it needs to have CTS test for it. Giving adbd and shell read-only permission allows us to write host-driven CTS test that pull /apex/apex-info-list.xml from the device and inspects it's content. Similar (albeit not exactly the same information) is already available via PackageManager APIs/PackageManager shell command. Bug: 190185664 Test: m Test: adb shell cat /apex/apex-info-list.xml Change-Id: Ib7f2ca79a7493f8cd40d0c419569e85135f6bbda
2021-06-10 16:37:25 +02:00
# Allow shell read access to /apex/apex-info-list.xml for CTS.
allow shell apex_info_file:file r_file_perms;
Allow virtualizationservice to use vsock ... to connect to the programs running in the guest VM Bug: 192904048 Test: atest MicrodroidHostTestCases Change-Id: Iccb48c14ace11cc940bb9ab1e07cc4926182e06e
2021-07-10 07:35:06 +02:00
SEPolicy for compos_verify_key. Remove some allow rules for odsign, since it no longer directly modifies CompOs files. Instead allow it to run compos_verify_key in its own domain. Grant compos_verify_key what it needs to access the CompOs files and start up the VM. Currently we directly connect to the CompOs VM; that will change once some in-flight CLs have landed. As part of this I moved the virtualizationservice_use macro to te_macros so I can use it here. I also expanded it to include additional grants needed by any VM client that were previously done for individual domains (and then deleted those rules as now redundant). I also removed the grant of VM access to all apps; instead we allow it for untrusted apps, on userdebug or eng builds only. (Temporarily at least.) Bug: 193603140 Test: Manual - odsign successfully runs the VM at boot when needed. Change-Id: I62f9ad8c7ea2fb9ef2d468331e26822d08e3c828
2021-09-02 12:10:59 +02:00
# Let the shell user call virtualizationservice (and
# virtualizationservice call back to shell) for debugging.
virtualizationservice_use(shell)
Add a persist.wm.debug property type and associated permissions This is intended for wm properties related to wmshell/sysui. Using this context allows sysui to manipulate these properties in debug builds. Bug: 219067621 Test: manual Change-Id: I5808bf92dbba37e9e6da5559f8e0a5fdac016bf3
2022-03-02 23:13:58 +01:00
# Allow shell to set persist.wm.debug properties
userdebug_or_eng(`set_prop(shell, persist_wm_debug_prop)')
[GWP-ASan] Add sysprop, allow shell and system apps to set it. Bug: 219651032 Test: atest bionic-unit-tests Change-Id: Ic4804ce0e4f3b6ba8eb8d82aca11b400b45c03dc
2022-03-22 23:59:57 +01:00
# Allow shell to write GWP-ASan properties even on user builds.
set_prop(shell, gwp_asan_prop)
Add persist.sysui.notification.builder_extras_ovrd Adds persist.sysui.notification.builder_extras_override property and associated permissions, which will be used to flag guard a change in core/...Notification.java. Permissions are limited in scope to avoid unnecessary access. Apps may need to read the flag (because Notification.java is a core library), but setting should only be possible internally (and via debug shell). Test: manual flash+adb setprop/getprop Bug: 169435530 Change-Id: I3f7e2220798d22c90f4326570732a52b0deeb54d
2023-03-23 03:19:22 +01:00
# Allow shell to set persist.sysui.notification.builder_extras_override property
userdebug_or_eng(`set_prop(shell, persist_sysui_builder_extras_prop)')
persist.sysui.notification.ranking_update_ashmem Adds persist.syui.notification.ranking_update_ashmem property and associated permissions, which will be used to flag guard a change in core/...NotificationRankingUpdate.java. Permissions are limited in scope to avoid unnecessary access. Apps may need to read the flag (because NotificationRankingUpdate.java is a core library), but setting should only be possible internally (and via debug shell). Test: manual flash+adb setprop/getprop Bug: 249848655 Change-Id: I661644893714661d8c8b5553c943fa17d08c000c
2023-05-31 23:25:50 +02:00
# Allow shell to set persist.sysui.notification.ranking_update_ashmem property
userdebug_or_eng(`set_prop(shell, persist_sysui_ranking_update_prop)')
Add persist.sysui.notification.builder_extras_ovrd Adds persist.sysui.notification.builder_extras_override property and associated permissions, which will be used to flag guard a change in core/...Notification.java. Permissions are limited in scope to avoid unnecessary access. Apps may need to read the flag (because Notification.java is a core library), but setting should only be possible internally (and via debug shell). Test: manual flash+adb setprop/getprop Bug: 169435530 Change-Id: I3f7e2220798d22c90f4326570732a52b0deeb54d
2023-03-23 03:19:22 +01:00
Allow shell access to attestation properties The properties for attestation are congifured in build.prop files and used by frameworks Build.java. Allow app to access them from 'adb shell am' Bug: 296168846 Test: m selinux_policy Change-Id: Ie749cf5d621c03c21aa538f96a06d21680a61569
2023-09-12 05:24:05 +02:00
# Allow shell to read the build properties for attestation feature
get_prop(shell, build_attestation_prop)
Revert^2 "Update uprobestats SELinux policy" This reverts commit 5e1d7f1c85d84a73fa05c8813a72d9bc19121a20. Reason for revert: retry with a fix to the failed tests Test: atest art_standalone_oatdump_tests Change-Id: I28872c643ba4ec07ef41b1f9be86036c592a6e4e
2023-12-15 01:48:23 +01:00
# Allow shell to execute oatdump.
allow shell oatdump_exec:file rx_file_perms;
update aconfigd selinux policy For aconfigd test, for atest to work, the shell domain needs to be able to connect to aconfigd_socket. In addition, aconfigd needs to be able to access the test storage files as shell_data_file. All these policies are only needed for userdebug_or_eng build. Bug: 312459182 Test: m, launch avd, atest, then audit2allow, no avc denials found Change-Id: Ifb369f7e0000dfe35305fe976e330fa516ff440c
2024-03-19 03:33:00 +01:00
# Allow shell access to socket for test
userdebug_or_eng(`
allow shell aconfigd_socket:sock_file write;
allow shell aconfigd:unix_stream_socket connectto;
')
Minimize public policy Ideally, public should only contain APIs (types / attributes) for vendor. The other statements like allow/neverallow/typeattributes are regarded as implementation detail for platform and should be in private. Bug: 232023812 Test: m selinux_policy Test: diff <(git diff --staged | grep "^-" | cut -b2- | sort) \ <(git diff --staged | grep "^+" | cut -b2- | sort) Test: remove comments on plat_sepolicy.cil, replace base_typeattr_* to base_typeattr and then compare old and new plat_sepolicy.cil Change-Id: I5e7d2da4465ab0216de6bacdf03077d37f6ffe12
2024-03-27 09:18:41 +01:00
# Create and use network sockets.
net_domain(shell)
# logcat
read_logd(shell)
control_logd(shell)
get_prop(shell, logd_prop)
# logcat -L (directly, or via dumpstate)
allow shell pstorefs:dir search;
allow shell pstorefs:file r_file_perms;
# Root fs.
allow shell rootfs:dir r_dir_perms;
# read files in /data/anr
allow shell anr_data_file:dir r_dir_perms;
allow shell anr_data_file:file r_file_perms;
# Access /data/local/tmp.
allow shell shell_data_file:dir create_dir_perms;
allow shell shell_data_file:file create_file_perms;
allow shell shell_data_file:file rx_file_perms;
allow shell shell_data_file:lnk_file create_file_perms;
# Access /data/local/tests.
allow shell shell_test_data_file:dir create_dir_perms;
allow shell shell_test_data_file:file create_file_perms;
allow shell shell_test_data_file:file rx_file_perms;
allow shell shell_test_data_file:lnk_file create_file_perms;
allow shell shell_test_data_file:sock_file create_file_perms;
# Read and delete from /data/local/traces.
allow shell trace_data_file:file { r_file_perms unlink };
allow shell trace_data_file:dir { r_dir_perms remove_name write };
# Access /data/misc/profman.
allow shell profman_dump_data_file:dir { write remove_name r_dir_perms };
allow shell profman_dump_data_file:file { unlink r_file_perms };
# Read/execute files in /data/nativetest
userdebug_or_eng(`
allow shell nativetest_data_file:dir r_dir_perms;
allow shell nativetest_data_file:file rx_file_perms;
')
# adb bugreport
unix_socket_connect(shell, dumpstate, dumpstate)
allow shell devpts:chr_file rw_file_perms;
allow shell tty_device:chr_file rw_file_perms;
allow shell console_device:chr_file rw_file_perms;
allow shell input_device:dir r_dir_perms;
allow shell input_device:chr_file r_file_perms;
r_dir_file(shell, system_file)
allow shell system_file:file x_file_perms;
allow shell toolbox_exec:file rx_file_perms;
allow shell shell_exec:file rx_file_perms;
allow shell zygote_exec:file rx_file_perms;
userdebug_or_eng(`
# "systrace --boot" support - allow boottrace service to run
allow shell boottrace_data_file:dir rw_dir_perms;
allow shell boottrace_data_file:file create_file_perms;
')
# allow shell access to services
allow shell servicemanager:service_manager list;
# don't allow shell to access GateKeeper service
# TODO: why is this so broad? Tightening candidate? It needs at list:
# - dumpstate_service (so it can receive dumpstate progress updates)
allow shell {
service_manager_type
-apex_service
-dnsresolver_service
-gatekeeper_service
-hal_keymint_service
-hal_secureclock_service
-hal_sharedsecret_service
-incident_service
-installd_service
-mdns_service
-netd_service
-system_suspend_control_internal_service
-system_suspend_control_service
-virtual_touchpad_service
-vold_service
-default_android_service
}:service_manager find;
allow shell dumpstate:binder call;
# allow shell to get information from hwservicemanager
# for instance, listing hardware services with lshal
hwbinder_use(shell)
allow shell hwservicemanager:hwservice_manager list;
# allow shell to look through /proc/ for lsmod, ps, top, netstat, vmstat.
r_dir_file(shell, proc_net_type)
allow shell {
proc_asound
proc_filesystems
proc_interrupts
proc_loadavg # b/124024827
proc_meminfo
proc_modules
proc_pid_max
proc_slabinfo
proc_stat
proc_timer
proc_uptime
proc_version
proc_vmstat
proc_zoneinfo
}:file r_file_perms;
# allow listing network interfaces under /sys/class/net.
allow shell sysfs_net:dir r_dir_perms;
r_dir_file(shell, cgroup)
allow shell cgroup_desc_file:file r_file_perms;
allow shell cgroup_desc_api_file:file r_file_perms;
allow shell vendor_cgroup_desc_file:file r_file_perms;
r_dir_file(shell, cgroup_v2)
allow shell domain:dir { search open read getattr };
allow shell domain:{ file lnk_file } { open read getattr };
# statvfs() of /proc and other labeled filesystems
# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs, overlay)
allow shell { proc labeledfs }:filesystem getattr;
# stat() of /dev
allow shell device:dir getattr;
# allow shell to read /proc/pid/attr/current for ps -Z
allow shell domain:process getattr;
# Allow pulling the SELinux policy for CTS purposes
allow shell selinuxfs:dir r_dir_perms;
allow shell selinuxfs:file r_file_perms;
# enable shell domain to read/write files/dirs for bootchart data
# User will creates the start and stop file via adb shell
# and read other files created by init process under /data/bootchart
allow shell bootchart_data_file:dir rw_dir_perms;
allow shell bootchart_data_file:file create_file_perms;
# Make sure strace works for the non-privileged shell user
allow shell self:process ptrace;
# allow shell to get battery info
allow shell sysfs:dir r_dir_perms;
allow shell sysfs_batteryinfo:dir r_dir_perms;
allow shell sysfs_batteryinfo:file r_file_perms;
# Allow access to ion memory allocation device.
allow shell ion_device:chr_file rw_file_perms;
#
# filesystem test for insecure chr_file's is done
# via a host side test
#
allow shell dev_type:dir r_dir_perms;
allow shell dev_type:chr_file getattr;
# /dev/fd is a symlink
allow shell proc:lnk_file getattr;
#
# filesystem test for insucre blk_file's is done
# via hostside test
#
allow shell dev_type:blk_file getattr;
# read selinux policy files
allow shell file_contexts_file:file r_file_perms;
allow shell property_contexts_file:file r_file_perms;
allow shell seapp_contexts_file:file r_file_perms;
allow shell service_contexts_file:file r_file_perms;
allow shell sepolicy_file:file r_file_perms;
# Allow shell to start up vendor shell
allow shell vendor_shell_exec:file rx_file_perms;
# Everything is labeled as rootfs in recovery mode. Allow shell to
# execute them.
recovery_only(`
allow shell rootfs:file rx_file_perms;
')
###
### Neverallow rules
###
# Do not allow shell to talk directly to security HAL services other than
# hal_remotelyprovisionedcomponent_service
neverallow shell {
hal_keymint_service
hal_secureclock_service
hal_sharedsecret_service
}:service_manager find;
# Do not allow shell to hard link to any files.
# In particular, if shell hard links to app data
# files, installd will not be able to guarantee the deletion
# of the linked to file. Hard links also contribute to security
# bugs, so we want to ensure the shell user never has this
# capability.
neverallow shell file_type:file link;
# Do not allow privileged socket ioctl commands
neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
# limit shell access to sensitive char drivers to
# only getattr required for host side test.
neverallow shell {
fuse_device
hw_random_device
port_device
}:chr_file ~getattr;
# Limit shell to only getattr on blk devices for host side tests.
neverallow shell dev_type:blk_file ~getattr;
# b/30861057: Shell access to existing input devices is an abuse
# vector. The shell user can inject events that look like they
# originate from the touchscreen etc.
# Everyone should have already moved to UiAutomation#injectInputEvent
# if they are running instrumentation tests (i.e. CTS), Monkey for
# their stress tests, and the input command (adb shell input ...) for
# injecting swipes and things.
neverallow shell input_device:chr_file no_w_file_perms;
neverallow shell self:perf_event ~{ open read write kernel };
# Never allow others to set or get the perf.drop_caches property.
neverallow { domain -shell -init } perf_drop_caches_prop:property_service set;
neverallow { domain -shell -init -dumpstate } perf_drop_caches_prop:file read;
Reference in a new issue Copy permalink