2014-02-21 19:45:29 +01:00
|
|
|
# Domain for shell processes spawned by ADB or console service.
|
2015-11-28 04:18:17 +01:00
|
|
|
type shell, domain, mlstrustedsubject;
|
2018-09-27 19:21:37 +02:00
|
|
|
type shell_exec, system_file_type, exec_type, file_type;
|
2012-01-04 18:33:27 +01:00
|
|
|
|
2014-01-07 18:47:10 +01:00
|
|
|
# Create and use network sockets.
|
|
|
|
net_domain(shell)
|
|
|
|
|
2014-12-15 21:01:35 +01:00
|
|
|
# logcat
|
2014-03-17 21:00:38 +01:00
|
|
|
read_logd(shell)
|
|
|
|
control_logd(shell)
|
2014-12-15 21:01:35 +01:00
|
|
|
# logcat -L (directly, or via dumpstate)
|
|
|
|
allow shell pstorefs:dir search;
|
|
|
|
allow shell pstorefs:file r_file_perms;
|
2014-03-17 21:00:38 +01:00
|
|
|
|
2015-12-02 01:28:28 +01:00
|
|
|
# Root fs.
|
|
|
|
allow shell rootfs:dir r_dir_perms;
|
|
|
|
|
2014-06-05 22:27:44 +02:00
|
|
|
# read files in /data/anr
|
|
|
|
allow shell anr_data_file:dir r_dir_perms;
|
|
|
|
allow shell anr_data_file:file r_file_perms;
|
|
|
|
|
2014-06-11 13:10:09 +02:00
|
|
|
# Access /data/local/tmp.
|
|
|
|
allow shell shell_data_file:dir create_dir_perms;
|
|
|
|
allow shell shell_data_file:file create_file_perms;
|
|
|
|
allow shell shell_data_file:file rx_file_perms;
|
2014-12-10 08:49:31 +01:00
|
|
|
allow shell shell_data_file:lnk_file create_file_perms;
|
2014-06-11 13:10:09 +02:00
|
|
|
|
2018-01-16 01:44:04 +01:00
|
|
|
# Read and delete from /data/local/traces.
|
|
|
|
allow shell trace_data_file:file { r_file_perms unlink };
|
|
|
|
allow shell trace_data_file:dir { r_dir_perms remove_name write };
|
|
|
|
|
2016-05-27 21:41:35 +02:00
|
|
|
# Access /data/misc/profman.
|
2018-05-05 02:44:33 +02:00
|
|
|
allow shell profman_dump_data_file:dir { write remove_name r_dir_perms };
|
|
|
|
allow shell profman_dump_data_file:file { unlink r_file_perms };
|
2016-05-27 21:41:35 +02:00
|
|
|
|
2015-10-29 00:45:58 +01:00
|
|
|
# Read/execute files in /data/nativetest
|
|
|
|
userdebug_or_eng(`
|
|
|
|
allow shell nativetest_data_file:dir r_dir_perms;
|
|
|
|
allow shell nativetest_data_file:file rx_file_perms;
|
|
|
|
')
|
|
|
|
|
2014-06-11 13:10:09 +02:00
|
|
|
# adb bugreport
|
|
|
|
unix_socket_connect(shell, dumpstate, dumpstate)
|
|
|
|
|
|
|
|
allow shell devpts:chr_file rw_file_perms;
|
|
|
|
allow shell tty_device:chr_file rw_file_perms;
|
|
|
|
allow shell console_device:chr_file rw_file_perms;
|
2018-08-24 20:57:49 +02:00
|
|
|
|
2014-06-11 18:09:15 +02:00
|
|
|
allow shell input_device:dir r_dir_perms;
|
2018-08-28 18:12:28 +02:00
|
|
|
allow shell input_device:chr_file r_file_perms;
|
2018-08-24 20:57:49 +02:00
|
|
|
|
2015-12-04 18:05:02 +01:00
|
|
|
r_dir_file(shell, system_file)
|
2014-06-11 13:10:09 +02:00
|
|
|
allow shell system_file:file x_file_perms;
|
2015-08-25 17:38:29 +02:00
|
|
|
allow shell toolbox_exec:file rx_file_perms;
|
2017-02-24 20:03:58 +01:00
|
|
|
allow shell tzdatacheck_exec:file rx_file_perms;
|
2014-06-11 13:10:09 +02:00
|
|
|
allow shell shell_exec:file rx_file_perms;
|
|
|
|
allow shell zygote_exec:file rx_file_perms;
|
|
|
|
|
|
|
|
r_dir_file(shell, apk_data_file)
|
|
|
|
|
|
|
|
# Set properties.
|
2015-05-05 03:22:45 +02:00
|
|
|
set_prop(shell, shell_prop)
|
2015-12-02 03:03:05 +01:00
|
|
|
set_prop(shell, ctl_bugreport_prop)
|
2015-05-05 03:22:45 +02:00
|
|
|
set_prop(shell, ctl_dumpstate_prop)
|
2015-12-02 03:03:05 +01:00
|
|
|
set_prop(shell, dumpstate_prop)
|
2017-10-19 09:54:49 +02:00
|
|
|
set_prop(shell, exported_dumpstate_prop)
|
2015-05-05 03:22:45 +02:00
|
|
|
set_prop(shell, debug_prop)
|
|
|
|
set_prop(shell, powerctl_prop)
|
2016-06-01 20:14:14 +02:00
|
|
|
set_prop(shell, log_tag_prop)
|
|
|
|
set_prop(shell, wifi_log_prop)
|
2018-04-20 20:09:45 +02:00
|
|
|
# Allow shell to start/stop traced via the persist.traced.enable
|
|
|
|
# property (which also takes care of /data/misc initialization).
|
|
|
|
set_prop(shell, traced_enabled_prop)
|
2016-08-10 20:10:02 +02:00
|
|
|
# adjust is_loggable properties
|
2016-04-15 20:10:06 +02:00
|
|
|
userdebug_or_eng(`set_prop(shell, log_prop)')
|
2016-08-10 20:10:02 +02:00
|
|
|
# logpersist script
|
2016-06-06 21:18:46 +02:00
|
|
|
userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)')
|
2018-12-10 17:20:20 +01:00
|
|
|
# Allow shell to start/stop heapprofd via the persist.heapprofd.enable
|
|
|
|
# property.
|
|
|
|
set_prop(shell, heapprofd_enabled_prop)
|
2014-06-11 13:10:09 +02:00
|
|
|
|
2015-06-24 08:24:17 +02:00
|
|
|
userdebug_or_eng(`
|
|
|
|
# "systrace --boot" support - allow boottrace service to run
|
|
|
|
allow shell boottrace_data_file:dir rw_dir_perms;
|
|
|
|
allow shell boottrace_data_file:file create_file_perms;
|
|
|
|
set_prop(shell, persist_debug_prop)
|
|
|
|
')
|
2014-06-11 13:10:09 +02:00
|
|
|
|
2016-12-29 02:44:33 +01:00
|
|
|
# Read device's serial number from system properties
|
|
|
|
get_prop(shell, serialno_prop)
|
|
|
|
|
2018-03-30 03:21:31 +02:00
|
|
|
# Allow shell to read the vendor security patch level for CTS
|
|
|
|
get_prop(shell, vendor_security_patch_level_prop)
|
|
|
|
|
2017-04-20 19:02:50 +02:00
|
|
|
# Read state of logging-related properties
|
|
|
|
get_prop(shell, device_logging_prop)
|
|
|
|
|
2017-08-14 23:25:10 +02:00
|
|
|
# Read state of boot reason properties
|
|
|
|
get_prop(shell, bootloader_boot_reason_prop)
|
|
|
|
get_prop(shell, last_boot_reason_prop)
|
|
|
|
get_prop(shell, system_boot_reason_prop)
|
|
|
|
|
2015-01-24 00:55:42 +01:00
|
|
|
# allow shell access to services
|
2014-12-31 00:21:50 +01:00
|
|
|
allow shell servicemanager:service_manager list;
|
2015-04-04 01:46:33 +02:00
|
|
|
# don't allow shell to access GateKeeper service
|
2016-10-29 00:52:15 +02:00
|
|
|
# TODO: why is this so broad? Tightening candidate? It needs at list:
|
|
|
|
# - dumpstate_service (so it can receive dumpstate progress updates)
|
2017-09-26 21:58:29 +02:00
|
|
|
allow shell {
|
|
|
|
service_manager_type
|
2018-08-17 09:35:42 +02:00
|
|
|
-apex_service
|
2017-09-26 21:58:29 +02:00
|
|
|
-gatekeeper_service
|
|
|
|
-incident_service
|
|
|
|
-installd_service
|
2018-10-05 23:48:29 +02:00
|
|
|
-iorapd_service
|
2017-09-26 21:58:29 +02:00
|
|
|
-netd_service
|
|
|
|
-virtual_touchpad_service
|
|
|
|
-vold_service
|
|
|
|
-vr_hwc_service
|
|
|
|
}:service_manager find;
|
2016-10-29 00:52:15 +02:00
|
|
|
allow shell dumpstate:binder call;
|
2015-01-16 22:39:59 +01:00
|
|
|
|
2017-01-21 00:19:32 +01:00
|
|
|
# allow shell to get information from hwservicemanager
|
2017-02-14 00:42:42 +01:00
|
|
|
# for instance, listing hardware services with lshal
|
2017-01-21 00:19:32 +01:00
|
|
|
hwbinder_use(shell)
|
2017-04-08 01:14:43 +02:00
|
|
|
allow shell hwservicemanager:hwservice_manager list;
|
2017-01-21 00:19:32 +01:00
|
|
|
|
2017-10-20 21:38:17 +02:00
|
|
|
# allow shell to look through /proc/ for lsmod, ps, top, netstat.
|
Start the process of locking down proc/net
Files in /proc/net leak information. This change is the first step in
determining which files apps may use, whitelisting benign access, and
otherwise removing access while providing safe alternative APIs.
To that end, this change:
* Introduces the proc_net_type attribute which will assigned to any
new SELinux types in /proc/net to avoid removing access to privileged
processes. These processes may be evaluated later, but are lower
priority than apps.
* Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing
use by VPN apps. This may be replaced by an alternative API.
* Audits all other proc/net access for apps.
* Audits proc/net access for other processes which are currently
granted broad read access to /proc/net but should not be including
storaged, zygote, clatd, logd, preopt2cachename and vold.
Bug: 9496886
Bug: 68016944
Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube
navigate maps, send text message, make voice call, make video call.
Verify no avc "granted" messages in the logs.
Test: A few VPN apps including "VPN Monster", "Turbo VPN", and
"Freighter". Verify no logspam with the current setup.
Test: atest CtsNativeNetTestCases
Test: atest netd_integration_test
Test: atest QtaguidPermissionTest
Test: atest FileSystemPermissionTest
Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457
Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457
(cherry picked from commit 087318957f26e921d62f2e234fc14bff3c59030e)
2018-04-10 21:47:48 +02:00
|
|
|
r_dir_file(shell, proc_net_type)
|
2017-11-13 18:50:03 +01:00
|
|
|
|
|
|
|
allow shell {
|
|
|
|
proc_asound
|
|
|
|
proc_filesystems
|
|
|
|
proc_interrupts
|
2019-02-20 22:33:03 +01:00
|
|
|
proc_loadavg # b/124024827
|
2017-11-13 18:50:03 +01:00
|
|
|
proc_meminfo
|
|
|
|
proc_modules
|
2017-11-28 17:42:40 +01:00
|
|
|
proc_pid_max
|
2018-06-14 16:34:19 +02:00
|
|
|
proc_slabinfo
|
2017-11-13 18:50:03 +01:00
|
|
|
proc_stat
|
|
|
|
proc_timer
|
|
|
|
proc_uptime
|
|
|
|
proc_version
|
|
|
|
proc_zoneinfo
|
|
|
|
}:file r_file_perms;
|
|
|
|
|
2017-12-12 18:34:13 +01:00
|
|
|
# allow listing network interfaces under /sys/class/net.
|
|
|
|
allow shell sysfs_net:dir r_dir_perms;
|
|
|
|
|
2015-11-28 04:18:17 +01:00
|
|
|
r_dir_file(shell, cgroup)
|
2015-01-16 22:39:59 +01:00
|
|
|
allow shell domain:dir { search open read getattr };
|
|
|
|
allow shell domain:{ file lnk_file } { open read getattr };
|
2014-12-05 06:40:22 +01:00
|
|
|
|
2015-12-23 01:41:27 +01:00
|
|
|
# statvfs() of /proc and other labeled filesystems
|
2018-06-13 17:02:29 +02:00
|
|
|
# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs, overlay)
|
2015-12-23 01:41:27 +01:00
|
|
|
allow shell { proc labeledfs }:filesystem getattr;
|
|
|
|
|
|
|
|
# stat() of /dev
|
|
|
|
allow shell device:dir getattr;
|
|
|
|
|
2015-03-16 16:43:22 +01:00
|
|
|
# allow shell to read /proc/pid/attr/current for ps -Z
|
|
|
|
allow shell domain:process getattr;
|
|
|
|
|
2015-12-03 22:28:14 +01:00
|
|
|
# Allow pulling the SELinux policy for CTS purposes
|
|
|
|
allow shell selinuxfs:dir r_dir_perms;
|
|
|
|
allow shell selinuxfs:file r_file_perms;
|
|
|
|
|
2014-12-05 06:40:22 +01:00
|
|
|
# enable shell domain to read/write files/dirs for bootchart data
|
|
|
|
# User will creates the start and stop file via adb shell
|
|
|
|
# and read other files created by init process under /data/bootchart
|
|
|
|
allow shell bootchart_data_file:dir rw_dir_perms;
|
|
|
|
allow shell bootchart_data_file:file create_file_perms;
|
2015-04-16 17:43:10 +02:00
|
|
|
|
2015-10-15 22:35:01 +02:00
|
|
|
# Make sure strace works for the non-privileged shell user
|
|
|
|
allow shell self:process ptrace;
|
|
|
|
|
2016-01-05 23:32:54 +01:00
|
|
|
# allow shell to get battery info
|
2016-01-13 18:02:36 +01:00
|
|
|
allow shell sysfs:dir r_dir_perms;
|
2017-10-13 19:26:44 +02:00
|
|
|
allow shell sysfs_batteryinfo:dir r_dir_perms;
|
|
|
|
allow shell sysfs_batteryinfo:file r_file_perms;
|
2015-12-22 18:40:03 +01:00
|
|
|
|
|
|
|
# Allow access to ion memory allocation device.
|
|
|
|
allow shell ion_device:chr_file rw_file_perms;
|
|
|
|
|
2016-03-24 01:26:42 +01:00
|
|
|
#
|
|
|
|
# filesystem test for insecure chr_file's is done
|
|
|
|
# via a host side test
|
|
|
|
#
|
|
|
|
allow shell dev_type:dir r_dir_perms;
|
|
|
|
allow shell dev_type:chr_file getattr;
|
|
|
|
|
|
|
|
# /dev/fd is a symlink
|
|
|
|
allow shell proc:lnk_file getattr;
|
|
|
|
|
2016-04-05 17:19:27 +02:00
|
|
|
#
|
|
|
|
# filesystem test for insucre blk_file's is done
|
|
|
|
# via hostside test
|
|
|
|
#
|
|
|
|
allow shell dev_type:blk_file getattr;
|
2016-04-28 22:54:48 +02:00
|
|
|
|
2017-04-04 01:31:09 +02:00
|
|
|
# read selinux policy files
|
|
|
|
allow shell file_contexts_file:file r_file_perms;
|
|
|
|
allow shell property_contexts_file:file r_file_perms;
|
|
|
|
allow shell seapp_contexts_file:file r_file_perms;
|
|
|
|
allow shell service_contexts_file:file r_file_perms;
|
|
|
|
allow shell sepolicy_file:file r_file_perms;
|
|
|
|
|
2018-01-11 20:01:30 +01:00
|
|
|
# Allow shell to start up vendor shell
|
|
|
|
allow shell vendor_shell_exec:file rx_file_perms;
|
|
|
|
|
2018-06-01 05:31:33 +02:00
|
|
|
# Everything is labeled as rootfs in recovery mode. Allow shell to
|
|
|
|
# execute them.
|
|
|
|
recovery_only(`
|
|
|
|
allow shell rootfs:file rx_file_perms;
|
|
|
|
')
|
|
|
|
|
2015-12-22 18:40:03 +01:00
|
|
|
###
|
|
|
|
### Neverallow rules
|
|
|
|
###
|
|
|
|
|
2015-04-16 17:43:10 +02:00
|
|
|
# Do not allow shell to hard link to any files.
|
|
|
|
# In particular, if shell hard links to app data
|
|
|
|
# files, installd will not be able to guarantee the deletion
|
|
|
|
# of the linked to file. Hard links also contribute to security
|
|
|
|
# bugs, so we want to ensure the shell user never has this
|
|
|
|
# capability.
|
|
|
|
neverallow shell file_type:file link;
|
2016-01-05 16:42:16 +01:00
|
|
|
|
|
|
|
# Do not allow privileged socket ioctl commands
|
2016-01-05 18:36:12 +01:00
|
|
|
neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
|
2016-04-28 22:54:48 +02:00
|
|
|
|
2016-03-24 01:26:42 +01:00
|
|
|
# limit shell access to sensitive char drivers to
|
|
|
|
# only getattr required for host side test.
|
|
|
|
neverallow shell {
|
|
|
|
fuse_device
|
|
|
|
hw_random_device
|
2016-12-05 00:11:29 +01:00
|
|
|
port_device
|
2016-03-24 01:26:42 +01:00
|
|
|
}:chr_file ~getattr;
|
2016-04-05 17:19:27 +02:00
|
|
|
|
|
|
|
# Limit shell to only getattr on blk devices for host side tests.
|
|
|
|
neverallow shell dev_type:blk_file ~getattr;
|
2018-08-28 18:12:28 +02:00
|
|
|
|
|
|
|
# b/30861057: Shell access to existing input devices is an abuse
|
|
|
|
# vector. The shell user can inject events that look like they
|
|
|
|
# originate from the touchscreen etc.
|
|
|
|
# Everyone should have already moved to UiAutomation#injectInputEvent
|
|
|
|
# if they are running instrumentation tests (i.e. CTS), Monkey for
|
|
|
|
# their stress tests, and the input command (adb shell input ...) for
|
|
|
|
# injecting swipes and things.
|
|
|
|
neverallow shell input_device:chr_file no_w_file_perms;
|