2020-02-11 15:43:05 +01:00
|
|
|
typeattribute shell coredomain, mlstrustedsubject;
|
2017-03-23 22:27:32 +01:00
|
|
|
|
2017-05-11 04:37:06 +02:00
|
|
|
# allow shell input injection
|
|
|
|
allow shell uhid_device:chr_file rw_file_perms;
|
|
|
|
|
2016-10-12 23:58:09 +02:00
|
|
|
# systrace support - allow atrace to run
|
2018-01-31 03:14:45 +01:00
|
|
|
allow shell debugfs_tracing_debug:dir r_dir_perms;
|
2016-10-12 23:58:09 +02:00
|
|
|
allow shell debugfs_tracing:dir r_dir_perms;
|
2017-07-27 01:22:50 +02:00
|
|
|
allow shell debugfs_tracing:file rw_file_perms;
|
2016-10-12 23:58:09 +02:00
|
|
|
allow shell debugfs_trace_marker:file getattr;
|
|
|
|
allow shell atrace_exec:file rx_file_perms;
|
|
|
|
|
2017-04-14 21:12:50 +02:00
|
|
|
userdebug_or_eng(`
|
2017-07-27 18:50:25 +02:00
|
|
|
allow shell debugfs_tracing_debug:file rw_file_perms;
|
2017-04-14 21:12:50 +02:00
|
|
|
')
|
|
|
|
|
2018-01-31 03:14:45 +01:00
|
|
|
# read config.gz for CTS purposes
|
|
|
|
allow shell config_gz:file r_file_perms;
|
|
|
|
|
2024-02-14 19:54:58 +01:00
|
|
|
# allow reading tombstones. users can already use bugreports to get those.
|
|
|
|
allow shell tombstone_data_file:dir r_dir_perms;
|
|
|
|
allow shell tombstone_data_file:file r_file_perms;
|
|
|
|
|
2016-12-08 20:23:34 +01:00
|
|
|
# Run app_process.
|
|
|
|
# XXX Transition into its own domain?
|
|
|
|
app_domain(shell)
|
2017-03-23 20:28:20 +01:00
|
|
|
|
|
|
|
# allow shell to call dumpsys storaged
|
|
|
|
binder_call(shell, storaged)
|
2017-05-08 18:51:59 +02:00
|
|
|
|
|
|
|
# Perform SELinux access checks, needed for CTS
|
|
|
|
selinux_check_access(shell)
|
|
|
|
selinux_check_context(shell)
|
2017-12-21 03:51:15 +01:00
|
|
|
|
|
|
|
# Control Perfetto traced and obtain traces from it.
|
|
|
|
# Needed for Studio and debugging.
|
|
|
|
unix_socket_connect(shell, traced_consumer, traced)
|
|
|
|
|
|
|
|
# Allow shell binaries to write trace data to Perfetto. Used for testing and
|
|
|
|
# cmdline utils.
|
2019-10-08 17:15:14 +02:00
|
|
|
perfetto_producer(shell)
|
2018-01-11 20:01:30 +01:00
|
|
|
|
|
|
|
domain_auto_trans(shell, vendor_shell_exec, vendor_shell)
|
2018-01-24 17:07:09 +01:00
|
|
|
|
|
|
|
# Allow shell binaries to exec the perfetto cmdline util and have that
|
|
|
|
# transition into its own domain, so that it behaves consistently to
|
|
|
|
# when exec()-d by statsd.
|
|
|
|
domain_auto_trans(shell, perfetto_exec, perfetto)
|
2018-12-06 14:28:01 +01:00
|
|
|
# Allow to send SIGINT to perfetto when daemonized.
|
|
|
|
allow shell perfetto:process signal;
|
2018-01-24 17:07:09 +01:00
|
|
|
|
2018-02-13 18:33:36 +01:00
|
|
|
# Allow shell to run adb shell cmd stats commands. Needed for CTS.
|
|
|
|
binder_call(shell, statsd);
|
|
|
|
|
2021-02-09 21:03:40 +01:00
|
|
|
# Allow shell to read and unlink traces stored in /data/misc/a11ytraces.
|
|
|
|
userdebug_or_eng(`
|
|
|
|
allow shell accessibility_trace_data_file:dir rw_dir_perms;
|
|
|
|
allow shell accessibility_trace_data_file:file { r_file_perms unlink };
|
|
|
|
')
|
|
|
|
|
2018-01-24 17:07:09 +01:00
|
|
|
# Allow shell to read and unlink traces stored in /data/misc/perfetto-traces.
|
|
|
|
allow shell perfetto_traces_data_file:dir rw_dir_perms;
|
2019-09-30 12:09:45 +02:00
|
|
|
allow shell perfetto_traces_data_file:file { r_file_perms unlink };
|
2021-01-18 10:26:57 +01:00
|
|
|
# ... and /data/misc/perfetto-traces/bugreport/ .
|
|
|
|
allow shell perfetto_traces_bugreport_data_file:dir rw_dir_perms;
|
|
|
|
allow shell perfetto_traces_bugreport_data_file:file { r_file_perms unlink };
|
2018-09-18 02:06:19 +02:00
|
|
|
|
2020-10-13 22:13:09 +02:00
|
|
|
# Allow shell to create/remove configs stored in /data/misc/perfetto-configs.
|
|
|
|
allow shell perfetto_configs_data_file:dir rw_dir_perms;
|
|
|
|
allow shell perfetto_configs_data_file:file create_file_perms;
|
|
|
|
|
2018-11-28 00:21:43 +01:00
|
|
|
# Allow shell to run adb shell cmd gpu commands.
|
|
|
|
binder_call(shell, gpuservice);
|
|
|
|
|
2018-09-20 01:06:28 +02:00
|
|
|
# Allow shell to use atrace HAL
|
|
|
|
hal_client_domain(shell, hal_atrace)
|
2018-09-28 19:55:14 +02:00
|
|
|
|
|
|
|
# For hostside tests such as CTS listening ports test.
|
|
|
|
allow shell proc_net_tcp_udp:file r_file_perms;
|
2019-02-26 00:11:40 +01:00
|
|
|
|
|
|
|
# The dl.exec_linker* tests need to execute /system/bin/linker
|
|
|
|
# b/124789393
|
|
|
|
allow shell system_linker_exec:file rx_file_perms;
|
2019-02-26 21:30:42 +01:00
|
|
|
|
|
|
|
# Renderscript host side tests depend on being able to execute
|
|
|
|
# /system/bin/bcc (b/126388046)
|
|
|
|
allow shell rs_exec:file rx_file_perms;
|
2019-03-14 23:45:03 +01:00
|
|
|
|
2020-11-02 14:52:54 +01:00
|
|
|
# Allow (host-driven) ART run-tests to execute dex2oat, in order to
|
|
|
|
# check ART's compiler.
|
|
|
|
allow shell dex2oat_exec:file rx_file_perms;
|
2022-04-14 18:42:11 +02:00
|
|
|
allow shell dex2oat_exec:lnk_file read;
|
2020-11-02 14:52:54 +01:00
|
|
|
|
2019-03-14 23:45:03 +01:00
|
|
|
# Allow shell to start and comminicate with lpdumpd.
|
|
|
|
set_prop(shell, lpdumpd_prop);
|
|
|
|
binder_call(shell, lpdumpd)
|
2019-08-09 07:20:34 +02:00
|
|
|
|
2020-03-12 15:45:00 +01:00
|
|
|
# Allow shell to set and read value of properties used for CTS tests of
|
|
|
|
# userspace reboot
|
|
|
|
set_prop(shell, userspace_reboot_test_prop)
|
|
|
|
|
2021-11-18 00:48:47 +01:00
|
|
|
# Allow shell to set this property to disable charging.
|
|
|
|
set_prop(shell, power_debug_prop)
|
|
|
|
|
2021-02-24 07:29:06 +01:00
|
|
|
# Allow shell to set this property used for rollback tests
|
|
|
|
set_prop(shell, rollback_test_prop)
|
|
|
|
|
2023-02-24 20:50:51 +01:00
|
|
|
# Allow shell to set RKP properties for testing purposes
|
|
|
|
set_prop(shell, remote_prov_prop)
|
|
|
|
|
2019-09-27 22:33:27 +02:00
|
|
|
# Allow shell to get encryption policy of /data/local/tmp/, for CTS
|
|
|
|
allowxperm shell shell_data_file:dir ioctl {
|
|
|
|
FS_IOC_GET_ENCRYPTION_POLICY
|
|
|
|
FS_IOC_GET_ENCRYPTION_POLICY_EX
|
|
|
|
};
|
2020-01-10 20:02:43 +01:00
|
|
|
|
|
|
|
# Allow shell to execute simpleperf without a domain transition.
|
|
|
|
allow shell simpleperf_exec:file rx_file_perms;
|
|
|
|
|
2021-07-27 11:06:50 +02:00
|
|
|
userdebug_or_eng(`
|
|
|
|
# Allow shell to execute profcollectctl without a domain transition.
|
|
|
|
allow shell profcollectd_exec:file rx_file_perms;
|
|
|
|
|
|
|
|
# Allow shell to read profcollectd data files.
|
|
|
|
r_dir_file(shell, profcollectd_data_file)
|
|
|
|
|
|
|
|
# Allow to issue control commands to profcollectd binder service.
|
|
|
|
allow shell profcollectd:binder call;
|
|
|
|
')
|
2020-08-31 19:54:01 +02:00
|
|
|
|
2022-11-01 08:08:09 +01:00
|
|
|
# Allow shell to run remount command.
|
|
|
|
allow shell remount_exec:file rx_file_perms;
|
|
|
|
|
2020-01-10 20:02:43 +01:00
|
|
|
# Allow shell to call perf_event_open for profiling other shell processes, but
|
|
|
|
# not the whole system.
|
|
|
|
allow shell self:perf_event { open read write kernel };
|
2020-03-04 09:20:35 +01:00
|
|
|
|
2023-11-15 09:59:30 +01:00
|
|
|
# Allow shell to read microdroid vendor image
|
|
|
|
r_dir_file(shell, vendor_microdroid_file)
|
|
|
|
|
2021-06-14 01:30:43 +02:00
|
|
|
# Allow shell to read /apex/apex-info-list.xml and the vendor apexes
|
2021-06-07 22:27:52 +02:00
|
|
|
allow shell apex_info_file:file r_file_perms;
|
2021-06-14 01:30:43 +02:00
|
|
|
allow shell vendor_apex_file:file r_file_perms;
|
|
|
|
allow shell vendor_apex_file:dir r_dir_perms;
|
2023-05-31 10:51:14 +02:00
|
|
|
allow shell vendor_apex_metadata_file:dir r_dir_perms;
|
2021-06-07 22:27:52 +02:00
|
|
|
|
2022-02-25 12:59:25 +01:00
|
|
|
# Allow shell to read updated APEXes under /data/apex
|
|
|
|
allow shell apex_data_file:dir search;
|
|
|
|
allow shell staging_data_file:file r_file_perms;
|
|
|
|
|
2020-03-04 09:20:35 +01:00
|
|
|
# Set properties.
|
|
|
|
set_prop(shell, shell_prop)
|
|
|
|
set_prop(shell, ctl_bugreport_prop)
|
|
|
|
set_prop(shell, ctl_dumpstate_prop)
|
|
|
|
set_prop(shell, dumpstate_prop)
|
|
|
|
set_prop(shell, exported_dumpstate_prop)
|
|
|
|
set_prop(shell, debug_prop)
|
2021-02-11 03:45:35 +01:00
|
|
|
set_prop(shell, perf_drop_caches_prop)
|
2020-03-04 09:20:35 +01:00
|
|
|
set_prop(shell, powerctl_prop)
|
|
|
|
set_prop(shell, log_tag_prop)
|
|
|
|
set_prop(shell, wifi_log_prop)
|
|
|
|
# Allow shell to start/stop traced via the persist.traced.enable
|
|
|
|
# property (which also takes care of /data/misc initialization).
|
|
|
|
set_prop(shell, traced_enabled_prop)
|
2023-11-10 10:58:01 +01:00
|
|
|
# adjust SELinux audit rates
|
|
|
|
set_prop(shell, logd_auditrate_prop)
|
2020-03-04 09:20:35 +01:00
|
|
|
# adjust is_loggable properties
|
|
|
|
userdebug_or_eng(`set_prop(shell, log_prop)')
|
|
|
|
# logpersist script
|
|
|
|
userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)')
|
|
|
|
# Allow shell to start/stop heapprofd via the persist.heapprofd.enable
|
|
|
|
# property.
|
|
|
|
set_prop(shell, heapprofd_enabled_prop)
|
|
|
|
# Allow shell to start/stop traced_perf via the persist.traced_perf.enable
|
|
|
|
# property.
|
|
|
|
set_prop(shell, traced_perf_enabled_prop)
|
|
|
|
# Allow shell to start/stop gsid via ctl.start|stop|restart gsid.
|
|
|
|
set_prop(shell, ctl_gsid_prop)
|
2020-11-13 09:45:59 +01:00
|
|
|
set_prop(shell, ctl_snapuserd_prop)
|
2020-03-04 09:20:35 +01:00
|
|
|
# Allow shell to enable Dynamic System Update
|
|
|
|
set_prop(shell, dynamic_system_prop)
|
|
|
|
# Allow shell to mock an OTA using persist.pm.mock-upgrade
|
|
|
|
set_prop(shell, mock_ota_prop)
|
|
|
|
|
|
|
|
# Read device's serial number from system properties
|
|
|
|
get_prop(shell, serialno_prop)
|
|
|
|
|
|
|
|
# Allow shell to read the vendor security patch level for CTS
|
|
|
|
get_prop(shell, vendor_security_patch_level_prop)
|
|
|
|
|
|
|
|
# Read state of logging-related properties
|
|
|
|
get_prop(shell, device_logging_prop)
|
|
|
|
|
|
|
|
# Read state of boot reason properties
|
|
|
|
get_prop(shell, bootloader_boot_reason_prop)
|
|
|
|
get_prop(shell, last_boot_reason_prop)
|
|
|
|
get_prop(shell, system_boot_reason_prop)
|
|
|
|
|
2022-10-07 21:51:15 +02:00
|
|
|
# Allow shell to execute the remote key provisioning factory tool
|
|
|
|
binder_call(shell, hal_keymint)
|
|
|
|
|
2020-03-04 09:20:35 +01:00
|
|
|
# Allow reading the outcome of perf_event_open LSM support test for CTS.
|
|
|
|
get_prop(shell, init_perf_lsm_hooks_prop)
|
|
|
|
|
2020-10-07 02:52:17 +02:00
|
|
|
# Allow shell to read boot image timestamps and fingerprints.
|
|
|
|
get_prop(shell, build_bootimage_prop)
|
|
|
|
|
2021-08-05 15:11:04 +02:00
|
|
|
# Allow shell to read odsign verification properties
|
|
|
|
get_prop(shell, odsign_prop)
|
|
|
|
|
2020-03-04 09:20:35 +01:00
|
|
|
userdebug_or_eng(`set_prop(shell, persist_debug_prop)')
|
2020-06-03 21:20:41 +02:00
|
|
|
|
2020-07-27 22:07:39 +02:00
|
|
|
# Allow shell to read the keystore key contexts files. Used by native tests to test label lookup.
|
|
|
|
allow shell keystore2_key_contexts_file:file r_file_perms;
|
|
|
|
|
|
|
|
# Allow shell to access the keystore2_key namespace shell_key. Mainly used for native tests.
|
2020-09-24 17:55:28 +02:00
|
|
|
allow shell shell_key:keystore2_key { delete rebind use get_info update };
|
2020-11-17 05:54:52 +01:00
|
|
|
|
2021-07-19 23:32:41 +02:00
|
|
|
# Allow shell to open and execute memfd files for minijail unit tests.
|
|
|
|
userdebug_or_eng(`
|
|
|
|
allow shell appdomain_tmpfs:file { open execute_no_trans };
|
|
|
|
')
|
|
|
|
|
2020-11-17 05:54:52 +01:00
|
|
|
# Allow shell to write db.log.detailed, db.log.slow_query_threshold*
|
|
|
|
set_prop(shell, sqlite_log_prop)
|
2020-12-04 02:23:06 +01:00
|
|
|
|
|
|
|
# Allow shell to write MTE properties even on user builds.
|
|
|
|
set_prop(shell, arm64_memtag_prop)
|
2024-03-15 16:26:31 +01:00
|
|
|
set_prop(shell, permissive_mte_prop)
|
2021-01-20 08:02:51 +01:00
|
|
|
|
2024-02-21 16:18:14 +01:00
|
|
|
# Allow shell to write kcmdline properties even on user builds.
|
|
|
|
set_prop(shell, kcmdline_prop)
|
|
|
|
|
2021-01-20 08:02:51 +01:00
|
|
|
# Allow shell to read the dm-verity props on user builds.
|
|
|
|
get_prop(shell, verity_status_prop)
|
2021-02-17 21:06:12 +01:00
|
|
|
|
|
|
|
# Allow shell to read Virtual A/B related properties
|
|
|
|
get_prop(shell, virtual_ab_prop)
|
2021-02-11 03:45:35 +01:00
|
|
|
|
2021-04-09 07:39:20 +02:00
|
|
|
# Allow ReadDefaultFstab() for CTS.
|
|
|
|
read_fstab(shell)
|
2021-06-10 16:37:25 +02:00
|
|
|
|
|
|
|
# Allow shell read access to /apex/apex-info-list.xml for CTS.
|
|
|
|
allow shell apex_info_file:file r_file_perms;
|
2021-07-10 07:35:06 +02:00
|
|
|
|
2021-09-02 12:10:59 +02:00
|
|
|
# Let the shell user call virtualizationservice (and
|
|
|
|
# virtualizationservice call back to shell) for debugging.
|
|
|
|
virtualizationservice_use(shell)
|
2022-03-02 23:13:58 +01:00
|
|
|
|
|
|
|
# Allow shell to set persist.wm.debug properties
|
|
|
|
userdebug_or_eng(`set_prop(shell, persist_wm_debug_prop)')
|
2022-03-22 23:59:57 +01:00
|
|
|
|
|
|
|
# Allow shell to write GWP-ASan properties even on user builds.
|
|
|
|
set_prop(shell, gwp_asan_prop)
|
2023-03-23 03:19:22 +01:00
|
|
|
|
|
|
|
# Allow shell to set persist.sysui.notification.builder_extras_override property
|
|
|
|
userdebug_or_eng(`set_prop(shell, persist_sysui_builder_extras_prop)')
|
2023-05-31 23:25:50 +02:00
|
|
|
# Allow shell to set persist.sysui.notification.ranking_update_ashmem property
|
|
|
|
userdebug_or_eng(`set_prop(shell, persist_sysui_ranking_update_prop)')
|
2023-03-23 03:19:22 +01:00
|
|
|
|
2023-09-12 05:24:05 +02:00
|
|
|
# Allow shell to read the build properties for attestation feature
|
|
|
|
get_prop(shell, build_attestation_prop)
|
|
|
|
|
2023-12-15 01:48:23 +01:00
|
|
|
# Allow shell to execute oatdump.
|
|
|
|
allow shell oatdump_exec:file rx_file_perms;
|
2024-03-19 03:33:00 +01:00
|
|
|
|
|
|
|
# Allow shell access to socket for test
|
|
|
|
userdebug_or_eng(`
|
|
|
|
allow shell aconfigd_socket:sock_file write;
|
|
|
|
allow shell aconfigd:unix_stream_socket connectto;
|
|
|
|
')
|
2024-03-27 09:18:41 +01:00
|
|
|
|
|
|
|
# Create and use network sockets.
|
|
|
|
net_domain(shell)
|
|
|
|
|
|
|
|
# logcat
|
|
|
|
read_logd(shell)
|
|
|
|
control_logd(shell)
|
|
|
|
get_prop(shell, logd_prop)
|
|
|
|
# logcat -L (directly, or via dumpstate)
|
|
|
|
allow shell pstorefs:dir search;
|
|
|
|
allow shell pstorefs:file r_file_perms;
|
|
|
|
|
|
|
|
# Root fs.
|
|
|
|
allow shell rootfs:dir r_dir_perms;
|
|
|
|
|
|
|
|
# read files in /data/anr
|
|
|
|
allow shell anr_data_file:dir r_dir_perms;
|
|
|
|
allow shell anr_data_file:file r_file_perms;
|
|
|
|
|
|
|
|
# Access /data/local/tmp.
|
|
|
|
allow shell shell_data_file:dir create_dir_perms;
|
|
|
|
allow shell shell_data_file:file create_file_perms;
|
|
|
|
allow shell shell_data_file:file rx_file_perms;
|
|
|
|
allow shell shell_data_file:lnk_file create_file_perms;
|
|
|
|
|
|
|
|
# Access /data/local/tests.
|
|
|
|
allow shell shell_test_data_file:dir create_dir_perms;
|
|
|
|
allow shell shell_test_data_file:file create_file_perms;
|
|
|
|
allow shell shell_test_data_file:file rx_file_perms;
|
|
|
|
allow shell shell_test_data_file:lnk_file create_file_perms;
|
|
|
|
allow shell shell_test_data_file:sock_file create_file_perms;
|
|
|
|
|
|
|
|
# Read and delete from /data/local/traces.
|
|
|
|
allow shell trace_data_file:file { r_file_perms unlink };
|
|
|
|
allow shell trace_data_file:dir { r_dir_perms remove_name write };
|
|
|
|
|
|
|
|
# Access /data/misc/profman.
|
|
|
|
allow shell profman_dump_data_file:dir { write remove_name r_dir_perms };
|
|
|
|
allow shell profman_dump_data_file:file { unlink r_file_perms };
|
|
|
|
|
|
|
|
# Read/execute files in /data/nativetest
|
|
|
|
userdebug_or_eng(`
|
|
|
|
allow shell nativetest_data_file:dir r_dir_perms;
|
|
|
|
allow shell nativetest_data_file:file rx_file_perms;
|
|
|
|
')
|
|
|
|
|
|
|
|
# adb bugreport
|
|
|
|
unix_socket_connect(shell, dumpstate, dumpstate)
|
|
|
|
|
|
|
|
allow shell devpts:chr_file rw_file_perms;
|
|
|
|
allow shell tty_device:chr_file rw_file_perms;
|
|
|
|
allow shell console_device:chr_file rw_file_perms;
|
|
|
|
|
|
|
|
allow shell input_device:dir r_dir_perms;
|
|
|
|
allow shell input_device:chr_file r_file_perms;
|
|
|
|
|
|
|
|
r_dir_file(shell, system_file)
|
|
|
|
allow shell system_file:file x_file_perms;
|
|
|
|
allow shell toolbox_exec:file rx_file_perms;
|
|
|
|
allow shell shell_exec:file rx_file_perms;
|
|
|
|
allow shell zygote_exec:file rx_file_perms;
|
|
|
|
|
|
|
|
userdebug_or_eng(`
|
|
|
|
# "systrace --boot" support - allow boottrace service to run
|
|
|
|
allow shell boottrace_data_file:dir rw_dir_perms;
|
|
|
|
allow shell boottrace_data_file:file create_file_perms;
|
|
|
|
')
|
|
|
|
|
|
|
|
# allow shell access to services
|
|
|
|
allow shell servicemanager:service_manager list;
|
|
|
|
# don't allow shell to access GateKeeper service
|
|
|
|
# TODO: why is this so broad? Tightening candidate? It needs at list:
|
|
|
|
# - dumpstate_service (so it can receive dumpstate progress updates)
|
|
|
|
allow shell {
|
|
|
|
service_manager_type
|
|
|
|
-apex_service
|
|
|
|
-dnsresolver_service
|
|
|
|
-gatekeeper_service
|
|
|
|
-hal_keymint_service
|
|
|
|
-hal_secureclock_service
|
|
|
|
-hal_sharedsecret_service
|
|
|
|
-incident_service
|
|
|
|
-installd_service
|
|
|
|
-mdns_service
|
|
|
|
-netd_service
|
|
|
|
-system_suspend_control_internal_service
|
|
|
|
-system_suspend_control_service
|
|
|
|
-virtual_touchpad_service
|
|
|
|
-vold_service
|
|
|
|
-default_android_service
|
|
|
|
}:service_manager find;
|
|
|
|
allow shell dumpstate:binder call;
|
|
|
|
|
|
|
|
# allow shell to get information from hwservicemanager
|
|
|
|
# for instance, listing hardware services with lshal
|
|
|
|
hwbinder_use(shell)
|
|
|
|
allow shell hwservicemanager:hwservice_manager list;
|
|
|
|
|
|
|
|
# allow shell to look through /proc/ for lsmod, ps, top, netstat, vmstat.
|
|
|
|
r_dir_file(shell, proc_net_type)
|
|
|
|
|
|
|
|
allow shell {
|
|
|
|
proc_asound
|
2024-04-26 20:28:28 +02:00
|
|
|
proc_cgroups
|
2024-03-27 09:18:41 +01:00
|
|
|
proc_filesystems
|
|
|
|
proc_interrupts
|
|
|
|
proc_loadavg # b/124024827
|
|
|
|
proc_meminfo
|
|
|
|
proc_modules
|
|
|
|
proc_pid_max
|
|
|
|
proc_slabinfo
|
|
|
|
proc_stat
|
|
|
|
proc_timer
|
|
|
|
proc_uptime
|
|
|
|
proc_version
|
|
|
|
proc_vmstat
|
|
|
|
proc_zoneinfo
|
|
|
|
}:file r_file_perms;
|
|
|
|
|
|
|
|
# allow listing network interfaces under /sys/class/net.
|
|
|
|
allow shell sysfs_net:dir r_dir_perms;
|
|
|
|
|
|
|
|
r_dir_file(shell, cgroup)
|
|
|
|
allow shell cgroup_desc_file:file r_file_perms;
|
|
|
|
allow shell cgroup_desc_api_file:file r_file_perms;
|
|
|
|
allow shell vendor_cgroup_desc_file:file r_file_perms;
|
|
|
|
r_dir_file(shell, cgroup_v2)
|
|
|
|
allow shell domain:dir { search open read getattr };
|
|
|
|
allow shell domain:{ file lnk_file } { open read getattr };
|
|
|
|
|
|
|
|
# statvfs() of /proc and other labeled filesystems
|
|
|
|
# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs, overlay)
|
|
|
|
allow shell { proc labeledfs }:filesystem getattr;
|
|
|
|
|
|
|
|
# stat() of /dev
|
|
|
|
allow shell device:dir getattr;
|
|
|
|
|
|
|
|
# allow shell to read /proc/pid/attr/current for ps -Z
|
|
|
|
allow shell domain:process getattr;
|
|
|
|
|
|
|
|
# Allow pulling the SELinux policy for CTS purposes
|
|
|
|
allow shell selinuxfs:dir r_dir_perms;
|
|
|
|
allow shell selinuxfs:file r_file_perms;
|
|
|
|
|
|
|
|
# enable shell domain to read/write files/dirs for bootchart data
|
|
|
|
# User will creates the start and stop file via adb shell
|
|
|
|
# and read other files created by init process under /data/bootchart
|
|
|
|
allow shell bootchart_data_file:dir rw_dir_perms;
|
|
|
|
allow shell bootchart_data_file:file create_file_perms;
|
|
|
|
|
|
|
|
# Make sure strace works for the non-privileged shell user
|
|
|
|
allow shell self:process ptrace;
|
|
|
|
|
|
|
|
# allow shell to get battery info
|
|
|
|
allow shell sysfs:dir r_dir_perms;
|
|
|
|
allow shell sysfs_batteryinfo:dir r_dir_perms;
|
|
|
|
allow shell sysfs_batteryinfo:file r_file_perms;
|
|
|
|
|
2024-04-26 21:27:06 +02:00
|
|
|
# Allow reads (but not writes) of the MGLRU state
|
|
|
|
allow shell sysfs_lru_gen_enabled:file r_file_perms;
|
|
|
|
|
2024-03-27 09:18:41 +01:00
|
|
|
# Allow access to ion memory allocation device.
|
|
|
|
allow shell ion_device:chr_file rw_file_perms;
|
|
|
|
|
|
|
|
#
|
|
|
|
# filesystem test for insecure chr_file's is done
|
|
|
|
# via a host side test
|
|
|
|
#
|
|
|
|
allow shell dev_type:dir r_dir_perms;
|
|
|
|
allow shell dev_type:chr_file getattr;
|
|
|
|
|
|
|
|
# /dev/fd is a symlink
|
|
|
|
allow shell proc:lnk_file getattr;
|
|
|
|
|
|
|
|
#
|
|
|
|
# filesystem test for insucre blk_file's is done
|
|
|
|
# via hostside test
|
|
|
|
#
|
|
|
|
allow shell dev_type:blk_file getattr;
|
|
|
|
|
|
|
|
# read selinux policy files
|
|
|
|
allow shell file_contexts_file:file r_file_perms;
|
|
|
|
allow shell property_contexts_file:file r_file_perms;
|
|
|
|
allow shell seapp_contexts_file:file r_file_perms;
|
|
|
|
allow shell service_contexts_file:file r_file_perms;
|
|
|
|
allow shell sepolicy_file:file r_file_perms;
|
|
|
|
|
|
|
|
# Allow shell to start up vendor shell
|
|
|
|
allow shell vendor_shell_exec:file rx_file_perms;
|
|
|
|
|
|
|
|
# Everything is labeled as rootfs in recovery mode. Allow shell to
|
|
|
|
# execute them.
|
|
|
|
recovery_only(`
|
|
|
|
allow shell rootfs:file rx_file_perms;
|
|
|
|
')
|
|
|
|
|
|
|
|
###
|
|
|
|
### Neverallow rules
|
|
|
|
###
|
|
|
|
|
|
|
|
# Do not allow shell to talk directly to security HAL services other than
|
|
|
|
# hal_remotelyprovisionedcomponent_service
|
|
|
|
neverallow shell {
|
|
|
|
hal_keymint_service
|
|
|
|
hal_secureclock_service
|
|
|
|
hal_sharedsecret_service
|
|
|
|
}:service_manager find;
|
|
|
|
|
|
|
|
# Do not allow shell to hard link to any files.
|
|
|
|
# In particular, if shell hard links to app data
|
|
|
|
# files, installd will not be able to guarantee the deletion
|
|
|
|
# of the linked to file. Hard links also contribute to security
|
|
|
|
# bugs, so we want to ensure the shell user never has this
|
|
|
|
# capability.
|
|
|
|
neverallow shell file_type:file link;
|
|
|
|
|
|
|
|
# Do not allow privileged socket ioctl commands
|
|
|
|
neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
|
|
|
|
|
|
|
|
# limit shell access to sensitive char drivers to
|
|
|
|
# only getattr required for host side test.
|
|
|
|
neverallow shell {
|
|
|
|
fuse_device
|
|
|
|
hw_random_device
|
|
|
|
port_device
|
|
|
|
}:chr_file ~getattr;
|
|
|
|
|
|
|
|
# Limit shell to only getattr on blk devices for host side tests.
|
|
|
|
neverallow shell dev_type:blk_file ~getattr;
|
|
|
|
|
|
|
|
# b/30861057: Shell access to existing input devices is an abuse
|
|
|
|
# vector. The shell user can inject events that look like they
|
|
|
|
# originate from the touchscreen etc.
|
|
|
|
# Everyone should have already moved to UiAutomation#injectInputEvent
|
|
|
|
# if they are running instrumentation tests (i.e. CTS), Monkey for
|
|
|
|
# their stress tests, and the input command (adb shell input ...) for
|
|
|
|
# injecting swipes and things.
|
|
|
|
neverallow shell input_device:chr_file no_w_file_perms;
|
|
|
|
|
|
|
|
neverallow shell self:perf_event ~{ open read write kernel };
|
|
|
|
|
|
|
|
# Never allow others to set or get the perf.drop_caches property.
|
|
|
|
neverallow { domain -shell -init } perf_drop_caches_prop:property_service set;
|
|
|
|
neverallow { domain -shell -init -dumpstate } perf_drop_caches_prop:file read;
|