From 42fb824ca9f3e46b4419f05083f2694ac67a8229 Mon Sep 17 00:00:00 2001 From: Stephen Smalley Date: Wed, 11 Jun 2014 07:10:09 -0400 Subject: [PATCH] Refactor the shell domains. Originally we used the shell domain for ADB shell only and the init_shell domain for the console service, both transitioned via automatic domain transitions on sh. So they originally shared a common set of rules. Then init_shell started to be used for sh commands invoked by init..rc files, and we switched the console service to just use the shell domain via seclabel entry in init.rc. Even most of the sh command instances in init..rc files have been converted to use explicit seclabel options with more specific domains (one lingering use is touch_fw_update service in init.grouper.rc). The primary purpose of init_shell at this point is just to shed certain permissions from the init domain when init invokes a shell command. And init_shell and shell are quite different in their permission requirements since the former is used now for uid-0 processes spawned by init whereas the latter is used for uid-shell processes spawned by adb or init. Given these differences, drop the shelldomain attribute and take those rules directly into shell.te. init_shell was an unconfined_domain(), so it loses nothing from this change. Also switch init_shell to permissive_or_unconfined() so that we can see its actual denials in the future in userdebug/eng builds. Change-Id: I6e7e45724d1aa3a6bcce8df676857bc8eef568f0 Signed-off-by: Stephen Smalley
---
app.te | 2 +- attributes | 3 --- domain.te | 2 +- init_shell.te | 6 ++---- shell.te | 38 ++++++++++++++++++++++++++++++++++++-- shelldomain.te | 37 ------------------------------------- 6 files changed, 40 insertions(+), 48 deletions(-) delete mode 100644 shelldomain.te
diff --git a/app.te b/app.te
index 9df1a083b..44cd26631 100644
--- a/app.te
+++ b/app.te
@@ -316,7 +316,7 @@ neverallow { appdomain -unconfineddomain }
 # Access to syslog(2) or /proc/kmsg.
 neverallow { appdomain -system_app } kernel:system { syslog_mod syslog_console };
-neverallow { appdomain -system_app -shelldomain }
+neverallow { appdomain -system_app -shell }
 kernel:system syslog_read;
 # Ability to perform any filesystem operation other than statfs(2).
diff --git a/attributes b/attributes
index 9d13a1b61..261500ffa 100644
--- a/attributes
+++ b/attributes
@@ -50,9 +50,6 @@ attribute mlstrustedobject;
 # Domains that are allowed all permissions ("unconfined").
 attribute unconfineddomain;
-# All domains used for shells.
-attribute shelldomain;
-
 # All domains used for apps.
 attribute appdomain;
diff --git a/domain.te b/domain.te
index dbe232469..c5db6bb46 100644
--- a/domain.te
+++ b/domain.te
@@ -248,7 +248,7 @@ neverallow {
 domain
 -appdomain
 -dumpstate
- -shelldomain
+ -shell
 userdebug_or_eng(`-su')
 -system_server
 -zygote
diff --git a/init_shell.te b/init_shell.te
index e1ca03a0c..d2e4d74fd 100644
--- a/init_shell.te
+++ b/init_shell.te
@@ -1,8 +1,6 @@
 # Restricted domain for shell processes spawned by init.
 # Normally these are shell commands or scripts invoked via sh
 # from an init*.rc file. No service should ever run in this domain.
-type init_shell, domain, shelldomain;
+type init_shell, domain;
 domain_auto_trans(init, shell_exec, init_shell)
-unconfined_domain(init_shell)
-
-# inherits from shelldomain.te
+permissive_or_unconfined(init_shell)
diff --git a/shell.te b/shell.te
index 50cc4f523..6df9c852a 100644
--- a/shell.te
+++ b/shell.te
@@ -1,5 +1,5 @@
 # Domain for shell processes spawned by ADB or console service.
-type shell, domain, shelldomain, mlstrustedsubject;
+type shell, domain, mlstrustedsubject;
 type shell_exec, exec_type, file_type;
 # Create and use network sockets.
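Review bot: The `-shell` exclusion in the rewritten `neverallow { appdomain -system_app -shell } kernel:system syslog_read;` only has an effect if `shell` carries the `appdomain` attribute, and the shell.te hunk in this same patch declares it as `type shell, domain, mlstrustedsubject;` with no `appdomain`. Unless a `typeattribute` elsewhere adds it, the subtraction is dead and the rule is equivalent to `neverallow { appdomain -system_app } kernel:system syslog_read;`; keeping it is harmless, but either dropping it or adding `# -shell is a no-op unless shell ever joins appdomain` would stop readers from assuming shell is an app domain. The `-shell` in the domain.te neverallow is a different case: that set is `domain`, which shell does belong to, so that exclusion is live.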
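Review bot: The header comment kept as context in init_shell.te, `# Restricted domain for shell processes spawned by init.`, no longer matches the new last line `permissive_or_unconfined(init_shell)`: per the commit message this makes init_shell permissive on userdebug/eng and unconfined on user builds, so nothing is restricted yet and a uid-0 shell spawned by init still runs without MAC enforcement on every build type. Suggest rewording the header to `# Domain for shell processes spawned by init. Not yet confined: permissive on userdebug/eng, unconfined on user builds (TODO: write real rules once denials are collected).` so the next reader does not take "Restricted" at face value. The whole file is visible in this hunk (8 lines old, 6 lines new).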
@@ -17,4 +17,38 @@ control_logd(shell)
 allow shell anr_data_file:dir r_dir_perms;
 allow shell anr_data_file:file r_file_perms;
-# inherits from shelldomain.te
+# Access /data/local/tmp.
+allow shell shell_data_file:dir create_dir_perms;
+allow shell shell_data_file:file create_file_perms;
+allow shell shell_data_file:file rx_file_perms;
+
+# adb bugreport
+unix_socket_connect(shell, dumpstate, dumpstate)
+
+allow shell rootfs:dir r_dir_perms;
+allow shell devpts:chr_file rw_file_perms;
+allow shell tty_device:chr_file rw_file_perms;
+allow shell console_device:chr_file rw_file_perms;
+allow shell input_device:chr_file rw_file_perms;
+allow shell system_file:file x_file_perms;
+allow shell shell_exec:file rx_file_perms;
+allow shell zygote_exec:file rx_file_perms;
+
+r_dir_file(shell, apk_data_file)
+
+# Set properties.
+unix_socket_connect(shell, property, init)
+allow shell shell_prop:property_service set;
+allow shell ctl_dumpstate_prop:property_service set;
+allow shell debug_prop:property_service set;
+allow shell powerctl_prop:property_service set;
+
+# systrace support - allow atrace to run
+# debugfs doesn't support labeling individual files, so we have
+# to grant read access to all of /sys/kernel/debug.
+# Directory read access and file write access is already granted
+# in domain.te.
+allow shell debugfs:file r_file_perms;
+
+# allow shell to run dmesg
+allow shell kernel:system syslog_read;
diff --git a/shelldomain.te b/shelldomain.te
deleted file mode 100644
index 3dd0941f4..000000000
--- a/shelldomain.te
+++ /dev/null
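Review bot: The device-node grants that land in shell.te, from `allow shell devpts:chr_file rw_file_perms;` through `allow shell input_device:chr_file rw_file_perms;`, carry no comment saying which use case needs them, and `input_device` read/write is the broadest of the set because, subject to the node's DAC mode, it lets any adb-shell process read and inject raw input events. Since this commit is the point where these rules stop being shared with init_shell and become shell-specific, it is the right place to record the consumer, e.g. `# pty/tty/console for interactive sessions; input_device rw for shell-side input tooling - confirm still required.` above that group. The remainder of the hunk (data dir, property sets, debugfs, syslog_read) is already commented, and the final `allow shell kernel:system syslog_read;` is consistent with the app.te change in this patch that exempts shell from the syslog_read neverallow.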
@@ -1,37 +0,0 @@
-# Rules for all shell domains (e.g. console service and adb shell).
-
-# Access /data/local/tmp.
-allow shelldomain shell_data_file:dir create_dir_perms;
-allow shelldomain shell_data_file:file create_file_perms;
-allow shelldomain shell_data_file:file rx_file_perms;
-
-# adb bugreport
-unix_socket_connect(shelldomain, dumpstate, dumpstate)
-
-allow shelldomain rootfs:dir r_dir_perms;
-allow shelldomain devpts:chr_file rw_file_perms;
-allow shelldomain tty_device:chr_file rw_file_perms;
-allow shelldomain console_device:chr_file rw_file_perms;
-allow shelldomain input_device:chr_file rw_file_perms;
-allow shelldomain system_file:file x_file_perms;
-allow shelldomain shell_exec:file rx_file_perms;
-allow shelldomain zygote_exec:file rx_file_perms;
-
-r_dir_file(shelldomain, apk_data_file)
-
-# Set properties.
-unix_socket_connect(shelldomain, property, init)
-allow shelldomain shell_prop:property_service set;
-allow shelldomain ctl_dumpstate_prop:property_service set;
-allow shelldomain debug_prop:property_service set;
-allow shelldomain powerctl_prop:property_service set;
-
-# systrace support - allow atrace to run
-# debugfs doesn't support labeling individual files, so we have
-# to grant read access to all of /sys/kernel/debug.
-# Directory read access and file write access is already granted
-# in domain.te.
-allow shelldomain debugfs:file r_file_perms;
-
-# allow shell to run dmesg
-allow shelldomain kernel:system syslog_read;