2f5a6a96bd
A common source of mistakes when authoring sepolicy is properly
setting up property sets. This is a 3 part step of:
1. Allowing the unix domain connection to the init/property service
2. Allowing write on the property_socket file
3. Allowing the set on class property_service
The macro unix_socket_connect() handled 1 and 2, but could be
confusing for first time policy authors. 3 had to be explicitly
added.
To correct this, we introduce a new macros:
set_prop(sourcedomain, targetprop)
This macro handles steps 1, 2 and 3.
No difference in sediff is expected.
(cherrypicked from commit 625a3526f1
)
Change-Id: I630ba0178439c935d08062892990d43a3cc1239e
Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>
84 lines
2.8 KiB
Text
84 lines
2.8 KiB
Text
# Domain for shell processes spawned by ADB or console service.
|
|
type shell, domain, mlstrustedsubject;
|
|
type shell_exec, exec_type, file_type;
|
|
|
|
# Create and use network sockets.
|
|
net_domain(shell)
|
|
|
|
# Run app_process.
|
|
# XXX Transition into its own domain?
|
|
app_domain(shell)
|
|
|
|
# logcat
|
|
read_logd(shell)
|
|
control_logd(shell)
|
|
# logcat -L (directly, or via dumpstate)
|
|
allow shell pstorefs:dir search;
|
|
allow shell pstorefs:file r_file_perms;
|
|
|
|
# read files in /data/anr
|
|
allow shell anr_data_file:dir r_dir_perms;
|
|
allow shell anr_data_file:file r_file_perms;
|
|
|
|
# Access /data/local/tmp.
|
|
allow shell shell_data_file:dir create_dir_perms;
|
|
allow shell shell_data_file:file create_file_perms;
|
|
allow shell shell_data_file:file rx_file_perms;
|
|
allow shell shell_data_file:lnk_file create_file_perms;
|
|
|
|
# adb bugreport
|
|
unix_socket_connect(shell, dumpstate, dumpstate)
|
|
|
|
allow shell devpts:chr_file rw_file_perms;
|
|
allow shell tty_device:chr_file rw_file_perms;
|
|
allow shell console_device:chr_file rw_file_perms;
|
|
allow shell input_device:dir r_dir_perms;
|
|
allow shell input_device:chr_file rw_file_perms;
|
|
allow shell system_file:file x_file_perms;
|
|
allow shell shell_exec:file rx_file_perms;
|
|
allow shell zygote_exec:file rx_file_perms;
|
|
|
|
r_dir_file(shell, apk_data_file)
|
|
|
|
# Set properties.
|
|
set_prop(shell, shell_prop)
|
|
set_prop(shell, ctl_dumpstate_prop)
|
|
set_prop(shell, debug_prop)
|
|
set_prop(shell, powerctl_prop)
|
|
|
|
# systrace support - allow atrace to run
|
|
# debugfs doesn't support labeling individual files, so we have
|
|
# to grant read access to all of /sys/kernel/debug.
|
|
# Directory read access and file write access is already granted
|
|
# in domain.te.
|
|
allow shell debugfs:file r_file_perms;
|
|
|
|
# allow shell to run dmesg
|
|
allow shell kernel:system syslog_read;
|
|
|
|
# allow shell access to services
|
|
allow shell servicemanager:service_manager list;
|
|
# don't allow shell to access GateKeeper service
|
|
allow shell { service_manager_type -gatekeeper_service }:service_manager find;
|
|
service_manager_local_audit_domain(shell)
|
|
|
|
# allow shell to look through /proc/ for ps, top
|
|
allow shell domain:dir { search open read getattr };
|
|
allow shell domain:{ file lnk_file } { open read getattr };
|
|
|
|
# allow shell to read /proc/pid/attr/current for ps -Z
|
|
allow shell domain:process getattr;
|
|
|
|
# enable shell domain to read/write files/dirs for bootchart data
|
|
# User will creates the start and stop file via adb shell
|
|
# and read other files created by init process under /data/bootchart
|
|
allow shell bootchart_data_file:dir rw_dir_perms;
|
|
allow shell bootchart_data_file:file create_file_perms;
|
|
|
|
# Do not allow shell to hard link to any files.
|
|
# In particular, if shell hard links to app data
|
|
# files, installd will not be able to guarantee the deletion
|
|
# of the linked to file. Hard links also contribute to security
|
|
# bugs, so we want to ensure the shell user never has this
|
|
# capability.
|
|
neverallow shell file_type:file link;
|