• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1# Domain for shell processes spawned by ADB or console service.
2type shell, domain, mlstrustedsubject;
3type shell_exec, system_file_type, exec_type, file_type;
4
5# Create and use network sockets.
6net_domain(shell)
7
8# logcat
9read_logd(shell)
10control_logd(shell)
11# logcat -L (directly, or via dumpstate)
12allow shell pstorefs:dir search;
13allow shell pstorefs:file r_file_perms;
14
15# Root fs.
16allow shell rootfs:dir r_dir_perms;
17
18# read files in /data/anr
19allow shell anr_data_file:dir r_dir_perms;
20allow shell anr_data_file:file r_file_perms;
21
22# Access /data/local/tmp.
23allow shell shell_data_file:dir create_dir_perms;
24allow shell shell_data_file:file create_file_perms;
25allow shell shell_data_file:file rx_file_perms;
26allow shell shell_data_file:lnk_file create_file_perms;
27
28# Read and delete from /data/local/traces.
29allow shell trace_data_file:file { r_file_perms unlink };
30allow shell trace_data_file:dir { r_dir_perms remove_name write };
31
32# Access /data/misc/profman.
33allow shell profman_dump_data_file:dir { write remove_name r_dir_perms };
34allow shell profman_dump_data_file:file { unlink r_file_perms };
35
36# Read/execute files in /data/nativetest
37userdebug_or_eng(`
38  allow shell nativetest_data_file:dir r_dir_perms;
39  allow shell nativetest_data_file:file rx_file_perms;
40')
41
42# adb bugreport
43unix_socket_connect(shell, dumpstate, dumpstate)
44
45allow shell devpts:chr_file rw_file_perms;
46allow shell tty_device:chr_file rw_file_perms;
47allow shell console_device:chr_file rw_file_perms;
48
49allow shell input_device:dir r_dir_perms;
50allow shell input_device:chr_file r_file_perms;
51
52r_dir_file(shell, system_file)
53allow shell system_file:file x_file_perms;
54allow shell toolbox_exec:file rx_file_perms;
55allow shell tzdatacheck_exec:file rx_file_perms;
56allow shell shell_exec:file rx_file_perms;
57allow shell zygote_exec:file rx_file_perms;
58
59r_dir_file(shell, apk_data_file)
60
61# Set properties.
62set_prop(shell, shell_prop)
63set_prop(shell, ctl_bugreport_prop)
64set_prop(shell, ctl_dumpstate_prop)
65set_prop(shell, dumpstate_prop)
66set_prop(shell, exported_dumpstate_prop)
67set_prop(shell, debug_prop)
68set_prop(shell, powerctl_prop)
69set_prop(shell, log_tag_prop)
70set_prop(shell, wifi_log_prop)
71# Allow shell to start/stop traced via the persist.traced.enable
72# property (which also takes care of /data/misc initialization).
73set_prop(shell, traced_enabled_prop)
74# adjust is_loggable properties
75userdebug_or_eng(`set_prop(shell, log_prop)')
76# logpersist script
77userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)')
78# Allow shell to start/stop heapprofd via the persist.heapprofd.enable
79# property.
80set_prop(shell, heapprofd_enabled_prop)
81# Allow shell to start/stop gsid via ctl.start|stop|restart gsid.
82set_prop(shell, ctl_gsid_prop)
83# Allow shell to enable Dynamic System Update
84set_prop(shell, dynamic_system_prop)
85
86userdebug_or_eng(`
87  # "systrace --boot" support - allow boottrace service to run
88  allow shell boottrace_data_file:dir rw_dir_perms;
89  allow shell boottrace_data_file:file create_file_perms;
90  set_prop(shell, persist_debug_prop)
91')
92
93# Read device's serial number from system properties
94get_prop(shell, serialno_prop)
95
96# Allow shell to read the vendor security patch level for CTS
97get_prop(shell, vendor_security_patch_level_prop)
98
99# Read state of logging-related properties
100get_prop(shell, device_logging_prop)
101
102# Read state of boot reason properties
103get_prop(shell, bootloader_boot_reason_prop)
104get_prop(shell, last_boot_reason_prop)
105get_prop(shell, system_boot_reason_prop)
106
107# allow shell access to services
108allow shell servicemanager:service_manager list;
109# don't allow shell to access GateKeeper service
110# TODO: why is this so broad? Tightening candidate? It needs at list:
111# - dumpstate_service (so it can receive dumpstate progress updates)
112allow shell {
113  service_manager_type
114  -apex_service
115  -dnsresolver_service
116  -gatekeeper_service
117  -incident_service
118  -installd_service
119  -iorapd_service
120  -netd_service
121  -system_suspend_control_service
122  -virtual_touchpad_service
123  -vold_service
124  -vr_hwc_service
125}:service_manager find;
126allow shell dumpstate:binder call;
127
128# allow shell to get information from hwservicemanager
129# for instance, listing hardware services with lshal
130hwbinder_use(shell)
131allow shell hwservicemanager:hwservice_manager list;
132
133# allow shell to look through /proc/ for lsmod, ps, top, netstat.
134r_dir_file(shell, proc_net_type)
135
136allow shell {
137  proc_asound
138  proc_filesystems
139  proc_interrupts
140  proc_loadavg # b/124024827
141  proc_meminfo
142  proc_modules
143  proc_pid_max
144  proc_slabinfo
145  proc_stat
146  proc_timer
147  proc_uptime
148  proc_version
149  proc_zoneinfo
150}:file r_file_perms;
151
152# allow listing network interfaces under /sys/class/net.
153allow shell sysfs_net:dir r_dir_perms;
154
155r_dir_file(shell, cgroup)
156allow shell domain:dir { search open read getattr };
157allow shell domain:{ file lnk_file } { open read getattr };
158
159# statvfs() of /proc and other labeled filesystems
160# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs, overlay)
161allow shell { proc labeledfs }:filesystem getattr;
162
163# stat() of /dev
164allow shell device:dir getattr;
165
166# allow shell to read /proc/pid/attr/current for ps -Z
167allow shell domain:process getattr;
168
169# Allow pulling the SELinux policy for CTS purposes
170allow shell selinuxfs:dir r_dir_perms;
171allow shell selinuxfs:file r_file_perms;
172
173# enable shell domain to read/write files/dirs for bootchart data
174# User will creates the start and stop file via adb shell
175# and read other files created by init process under /data/bootchart
176allow shell bootchart_data_file:dir rw_dir_perms;
177allow shell bootchart_data_file:file create_file_perms;
178
179# Make sure strace works for the non-privileged shell user
180allow shell self:process ptrace;
181
182# allow shell to get battery info
183allow shell sysfs:dir r_dir_perms;
184allow shell sysfs_batteryinfo:dir r_dir_perms;
185allow shell sysfs_batteryinfo:file r_file_perms;
186
187# Allow access to ion memory allocation device.
188allow shell ion_device:chr_file rw_file_perms;
189
190#
191# filesystem test for insecure chr_file's is done
192# via a host side test
193#
194allow shell dev_type:dir r_dir_perms;
195allow shell dev_type:chr_file getattr;
196
197# /dev/fd is a symlink
198allow shell proc:lnk_file getattr;
199
200#
201# filesystem test for insucre blk_file's is done
202# via hostside test
203#
204allow shell dev_type:blk_file getattr;
205
206# read selinux policy files
207allow shell file_contexts_file:file r_file_perms;
208allow shell property_contexts_file:file r_file_perms;
209allow shell seapp_contexts_file:file r_file_perms;
210allow shell service_contexts_file:file r_file_perms;
211allow shell sepolicy_file:file r_file_perms;
212
213# Allow shell to start up vendor shell
214allow shell vendor_shell_exec:file rx_file_perms;
215
216# Everything is labeled as rootfs in recovery mode. Allow shell to
217# execute them.
218recovery_only(`
219  allow shell rootfs:file rx_file_perms;
220')
221
222###
223### Neverallow rules
224###
225
226# Do not allow shell to hard link to any files.
227# In particular, if shell hard links to app data
228# files, installd will not be able to guarantee the deletion
229# of the linked to file. Hard links also contribute to security
230# bugs, so we want to ensure the shell user never has this
231# capability.
232neverallow shell file_type:file link;
233
234# Do not allow privileged socket ioctl commands
235neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
236
237# limit shell access to sensitive char drivers to
238# only getattr required for host side test.
239neverallow shell {
240  fuse_device
241  hw_random_device
242  port_device
243}:chr_file ~getattr;
244
245# Limit shell to only getattr on blk devices for host side tests.
246neverallow shell dev_type:blk_file ~getattr;
247
248# b/30861057: Shell access to existing input devices is an abuse
249# vector. The shell user can inject events that look like they
250# originate from the touchscreen etc.
251# Everyone should have already moved to UiAutomation#injectInputEvent
252# if they are running instrumentation tests (i.e. CTS), Monkey for
253# their stress tests, and the input command (adb shell input ...) for
254# injecting swipes and things.
255neverallow shell input_device:chr_file no_w_file_perms;
256