1# Domain for shell processes spawned by ADB or console service. 2type shell, domain, mlstrustedsubject; 3type shell_exec, system_file_type, exec_type, file_type; 4 5# Create and use network sockets. 6net_domain(shell) 7 8# logcat 9read_logd(shell) 10control_logd(shell) 11# logcat -L (directly, or via dumpstate) 12allow shell pstorefs:dir search; 13allow shell pstorefs:file r_file_perms; 14 15# Root fs. 16allow shell rootfs:dir r_dir_perms; 17 18# read files in /data/anr 19allow shell anr_data_file:dir r_dir_perms; 20allow shell anr_data_file:file r_file_perms; 21 22# Access /data/local/tmp. 23allow shell shell_data_file:dir create_dir_perms; 24allow shell shell_data_file:file create_file_perms; 25allow shell shell_data_file:file rx_file_perms; 26allow shell shell_data_file:lnk_file create_file_perms; 27 28# Access /data/local/tests. 29allow shell shell_test_data_file:dir create_dir_perms; 30allow shell shell_test_data_file:file create_file_perms; 31allow shell shell_test_data_file:file rx_file_perms; 32allow shell shell_test_data_file:lnk_file create_file_perms; 33allow shell shell_test_data_file:sock_file create_file_perms; 34 35# Read and delete from /data/local/traces. 36allow shell trace_data_file:file { r_file_perms unlink }; 37allow shell trace_data_file:dir { r_dir_perms remove_name write }; 38 39# Access /data/misc/profman. 40allow shell profman_dump_data_file:dir { write remove_name r_dir_perms }; 41allow shell profman_dump_data_file:file { unlink r_file_perms }; 42 43# Read/execute files in /data/nativetest 44userdebug_or_eng(` 45 allow shell nativetest_data_file:dir r_dir_perms; 46 allow shell nativetest_data_file:file rx_file_perms; 47') 48 49# adb bugreport 50unix_socket_connect(shell, dumpstate, dumpstate) 51 52allow shell devpts:chr_file rw_file_perms; 53allow shell tty_device:chr_file rw_file_perms; 54allow shell console_device:chr_file rw_file_perms; 55 56allow shell input_device:dir r_dir_perms; 57allow shell input_device:chr_file r_file_perms; 58 59r_dir_file(shell, system_file) 60allow shell system_file:file x_file_perms; 61allow shell toolbox_exec:file rx_file_perms; 62allow shell tzdatacheck_exec:file rx_file_perms; 63allow shell shell_exec:file rx_file_perms; 64allow shell zygote_exec:file rx_file_perms; 65 66r_dir_file(shell, apk_data_file) 67 68userdebug_or_eng(` 69 # "systrace --boot" support - allow boottrace service to run 70 allow shell boottrace_data_file:dir rw_dir_perms; 71 allow shell boottrace_data_file:file create_file_perms; 72') 73 74# allow shell access to services 75allow shell servicemanager:service_manager list; 76# don't allow shell to access GateKeeper service 77# TODO: why is this so broad? Tightening candidate? It needs at list: 78# - dumpstate_service (so it can receive dumpstate progress updates) 79allow shell { 80 service_manager_type 81 -apex_service 82 -dnsresolver_service 83 -gatekeeper_service 84 -incident_service 85 -installd_service 86 -iorapd_service 87 -netd_service 88 -system_suspend_control_internal_service 89 -system_suspend_control_service 90 -virtual_touchpad_service 91 -vold_service 92 -vr_hwc_service 93 -default_android_service 94}:service_manager find; 95allow shell dumpstate:binder call; 96 97# allow shell to get information from hwservicemanager 98# for instance, listing hardware services with lshal 99hwbinder_use(shell) 100allow shell hwservicemanager:hwservice_manager list; 101 102# allow shell to look through /proc/ for lsmod, ps, top, netstat, vmstat. 103r_dir_file(shell, proc_net_type) 104 105allow shell { 106 proc_asound 107 proc_filesystems 108 proc_interrupts 109 proc_loadavg # b/124024827 110 proc_meminfo 111 proc_modules 112 proc_pid_max 113 proc_slabinfo 114 proc_stat 115 proc_timer 116 proc_uptime 117 proc_version 118 proc_vmstat 119 proc_zoneinfo 120}:file r_file_perms; 121 122# allow listing network interfaces under /sys/class/net. 123allow shell sysfs_net:dir r_dir_perms; 124 125r_dir_file(shell, cgroup) 126allow shell cgroup_desc_file:file r_file_perms; 127allow shell cgroup_desc_api_file:file r_file_perms; 128allow shell vendor_cgroup_desc_file:file r_file_perms; 129r_dir_file(shell, cgroup_v2) 130allow shell domain:dir { search open read getattr }; 131allow shell domain:{ file lnk_file } { open read getattr }; 132 133# statvfs() of /proc and other labeled filesystems 134# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs, overlay) 135allow shell { proc labeledfs }:filesystem getattr; 136 137# stat() of /dev 138allow shell device:dir getattr; 139 140# allow shell to read /proc/pid/attr/current for ps -Z 141allow shell domain:process getattr; 142 143# Allow pulling the SELinux policy for CTS purposes 144allow shell selinuxfs:dir r_dir_perms; 145allow shell selinuxfs:file r_file_perms; 146 147# enable shell domain to read/write files/dirs for bootchart data 148# User will creates the start and stop file via adb shell 149# and read other files created by init process under /data/bootchart 150allow shell bootchart_data_file:dir rw_dir_perms; 151allow shell bootchart_data_file:file create_file_perms; 152 153# Make sure strace works for the non-privileged shell user 154allow shell self:process ptrace; 155 156# allow shell to get battery info 157allow shell sysfs:dir r_dir_perms; 158allow shell sysfs_batteryinfo:dir r_dir_perms; 159allow shell sysfs_batteryinfo:file r_file_perms; 160 161# allow shell to list /sys/class/block/ to get storage type for CTS 162allow shell sysfs_block:dir r_dir_perms; 163 164# Allow access to ion memory allocation device. 165allow shell ion_device:chr_file rw_file_perms; 166 167# 168# filesystem test for insecure chr_file's is done 169# via a host side test 170# 171allow shell dev_type:dir r_dir_perms; 172allow shell dev_type:chr_file getattr; 173 174# /dev/fd is a symlink 175allow shell proc:lnk_file getattr; 176 177# 178# filesystem test for insucre blk_file's is done 179# via hostside test 180# 181allow shell dev_type:blk_file getattr; 182 183# read selinux policy files 184allow shell file_contexts_file:file r_file_perms; 185allow shell property_contexts_file:file r_file_perms; 186allow shell seapp_contexts_file:file r_file_perms; 187allow shell service_contexts_file:file r_file_perms; 188allow shell sepolicy_file:file r_file_perms; 189 190# Allow shell to start up vendor shell 191allow shell vendor_shell_exec:file rx_file_perms; 192 193# Everything is labeled as rootfs in recovery mode. Allow shell to 194# execute them. 195recovery_only(` 196 allow shell rootfs:file rx_file_perms; 197') 198 199### 200### Neverallow rules 201### 202 203# Do not allow shell to hard link to any files. 204# In particular, if shell hard links to app data 205# files, installd will not be able to guarantee the deletion 206# of the linked to file. Hard links also contribute to security 207# bugs, so we want to ensure the shell user never has this 208# capability. 209neverallow shell file_type:file link; 210 211# Do not allow privileged socket ioctl commands 212neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls; 213 214# limit shell access to sensitive char drivers to 215# only getattr required for host side test. 216neverallow shell { 217 fuse_device 218 hw_random_device 219 port_device 220}:chr_file ~getattr; 221 222# Limit shell to only getattr on blk devices for host side tests. 223neverallow shell dev_type:blk_file ~getattr; 224 225# b/30861057: Shell access to existing input devices is an abuse 226# vector. The shell user can inject events that look like they 227# originate from the touchscreen etc. 228# Everyone should have already moved to UiAutomation#injectInputEvent 229# if they are running instrumentation tests (i.e. CTS), Monkey for 230# their stress tests, and the input command (adb shell input ...) for 231# injecting swipes and things. 232neverallow shell input_device:chr_file no_w_file_perms; 233