# Policy for the `shell` domain (the adb shell user's process context).
# The `type shell` declaration itself is not in this file; this file only
# attaches attributes and grants or forbids access.
# NOTE(review): keep the "Neverallow rules" section at the bottom in mind
# when adding allow rules here -- the policy compiler rejects any allow rule
# that contradicts a neverallow.
#
# coredomain: attribute shared by core (non-vendor) domains.
# mlstrustedsubject: exempts the domain from MLS constraints.
typeattribute shell coredomain, mlstrustedsubject;

# allow shell input injection
# (compare the input_device neverallow at the end of this file, which forbids
# writing to existing input devices; uhid_device is a separate type.)
allow shell uhid_device:chr_file rw_file_perms;

# systrace support - allow atrace to run
allow shell debugfs_tracing_debug:dir r_dir_perms;
allow shell debugfs_tracing:dir r_dir_perms;
allow shell debugfs_tracing:file rw_file_perms;
allow shell debugfs_trace_marker:file getattr;
allow shell atrace_exec:file rx_file_perms;

# userdebug_or_eng(...) expands only on userdebug and eng builds; on user
# builds the enclosed rules do not exist.
userdebug_or_eng(`
  allow shell debugfs_tracing_debug:file rw_file_perms;
')

# read config.gz for CTS purposes
allow shell config_gz:file r_file_perms;

# allow reading tombstones. users can already use bugreports to get those.
allow shell tombstone_data_file:dir r_dir_perms;
allow shell tombstone_data_file:file r_file_perms;

# Run app_process.
# XXX Transition into its own domain?
app_domain(shell)

# allow shell to call dumpsys storaged
binder_call(shell, storaged)

# Perform SELinux access checks, needed for CTS
selinux_check_access(shell)
selinux_check_context(shell)

# Control Perfetto traced and obtain traces from it.
# Needed for Studio and debugging.
unix_socket_connect(shell, traced_consumer, traced)

# Allow shell binaries to write trace data to Perfetto. Used for testing and
# cmdline utils.
perfetto_producer(shell)

# Executing vendor_shell_exec transitions into the vendor_shell domain
# (see also the rx_file_perms rule on vendor_shell_exec further down).
domain_auto_trans(shell, vendor_shell_exec, vendor_shell)

# Allow shell to execute tradeinmode for testing.
domain_auto_trans(shell, tradeinmode_exec, tradeinmode)

# Allow shell binaries to exec the perfetto cmdline util and have that
# transition into its own domain, so that it behaves consistently to
# when exec()-d by statsd.
domain_auto_trans(shell, perfetto_exec, perfetto)
# Allow to send SIGINT to perfetto when daemonized.
allow shell perfetto:process signal;

# Allow shell to run adb shell cmd stats commands. Needed for CTS.
binder_call(shell, statsd);

# Allow shell to read and unlink traces stored in /data/misc/a11ytraces.
userdebug_or_eng(`
  allow shell accessibility_trace_data_file:dir rw_dir_perms;
  allow shell accessibility_trace_data_file:file { r_file_perms unlink };
')

# Allow shell to read and unlink traces stored in /data/misc/perfetto-traces.
allow shell perfetto_traces_data_file:dir rw_dir_perms;
allow shell perfetto_traces_data_file:file { r_file_perms unlink };
# ... and /data/misc/perfetto-traces/bugreport/ .
allow shell perfetto_traces_bugreport_data_file:dir rw_dir_perms;
allow shell perfetto_traces_bugreport_data_file:file { r_file_perms unlink };
# ... and /data/misc/perfetto-traces/profiling/ .
allow shell perfetto_traces_profiling_data_file:dir rw_dir_perms;
allow shell perfetto_traces_profiling_data_file:file { r_file_perms unlink };

# Allow shell to create/remove configs stored in /data/misc/perfetto-configs.
# Unlike the trace directories above, config files get full create_file_perms
# (shell can author configs, not only read and delete them).
allow shell perfetto_configs_data_file:dir rw_dir_perms;
allow shell perfetto_configs_data_file:file create_file_perms;

# Allow shell to run adb shell cmd gpu commands.
binder_call(shell, gpuservice);

# Allow shell to use atrace HAL
hal_client_domain(shell, hal_atrace)

# For hostside tests such as CTS listening ports test.
allow shell proc_net_tcp_udp:file r_file_perms;

# The dl.exec_linker* tests need to execute /system/bin/linker
# b/124789393
allow shell system_linker_exec:file rx_file_perms;

# Renderscript host side tests depend on being able to execute
# /system/bin/bcc (b/126388046)
allow shell rs_exec:file rx_file_perms;

# Allow (host-driven) ART run-tests to execute dex2oat, in order to
# check ART's compiler.
allow shell dex2oat_exec:file rx_file_perms;
allow shell dex2oat_exec:lnk_file read;

# Allow shell to start and communicate with lpdumpd.
set_prop(shell, lpdumpd_prop);
binder_call(shell, lpdumpd)

# Allow shell to set and read value of properties used for CTS tests of
# userspace reboot
set_prop(shell, userspace_reboot_test_prop)

# Allow shell to set this property to disable charging.
set_prop(shell, power_debug_prop)

# Allow shell to set this property used for rollback tests
set_prop(shell, rollback_test_prop)

# Allow shell to set RKP properties for testing purposes
set_prop(shell, remote_prov_prop)

# Allow shell to enable 16 KB backcompat globally.
set_prop(shell, bionic_linker_16kb_app_compat_prop)

# Allow shell to disable compat in package manager
set_prop(shell, pm_16kb_app_compat_prop)

# Allow shell to get encryption policy of /data/local/tmp/, for CTS
# allowxperm narrows the generic ioctl permission on shell_data_file dirs
# (presumably granted via create_dir_perms under "Access /data/local/tmp."
# below) to exactly these two GET commands; any other ioctl is denied.
allowxperm shell shell_data_file:dir ioctl {
  FS_IOC_GET_ENCRYPTION_POLICY
  FS_IOC_GET_ENCRYPTION_POLICY_EX
};

# Allow shell to execute simpleperf without a domain transition.
allow shell simpleperf_exec:file rx_file_perms;

userdebug_or_eng(`
  # Allow shell to execute profcollectctl without a domain transition.
  allow shell profcollectd_exec:file rx_file_perms;

  # Allow shell to read profcollectd data files.
  r_dir_file(shell, profcollectd_data_file)

  # Allow to issue control commands to profcollectd binder service.
  allow shell profcollectd:binder call;
')

# Allow shell to run remount command.
allow shell remount_exec:file rx_file_perms;

# Allow shell to call perf_event_open for profiling other shell processes, but
# not the whole system.
# The neverallow near the end of this file caps shell's perf_event permissions
# at { open read write kernel }; `kernel` is not granted here.
allow shell self:perf_event { open read write };

# Allow shell to read microdroid vendor image
r_dir_file(shell, vendor_microdroid_file)

# Allow shell to read /apex/apex-info-list.xml and the vendor apexes
allow shell apex_info_file:file r_file_perms;
allow shell vendor_apex_file:file r_file_perms;
allow shell vendor_apex_file:dir r_dir_perms;
allow shell vendor_apex_metadata_file:dir r_dir_perms;

# Allow shell to read updated APEXes under /data/apex
allow shell apex_data_file:dir search;
allow shell staging_data_file:file r_file_perms;

# Set properties.
set_prop(shell, shell_prop)
set_prop(shell, ctl_bugreport_prop)
set_prop(shell, ctl_dumpstate_prop)
set_prop(shell, dumpstate_prop)
set_prop(shell, exported_dumpstate_prop)
set_prop(shell, debug_prop)
set_prop(shell, perf_drop_caches_prop)
set_prop(shell, powerctl_prop)
set_prop(shell, log_tag_prop)
set_prop(shell, wifi_log_prop)
# Allow shell to start/stop traced via the persist.traced.enable
# property (which also takes care of /data/misc initialization).
set_prop(shell, traced_enabled_prop)
# adjust SELinux audit rates
set_prop(shell, logd_auditrate_prop)
# adjust is_loggable properties
userdebug_or_eng(`set_prop(shell, log_prop)')
# logpersist script
userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)')
# Allow shell to start/stop heapprofd via the persist.heapprofd.enable
# property.
set_prop(shell, heapprofd_enabled_prop)
# Allow shell to start/stop traced_perf via the persist.traced_perf.enable
# property.
set_prop(shell, traced_perf_enabled_prop)
# Allow shell to start/stop gsid via ctl.start|stop|restart gsid.
set_prop(shell, ctl_gsid_prop)
set_prop(shell, ctl_snapuserd_prop)
# Allow shell to start/stop prefetch
set_prop(shell, ctl_prefetch_prop)
# Allow shell to enable Dynamic System Update
set_prop(shell, dynamic_system_prop)
# Allow shell to mock an OTA using persist.pm.mock-upgrade
set_prop(shell, mock_ota_prop)

# Read device's serial number from system properties
get_prop(shell, serialno_prop)

# Allow shell to read the vendor security patch level for CTS
get_prop(shell, vendor_security_patch_level_prop)

# Read state of logging-related properties
get_prop(shell, device_logging_prop)

# Read state of boot reason properties
get_prop(shell, bootloader_boot_reason_prop)
get_prop(shell, last_boot_reason_prop)
get_prop(shell, system_boot_reason_prop)

# Allow shell to execute the remote key provisioning factory tool
# (binder_call only: finding hal_keymint_service through servicemanager is
# still excluded from the service_manager find rule below and pinned by a
# neverallow at the end of this file).
binder_call(shell, hal_keymint)
# Allow shell to run the AVF RKP HAL during the execution of the remote key
# provisioning factory tool.
# TODO(b/351113293): Remove this once the AVF RKP HAL registration is moved to
# a separate process.
binder_call(shell, virtualizationservice)
# Allow the shell to inspect whether AVF remote attestation is supported
# through the system property.
get_prop(shell, avf_virtualizationservice_prop)

# Allow reading the outcome of perf_event_open LSM support test for CTS.
get_prop(shell, init_perf_lsm_hooks_prop)

# Allow shell to read boot image timestamps and fingerprints.
get_prop(shell, build_bootimage_prop)

# Allow shell to read odsign verification properties
get_prop(shell, odsign_prop)

userdebug_or_eng(`set_prop(shell, persist_debug_prop)')

# Allow shell to read the keystore key contexts files. Used by native tests to test label lookup.
allow shell keystore2_key_contexts_file:file r_file_perms;

# Allow shell to access the keystore2_key namespace shell_key.
# Mainly used for native tests.
allow shell shell_key:keystore2_key { delete rebind use get_info update };

# Allow shell to open and execute memfd files for minijail unit tests.
userdebug_or_eng(`
  allow shell appdomain_tmpfs:file { open execute_no_trans };
')

# Allow shell to write db.log.detailed, db.log.slow_query_threshold*
set_prop(shell, sqlite_log_prop)

# Allow shell to write MTE properties even on user builds.
set_prop(shell, arm64_memtag_prop)
set_prop(shell, permissive_mte_prop)

# Allow shell to write kcmdline properties even on user builds.
set_prop(shell, kcmdline_prop)

# Allow shell to read the dm-verity props on user builds.
get_prop(shell, verity_status_prop)

# Allow shell to read Virtual A/B related properties
get_prop(shell, virtual_ab_prop)

# Allow ReadDefaultFstab() for CTS.
read_fstab(shell)

# Allow shell read access to /apex/apex-info-list.xml for CTS.
# NOTE(review): duplicates the apex_info_file rule under "Allow shell to read
# /apex/apex-info-list.xml and the vendor apexes" above; allow rules are
# additive so this is harmless, but one of the two can be dropped.
allow shell apex_info_file:file r_file_perms;

# Let the shell user call virtualizationservice (and
# virtualizationservice call back to shell) for debugging.
virtualizationservice_use(shell)

# Allow shell to set persist.wm.debug properties
userdebug_or_eng(`set_prop(shell, persist_wm_debug_prop)')

# Allow shell to write GWP-ASan properties even on user builds.
set_prop(shell, gwp_asan_prop)

# Allow shell to set persist.sysui.notification.builder_extras_override property
userdebug_or_eng(`set_prop(shell, persist_sysui_builder_extras_prop)')
# Allow shell to set persist.sysui.notification.ranking_update_ashmem property
userdebug_or_eng(`set_prop(shell, persist_sysui_ranking_update_prop)')

# Allow shell to read the build properties for attestation feature
get_prop(shell, build_attestation_prop)

# Allow shell to execute oatdump.
# TODO (b/350628688): Remove this once it's safe to do so.
allow shell oatdump_exec:file rx_file_perms;

# Create and use network sockets.
net_domain(shell)

# logcat
read_logd(shell)
control_logd(shell)
get_prop(shell, logd_prop)
# logcat -L (directly, or via dumpstate)
allow shell pstorefs:dir search;
allow shell pstorefs:file r_file_perms;

# Root fs.
allow shell rootfs:dir r_dir_perms;

# read files in /data/anr
allow shell anr_data_file:dir r_dir_perms;
allow shell anr_data_file:file r_file_perms;

# Access /data/local/tmp.
# rx_file_perms means binaries placed here can be executed by the shell user
# without a domain transition.
allow shell shell_data_file:dir create_dir_perms;
allow shell shell_data_file:file create_file_perms;
allow shell shell_data_file:file rx_file_perms;
allow shell shell_data_file:lnk_file create_file_perms;

# Access /data/local/tests.
allow shell shell_test_data_file:dir create_dir_perms;
allow shell shell_test_data_file:file create_file_perms;
allow shell shell_test_data_file:file rx_file_perms;
allow shell shell_test_data_file:lnk_file create_file_perms;
allow shell shell_test_data_file:sock_file create_file_perms;

# Read and delete from /data/local/traces.
allow shell trace_data_file:file { r_file_perms unlink };
allow shell trace_data_file:dir { r_dir_perms remove_name write };

# Access /data/misc/profman.
allow shell profman_dump_data_file:dir { write remove_name r_dir_perms };
allow shell profman_dump_data_file:file { unlink r_file_perms };

# Read/execute files in /data/nativetest
userdebug_or_eng(`
  allow shell nativetest_data_file:dir r_dir_perms;
  allow shell nativetest_data_file:file rx_file_perms;
')

# adb bugreport
unix_socket_connect(shell, dumpstate, dumpstate)

# Terminal devices.
allow shell devpts:chr_file rw_file_perms;
allow shell tty_device:chr_file rw_file_perms;
allow shell console_device:chr_file rw_file_perms;

# Input devices: read-only here. The input_device neverallow at the end of
# this file guarantees shell can never be granted write access to them.
allow shell input_device:dir r_dir_perms;
allow shell input_device:chr_file r_file_perms;

# Read system_file-labelled content (presumably /system) and execute it; the
# exec types below are granted read+execute explicitly.
r_dir_file(shell, system_file)
allow shell system_file:file x_file_perms;
allow shell toolbox_exec:file rx_file_perms;
allow shell shell_exec:file rx_file_perms;
allow shell zygote_exec:file rx_file_perms;

userdebug_or_eng(`
  # "systrace --boot" support - allow boottrace service to run
  allow shell boottrace_data_file:dir rw_dir_perms;
  allow shell boottrace_data_file:file create_file_perms;
')

# allow shell access to services
allow shell servicemanager:service_manager list;
# don't allow shell to access GateKeeper service
# TODO: why is this so broad? Tightening candidate? It needs at least:
# - dumpstate_service (so it can receive dumpstate progress updates)
# Each name with a leading '-' is subtracted from service_manager_type, i.e.
# shell may find every registered service except those. The security-HAL and
# virtualization_service exclusions are additionally pinned by a neverallow at
# the end of this file, so they cannot be re-added by accident.
allow shell {
  service_manager_type
  -apex_service
  -dnsresolver_service
  -gatekeeper_service
  -hal_keymint_service
  -hal_secureclock_service
  -hal_sharedsecret_service
  -incident_service
  -installd_service
  -mdns_service
  -netd_service
  -system_suspend_control_internal_service
  -system_suspend_control_service
  -virtual_touchpad_service
  -vold_service
  -default_android_service
  -virtualization_service
}:service_manager find;
allow shell dumpstate:binder call;

# allow shell to get information from hwservicemanager
# for instance, listing hardware services with lshal
hwbinder_use(shell)
allow shell hwservicemanager:hwservice_manager list;

# allow shell to look through /proc/ for lsmod, ps, top, netstat, vmstat.
r_dir_file(shell, proc_net_type)

allow shell {
  proc_asound
  proc_cgroups
  proc_filesystems
  proc_interrupts
  proc_loadavg # b/124024827
  proc_meminfo
  proc_modules
  proc_pid_max
  proc_slabinfo
  proc_stat
  proc_timer
  proc_uptime
  proc_version
  proc_vmstat
  proc_zoneinfo
}:file r_file_perms;

# allow listing network interfaces under /sys/class/net.
allow shell sysfs_net:dir r_dir_perms;

r_dir_file(shell, cgroup)
allow shell cgroup_desc_file:file r_file_perms;
allow shell vendor_cgroup_desc_file:file r_file_perms;
r_dir_file(shell, cgroup_v2)
# Read/getattr-only access to dirs, files and symlinks labelled with any
# domain (presumably the /proc/<pid> trees used by ps, top, etc.); no write.
allow shell domain:dir { search open read getattr };
allow shell domain:{ file lnk_file } { open read getattr };

# statvfs() of /proc and other labeled filesystems
# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs, overlay)
allow shell { proc labeledfs }:filesystem getattr;

# stat() of /dev
allow shell device:dir getattr;

# allow shell to read /proc/pid/attr/current for ps -Z
allow shell domain:process getattr;

# Allow pulling the SELinux policy for CTS purposes
allow shell selinuxfs:dir r_dir_perms;
allow shell selinuxfs:file r_file_perms;

# enable shell domain to read/write files/dirs for bootchart data
# User creates the start and stop file via adb shell
# and reads other files created by init process under /data/bootchart
allow shell bootchart_data_file:dir rw_dir_perms;
allow shell bootchart_data_file:file create_file_perms;

# Make sure strace works for the non-privileged shell user
# (self only: shell may trace its own processes, not other domains).
allow shell self:process ptrace;

# allow shell to get battery info
allow shell sysfs:dir r_dir_perms;
allow shell sysfs_batteryinfo:dir r_dir_perms;
allow shell sysfs_batteryinfo:file r_file_perms;

# Allow reads (but not writes) of the MGLRU state
allow shell sysfs_lru_gen_enabled:file r_file_perms;

# Allow reads (but not writes) of mem_sleep to determine suspend mechanism
allow shell sysfs_mem_sleep:file r_file_perms;

# Allow communicating with the VM terminal.
# The allowxperm limits ioctl on this pty to the unpriv_tty_ioctls set.
userdebug_or_eng(`
  allow shell vmlauncher_app_devpts:chr_file rw_file_perms;
  allowxperm shell vmlauncher_app_devpts:chr_file ioctl unpriv_tty_ioctls;
')

# Allow CTS to check whether AVF debug policy is installed
allow shell { proc_dt_avf sysfs_dt_avf }:dir search;

# Allow access to ion memory allocation device.
allow shell ion_device:chr_file rw_file_perms;

#
# filesystem test for insecure chr_file's is done
# via a host side test
#
# getattr only (no open/read/write) across every device node type; the
# neverallow section below makes getattr the hard limit for the sensitive
# drivers listed there.
allow shell dev_type:dir r_dir_perms;
allow shell dev_type:chr_file getattr;

# /dev/fd is a symlink
allow shell proc:lnk_file getattr;

#
# filesystem test for insecure blk_file's is done
# via hostside test
#
allow shell dev_type:blk_file getattr;

# read selinux policy files
allow shell file_contexts_file:file r_file_perms;
allow shell property_contexts_file:file r_file_perms;
allow shell seapp_contexts_file:file r_file_perms;
allow shell service_contexts_file:file r_file_perms;
allow shell sepolicy_file:file r_file_perms;

# Allow shell to start up vendor shell
# (the domain_auto_trans(shell, vendor_shell_exec, vendor_shell) rule near the
# top of this file makes that exec transition into vendor_shell).
allow shell vendor_shell_exec:file rx_file_perms;

# Only compiled in when the named release flag is enabled.
is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
  allow shell linux_vm_setup_exec:file { entrypoint r_file_perms };
')

allow shell tee_service_contexts_file:file r_file_perms;
allow shell test_pkvm_tee_service:tee_service use;

# Everything is labeled as rootfs in recovery mode. Allow shell to
# execute them.
recovery_only(`
  allow shell rootfs:file rx_file_perms;
')

###
### Neverallow rules
###
# neverallow rules are compile-time assertions: the policy build fails if any
# allow rule, in this file or elsewhere, would grant the listed access.

# Do not allow shell to talk directly to security HAL services other than
# hal_remotelyprovisionedcomponent_service
neverallow shell {
  hal_keymint_service
  hal_secureclock_service
  hal_sharedsecret_service
  virtualization_service
}:service_manager find;

# Do not allow shell to hard link to any files.
# In particular, if shell hard links to app data
# files, installd will not be able to guarantee the deletion
# of the linked to file. Hard links also contribute to security
# bugs, so we want to ensure the shell user never has this
# capability.
neverallow shell file_type:file link;

# Do not allow privileged socket ioctl commands
# (neverallowxperm: the ioctl command numbers in priv_sock_ioctls can never be
# granted to shell on these socket classes, whatever the generic ioctl
# permission says.)
neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;

# limit shell access to sensitive char drivers to
# only getattr required for host side test.
# (`~getattr` = every chr_file permission except getattr.)
neverallow shell {
  fuse_device
  hw_random_device
  port_device
}:chr_file ~getattr;

# Limit shell to only getattr on blk devices for host side tests.
neverallow shell dev_type:blk_file ~getattr;

# b/30861057: Shell access to existing input devices is an abuse
# vector. The shell user can inject events that look like they
# originate from the touchscreen etc.
# Everyone should have already moved to UiAutomation#injectInputEvent
# if they are running instrumentation tests (i.e. CTS), Monkey for
# their stress tests, and the input command (adb shell input ...) for
# injecting swipes and things.
neverallow shell input_device:chr_file no_w_file_perms;

# Matches the self:perf_event allow rule above: anything beyond
# { open read write kernel } is rejected at build time.
neverallow shell self:perf_event ~{ open read write kernel };

# Never allow others to set or get the perf.drop_caches property.
# (Only shell and init are exempt from the set restriction; shell, init and
# dumpstate from the read restriction.)
neverallow { domain -shell -init } perf_drop_caches_prop:property_service set;
neverallow { domain -shell -init -dumpstate } perf_drop_caches_prop:file read;