# SELinux type-enforcement rules for the `shell` domain: shell processes
# spawned by ADB or the console service. This file only declares the two
# types below and grants/denies access for `shell`; the macros it uses
# (net_domain, r_dir_file, set_prop, get_prop, unix_socket_connect,
# hwbinder_use, userdebug_or_eng, ...) are defined elsewhere in the policy
# and are not shown here, so their exact expansion is not documented in
# this file.
#
# Rule order does not matter to the policy compiler; the file is grouped
# by the resource being accessed, with global neverallow constraints at
# the bottom.

# Domain for shell processes spawned by ADB or console service.
type shell, domain, mlstrustedsubject;
type shell_exec, exec_type, file_type;

# Create and use network sockets.
net_domain(shell)

# logcat
read_logd(shell)
control_logd(shell)
# logcat -L (directly, or via dumpstate)
allow shell pstorefs:dir search;
allow shell pstorefs:file r_file_perms;

# Root fs.
allow shell rootfs:dir r_dir_perms;

# read files in /data/anr
allow shell anr_data_file:dir r_dir_perms;
allow shell anr_data_file:file r_file_perms;

# Access /data/local/tmp.
# Note: shell_data_file is granted rx_file_perms as well as
# create_file_perms, i.e. files written here can also be executed.
allow shell shell_data_file:dir create_dir_perms;
allow shell shell_data_file:file create_file_perms;
allow shell shell_data_file:file rx_file_perms;
allow shell shell_data_file:lnk_file create_file_perms;

# Access /data/misc/profman.
# Deliberately narrower than the usual *_perms sets: the shell may list the
# directory and unlink dump files, but not read or create them.
allow shell profman_dump_data_file:dir { search getattr write remove_name };
allow shell profman_dump_data_file:file { getattr unlink };

# Read/execute files in /data/nativetest
# (userdebug/eng builds only)
userdebug_or_eng(`
  allow shell nativetest_data_file:dir r_dir_perms;
  allow shell nativetest_data_file:file rx_file_perms;
')

# adb bugreport
unix_socket_connect(shell, dumpstate, dumpstate)

# Terminal and input devices.
allow shell devpts:chr_file rw_file_perms;
allow shell tty_device:chr_file rw_file_perms;
allow shell console_device:chr_file rw_file_perms;
allow shell input_device:dir r_dir_perms;
allow shell input_device:chr_file rw_file_perms;

# System binaries the shell is allowed to run.
r_dir_file(shell, system_file)
allow shell system_file:file x_file_perms;
allow shell toolbox_exec:file rx_file_perms;
allow shell tzdatacheck_exec:file rx_file_perms;
allow shell shell_exec:file rx_file_perms;
allow shell zygote_exec:file rx_file_perms;

r_dir_file(shell, apk_data_file)

# Set properties.
# Each set_prop grants write access to one property type only; the shell
# cannot set properties outside the types listed here.
set_prop(shell, shell_prop)
set_prop(shell, ctl_bugreport_prop)
set_prop(shell, ctl_dumpstate_prop)
set_prop(shell, dumpstate_prop)
set_prop(shell, debug_prop)
set_prop(shell, powerctl_prop)
set_prop(shell, log_tag_prop)
set_prop(shell, wifi_log_prop)
# adjust is_loggable properties
userdebug_or_eng(`set_prop(shell, log_prop)')
# logpersist script
userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)')

userdebug_or_eng(`
  # "systrace --boot" support - allow boottrace service to run
  allow shell boottrace_data_file:dir rw_dir_perms;
  allow shell boottrace_data_file:file create_file_perms;
  set_prop(shell, persist_debug_prop)
')

# Read device's serial number from system properties
get_prop(shell, serialno_prop)

# Read state of logging-related properties
get_prop(shell, device_logging_prop)

# allow shell access to services
allow shell servicemanager:service_manager list;
# don't allow shell to access GateKeeper service
# TODO: why is this so broad? Tightening candidate? It needs at least:
# - dumpstate_service (so it can receive dumpstate progress updates)
# The rule below is a deny-list: every service_manager_type except the
# named exclusions can be found by the shell. Any newly added service type
# is therefore reachable by default unless it is added to this list.
allow shell { service_manager_type -gatekeeper_service -incident_service -installd_service -netd_service -virtual_touchpad_service -vr_hwc_service }:service_manager find;
allow shell dumpstate:binder call;

# allow shell to get information from hwservicemanager
# for instance, listing hardware services with lshal
hwbinder_use(shell)
allow shell hwservicemanager:hwservice_manager list;

# allow shell to look through /proc/ for ps, top, netstat
r_dir_file(shell, proc)
r_dir_file(shell, proc_net)
allow shell proc_interrupts:file r_file_perms;
allow shell proc_meminfo:file r_file_perms;
allow shell proc_stat:file r_file_perms;
allow shell proc_timer:file r_file_perms;
allow shell proc_zoneinfo:file r_file_perms;
r_dir_file(shell, cgroup)
# Read-only view of every domain's /proc/<pid> entries (no write/ioctl).
allow shell domain:dir { search open read getattr };
allow shell domain:{ file lnk_file } { open read getattr };

# statvfs() of /proc and other labeled filesystems
# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs)
allow shell { proc labeledfs }:filesystem getattr;

# stat() of /dev
allow shell device:dir getattr;

# allow shell to read /proc/pid/attr/current for ps -Z
allow shell domain:process getattr;

# Allow pulling the SELinux policy for CTS purposes
allow shell selinuxfs:dir r_dir_perms;
allow shell selinuxfs:file r_file_perms;

# enable shell domain to read/write files/dirs for bootchart data
# User creates the start and stop file via adb shell
# and reads other files created by init process under /data/bootchart
allow shell bootchart_data_file:dir rw_dir_perms;
allow shell bootchart_data_file:file create_file_perms;

# Make sure strace works for the non-privileged shell user
# `self` only: the shell may trace its own processes; this grants no
# ptrace on other domains.
allow shell self:process ptrace;

# allow shell to get battery info
allow shell sysfs_batteryinfo:file r_file_perms;
allow shell sysfs:dir r_dir_perms;

# Allow access to ion memory allocation device.
allow shell ion_device:chr_file rw_file_perms;

#
# filesystem test for insecure chr_file's is done
# via a host side test
#
# getattr only: the host-side test needs to stat every /dev node, which is
# why dev_type is broad here; the neverallow rules at the bottom cap what
# can be granted on the sensitive ones.
allow shell dev_type:dir r_dir_perms;
allow shell dev_type:chr_file getattr;

# /dev/fd is a symlink
allow shell proc:lnk_file getattr;

#
# filesystem test for insecure blk_file's is done
# via hostside test
#
allow shell dev_type:blk_file getattr;

# read selinux policy files
allow shell file_contexts_file:file r_file_perms;
allow shell property_contexts_file:file r_file_perms;
allow shell seapp_contexts_file:file r_file_perms;
allow shell service_contexts_file:file r_file_perms;
allow shell sepolicy_file:file r_file_perms;

###
### Neverallow rules
###
### These are compile-time assertions: policy build fails if any allow rule
### (in this file or any other) would grant the listed access.
###

# Do not allow shell to hard link to any files.
# In particular, if shell hard links to app data
# files, installd will not be able to guarantee the deletion
# of the linked to file. Hard links also contribute to security
# bugs, so we want to ensure the shell user never has this
# capability.
neverallow shell file_type:file link;

# Do not allow privileged socket ioctl commands
# (priv_sock_ioctls is the extended-permission set defined elsewhere in
# the policy; this rejects those ioctl numbers on the listed socket classes.)
neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;

# limit shell access to sensitive char drivers to
# only getattr required for host side test.
neverallow shell {
  fuse_device
  hw_random_device
  kmem_device
  port_device
}:chr_file ~getattr;

# Limit shell to only getattr on blk devices for host side tests.
neverallow shell dev_type:blk_file ~getattr;