| Inseob Kim | ff43be2 | 2021-06-07 16:56:56 +0900 | [diff] [blame] | 1 | # Domain for shell processes spawned by ADB or console service. |
| 2 | type shell, domain, mlstrustedsubject; |
| 3 | type shell_exec, system_file_type, exec_type, file_type; |
| 4 | |
| 5 | # Create and use network sockets. |
| 6 | net_domain(shell) |
| 7 | |
| 8 | # logcat |
| 9 | read_logd(shell) |
| 10 | control_logd(shell) |
| Inseob Kim | ff43be2 | 2021-06-07 16:56:56 +0900 | [diff] [blame] | 11 | |
| 12 | # Root fs. |
| 13 | allow shell rootfs:dir r_dir_perms; |
| 14 | |
| Inseob Kim | ff43be2 | 2021-06-07 16:56:56 +0900 | [diff] [blame] | 15 | # Access /data/local/tmp. |
| 16 | allow shell shell_data_file:dir create_dir_perms; |
| 17 | allow shell shell_data_file:file create_file_perms; |
| 18 | allow shell shell_data_file:file rx_file_perms; |
| 19 | allow shell shell_data_file:lnk_file create_file_perms; |
| 20 | |
| Inseob Kim | ff43be2 | 2021-06-07 16:56:56 +0900 | [diff] [blame] | 21 | allow shell devpts:chr_file rw_file_perms; |
| 22 | allow shell tty_device:chr_file rw_file_perms; |
| 23 | allow shell console_device:chr_file rw_file_perms; |
| 24 | |
| Inseob Kim | ff43be2 | 2021-06-07 16:56:56 +0900 | [diff] [blame] | 25 | r_dir_file(shell, system_file) |
| 26 | allow shell system_file:file x_file_perms; |
| 27 | allow shell toolbox_exec:file rx_file_perms; |
| Inseob Kim | ff43be2 | 2021-06-07 16:56:56 +0900 | [diff] [blame] | 28 | allow shell shell_exec:file rx_file_perms; |
| Inseob Kim | ff43be2 | 2021-06-07 16:56:56 +0900 | [diff] [blame] | 29 | |
| 30 | # allow shell to look through /proc/ for lsmod, ps, top, netstat, vmstat. |
| 31 | r_dir_file(shell, proc_net_type) |
| 32 | |
| 33 | allow shell { |
| 34 | proc_asound |
| 35 | proc_filesystems |
| 36 | proc_interrupts |
| 37 | proc_loadavg # b/124024827 |
| 38 | proc_meminfo |
| 39 | proc_modules |
| 40 | proc_pid_max |
| 41 | proc_slabinfo |
| 42 | proc_stat |
| 43 | proc_timer |
| 44 | proc_uptime |
| 45 | proc_version |
| 46 | proc_vmstat |
| 47 | proc_zoneinfo |
| 48 | }:file r_file_perms; |
| 49 | |
| 50 | # allow listing network interfaces under /sys/class/net. |
| 51 | allow shell sysfs_net:dir r_dir_perms; |
| 52 | |
| 53 | r_dir_file(shell, cgroup) |
| 54 | allow shell cgroup_desc_file:file r_file_perms; |
| 55 | allow shell cgroup_desc_api_file:file r_file_perms; |
| Inseob Kim | ff43be2 | 2021-06-07 16:56:56 +0900 | [diff] [blame] | 56 | r_dir_file(shell, cgroup_v2) |
| 57 | allow shell domain:dir { search open read getattr }; |
| 58 | allow shell domain:{ file lnk_file } { open read getattr }; |
| 59 | |
| 60 | # statvfs() of /proc and other labeled filesystems |
| 61 | # (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs, overlay) |
| 62 | allow shell { proc labeledfs }:filesystem getattr; |
| 63 | |
| 64 | # stat() of /dev |
| 65 | allow shell device:dir getattr; |
| 66 | |
| 67 | # allow shell to read /proc/pid/attr/current for ps -Z |
| 68 | allow shell domain:process getattr; |
| 69 | |
| 70 | # Allow pulling the SELinux policy for CTS purposes |
| 71 | allow shell selinuxfs:dir r_dir_perms; |
| 72 | allow shell selinuxfs:file r_file_perms; |
| 73 | |
| Inseob Kim | ff43be2 | 2021-06-07 16:56:56 +0900 | [diff] [blame] | 74 | # /dev/fd is a symlink |
| 75 | allow shell proc:lnk_file getattr; |
| 76 | |
| Inseob Kim | ff43be2 | 2021-06-07 16:56:56 +0900 | [diff] [blame] | 77 | # read selinux policy files |
| 78 | allow shell file_contexts_file:file r_file_perms; |
| 79 | allow shell property_contexts_file:file r_file_perms; |
| 80 | allow shell seapp_contexts_file:file r_file_perms; |
| 81 | allow shell service_contexts_file:file r_file_perms; |
| 82 | allow shell sepolicy_file:file r_file_perms; |