# Domain for shell processes spawned by ADB or the console service.
# The type carries the domain attribute (it labels processes) and the
# mlstrustedsubject attribute.
# NOTE(review): mlstrustedsubject is normally the attribute the MLS
# constraints use to exempt a subject from level/category checks. Confirm
# against the MLS constraint definitions, which are not part of this file.
type shell, domain, mlstrustedsubject;
# File label tagged with system_file_type, exec_type and file_type.
# Presumably the label of the shell binary itself (shell is allowed to read
# and execute shell_exec files further down) -- confirm in file_contexts.
type shell_exec, system_file_type, exec_type, file_type;
# Create and use network sockets.
# net_domain is a policy macro defined outside this file; the exact socket
# classes and permissions it grants are not visible here.
net_domain(shell)

# logcat: read access to logd plus logd control commands. Both are policy
# macros defined outside this file.
read_logd(shell)
control_logd(shell)
# logcat -L (directly, or via dumpstate): read-only access to pstore.
# Only directory search and file reads are granted, no writes.
allow shell pstorefs:dir search;
allow shell pstorefs:file r_file_perms;
# Root fs: read-only access to directories labeled rootfs. No rootfs file
# permission is granted by this rule.
allow shell rootfs:dir r_dir_perms;

# Read files in /data/anr (read-only for both directories and files).
allow shell anr_data_file:dir r_dir_perms;
allow shell anr_data_file:file r_file_perms;

# Access /data/local/tmp.
# Shell may create directories, files and symlinks here and may also
# execute the files it finds, so this is a location that is both writable
# and executable for the shell user.
# NOTE(review): rx_file_perms is defined outside this file; in AOSP it is
# expected to include execute_no_trans, meaning code started from here keeps
# running in the shell domain -- confirm against the macro definitions.
allow shell shell_data_file:dir create_dir_perms;
allow shell shell_data_file:file create_file_perms;
allow shell shell_data_file:file rx_file_perms;
allow shell shell_data_file:lnk_file create_file_perms;

# Access /data/local/tests.
# Same shape as /data/local/tmp above, plus creation of socket files.
allow shell shell_test_data_file:dir create_dir_perms;
allow shell shell_test_data_file:file create_file_perms;
allow shell shell_test_data_file:file rx_file_perms;
allow shell shell_test_data_file:lnk_file create_file_perms;
allow shell shell_test_data_file:sock_file create_file_perms;

# Read and delete from /data/local/traces.
# The directory rule lists write and remove_name (needed to unlink an
# entry) but not add_name, so creating new entries is not granted here.
allow shell trace_data_file:file { r_file_perms unlink };
allow shell trace_data_file:dir { r_dir_perms remove_name write };

# Access /data/misc/profman.
# Same read-and-delete shape as the traces directory above.
allow shell profman_dump_data_file:dir { write remove_name r_dir_perms };
allow shell profman_dump_data_file:file { unlink r_file_perms };

# Read/execute files in /data/nativetest.
# Wrapped in userdebug_or_eng, so these rules are only meant to be part of
# userdebug and eng builds, not user builds.
userdebug_or_eng(`
  allow shell nativetest_data_file:dir r_dir_perms;
  allow shell nativetest_data_file:file rx_file_perms;
')
# adb bugreport: connect to the dumpstate Unix socket.
# unix_socket_connect is a policy macro defined outside this file.
unix_socket_connect(shell, dumpstate, dumpstate)

# Terminals: read/write on pseudo-terminal, tty and console character
# devices, which an interactive shell needs for its stdin/stdout.
allow shell devpts:chr_file rw_file_perms;
allow shell tty_device:chr_file rw_file_perms;
allow shell console_device:chr_file rw_file_perms;

# Input devices: read-only. Shell may list the directory and read the
# device nodes; the neverallow on input_device:chr_file at the end of this
# file (b/30861057) forbids the write side so shell cannot inject events.
allow shell input_device:dir r_dir_perms;
allow shell input_device:chr_file r_file_perms;
# Read directories and files labeled system_file, and execute those files.
r_dir_file(shell, system_file)
allow shell system_file:file x_file_perms;
# Read and execute specific labeled executables: toolbox, tzdatacheck, the
# shell itself and the zygote executable.
allow shell toolbox_exec:file rx_file_perms;
allow shell tzdatacheck_exec:file rx_file_perms;
allow shell shell_exec:file rx_file_perms;
allow shell zygote_exec:file rx_file_perms;

# Read-only access to directories and files labeled apk_data_file.
# NOTE(review): presumably installed packages under /data/app -- confirm in
# file_contexts, which is not part of this file.
r_dir_file(shell, apk_data_file)

# userdebug and eng builds only (userdebug_or_eng wrapper).
userdebug_or_eng(`
  # "systrace --boot" support - allow boottrace service to run
  allow shell boottrace_data_file:dir rw_dir_perms;
  allow shell boottrace_data_file:file create_file_perms;
')
# Allow shell access to services: list what is registered with
# servicemanager.
allow shell servicemanager:service_manager list;
# Allow shell to look up (find) every service type except the ones
# subtracted below. GateKeeper is one of the excluded services.
# NOTE(review): this is a deny-list. Any type carrying the
# service_manager_type attribute that is not subtracted here is findable by
# shell, so a newly added sensitive service stays reachable from adb shell
# until someone adds it to this list. The find permission only covers the
# lookup; whatever checks a service performs on its callers are outside
# this file.
# TODO: why is this so broad? Tightening candidate? It needs at least:
# - dumpstate_service (so it can receive dumpstate progress updates)
allow shell {
  service_manager_type
  -apex_service
  -dnsresolver_service
  -gatekeeper_service
  -incident_service
  -installd_service
  -iorapd_service
  -netd_service
  -system_suspend_control_internal_service
  -system_suspend_control_service
  -virtual_touchpad_service
  -vold_service
  -vr_hwc_service
  -default_android_service
}:service_manager find;
# Binder calls from shell into the dumpstate domain.
allow shell dumpstate:binder call;

# Allow shell to get information from hwservicemanager,
# for instance listing hardware services with lshal.
# Only list is granted on hwservice_manager here; no find rule for
# individual hardware services appears in this file.
hwbinder_use(shell)
allow shell hwservicemanager:hwservice_manager list;
# Allow shell to look through /proc/ for lsmod, ps, top, netstat, vmstat.
# Read-only access to everything carrying the proc_net_type attribute.
r_dir_file(shell, proc_net_type)

# Read-only access to an explicit allow-list of /proc file labels. A /proc
# label that is not named here is not covered by this rule.
allow shell {
  proc_asound
  proc_filesystems
  proc_interrupts
  proc_loadavg # b/124024827
  proc_meminfo
  proc_modules
  proc_pid_max
  proc_slabinfo
  proc_stat
  proc_timer
  proc_uptime
  proc_version
  proc_vmstat
  proc_zoneinfo
}:file r_file_perms;

# Allow listing network interfaces under /sys/class/net.
# Directory access only; no sysfs_net file permission is granted here.
allow shell sysfs_net:dir r_dir_perms;

# Read-only access to the cgroup and cgroup_v2 hierarchies and to the
# cgroup description files.
r_dir_file(shell, cgroup)
allow shell cgroup_desc_file:file r_file_perms;
allow shell cgroup_desc_api_file:file r_file_perms;
allow shell vendor_cgroup_desc_file:file r_file_perms;
r_dir_file(shell, cgroup_v2)
# Read directories, files and symlinks labeled with any process domain.
# NOTE(review): presumably the per-process /proc/<pid> entries that ps and
# top walk -- confirm. The target is the whole domain attribute, so SELinux
# does not narrow this to particular processes; any further restriction has
# to come from Unix permissions or procfs mount options.
allow shell domain:dir { search open read getattr };
allow shell domain:{ file lnk_file } { open read getattr };
# statvfs() of /proc and other labeled filesystems
# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs, overlay)
allow shell { proc labeledfs }:filesystem getattr;

# stat() of /dev (getattr on the directory only).
allow shell device:dir getattr;

# Allow shell to read /proc/pid/attr/current for ps -Z.
# getattr on the process class exposes the security context of every
# domain to shell; no other process permission is granted on other domains.
allow shell domain:process getattr;

# Allow pulling the SELinux policy for CTS purposes (read-only selinuxfs).
allow shell selinuxfs:dir r_dir_perms;
allow shell selinuxfs:file r_file_perms;

# Let the shell domain read/write files and directories for bootchart data.
# The user creates the start and stop files via adb shell and reads the
# other files created by the init process under /data/bootchart.
allow shell bootchart_data_file:dir rw_dir_perms;
allow shell bootchart_data_file:file create_file_perms;
# Make sure strace works for the non-privileged shell user.
# The target is self, so the ptrace permission is limited to processes that
# run in the shell domain; tracing other domains is not granted here.
allow shell self:process ptrace;

# Allow shell to get battery info.
# Directory access to sysfs in general, plus read-only access to the
# battery-info directories and files.
allow shell sysfs:dir r_dir_perms;
allow shell sysfs_batteryinfo:dir r_dir_perms;
allow shell sysfs_batteryinfo:file r_file_perms;

# Allow access to ion memory allocation device (read/write on the device
# node).
allow shell ion_device:chr_file rw_file_perms;
#
# The filesystem test for insecure chr_files is done via a host-side test.
# Shell may list every device directory but gets getattr only on character
# device nodes carrying the dev_type attribute; opening or reading them
# needs a separate, label-specific allow rule.
#
allow shell dev_type:dir r_dir_perms;
allow shell dev_type:chr_file getattr;

# /dev/fd is a symlink
allow shell proc:lnk_file getattr;

#
# The filesystem test for insecure blk_files is done via a host-side test.
# getattr only; the neverallow on dev_type:blk_file at the end of this file
# forbids every other permission on block devices for shell.
#
allow shell dev_type:blk_file getattr;
# Read SELinux policy files: the file, property, seapp and service context
# files and the policy file itself. All grants are read-only.
allow shell file_contexts_file:file r_file_perms;
allow shell property_contexts_file:file r_file_perms;
allow shell seapp_contexts_file:file r_file_perms;
allow shell service_contexts_file:file r_file_perms;
allow shell sepolicy_file:file r_file_perms;

# Allow shell to start up the vendor shell (read and execute the file).
allow shell vendor_shell_exec:file rx_file_perms;

# Everything is labeled as rootfs in recovery mode. Allow shell to
# execute them.
# Wrapped in recovery_only, so the rule is only meant to be part of the
# recovery policy; outside recovery, shell gets no rootfs file permission
# from this file.
recovery_only(`
  allow shell rootfs:file rx_file_perms;
')
###
### Neverallow rules
###
# neverallow and neverallowxperm are assertions checked when the policy is
# compiled. They grant nothing; they make the build fail if any allow rule
# would give shell the listed access.

# Do not allow shell to hard link to any files.
# In particular, if shell hard links to app data files, installd will not
# be able to guarantee the deletion of the linked-to file. Hard links also
# contribute to security bugs, so we want to ensure the shell user never
# has this capability.
neverallow shell file_type:file link;

# Do not allow privileged socket ioctl commands on raw IP, TCP and UDP
# sockets of any domain. priv_sock_ioctls is a macro defined outside this
# file that names the ioctl commands treated as privileged.
neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
# Limit shell access to sensitive char drivers to only the getattr
# required for the host-side test. The ~getattr set means every chr_file
# permission other than getattr.
neverallow shell {
  fuse_device
  hw_random_device
  port_device
}:chr_file ~getattr;

# Limit shell to only getattr on blk devices for host-side tests.
# This covers every type with the dev_type attribute, so shell can stat a
# block device node but can never be allowed to open, read or write one.
neverallow shell dev_type:blk_file ~getattr;

# b/30861057: Shell access to existing input devices is an abuse
# vector. The shell user can inject events that look like they
# originate from the touchscreen etc.
# Everyone should have already moved to UiAutomation#injectInputEvent
# if they are running instrumentation tests (i.e. CTS), Monkey for
# their stress tests, and the input command (adb shell input ...) for
# injecting swipes and things.
# no_w_file_perms is a macro defined outside this file; presumably it
# names the write-type file permissions -- confirm in the macro
# definitions. Read access to input_device stays allowed earlier in this
# file.
neverallow shell input_device:chr_file no_w_file_perms;