Confine shell domain in -user builds only.
Confine the domain for an adb shell in -user builds only.
The shell domain in non-user builds is left permissive.
init_shell (shell spawned by init, e.g. console service)
remains unconfined by this change.
Introduce a shelldomain attribute for rules common to all shell
domains, assign it to the shell types, and add shelldomain.te for
its rules.
Change-Id: I01ee2c7ef80b61a9db151abe182ef9af7623c461
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
diff --git a/shelldomain.te b/shelldomain.te
new file mode 100644
index 0000000..408e9da
--- /dev/null
+++ b/shelldomain.te
@@ -0,0 +1,40 @@
+# Rules for all shell domains (e.g. console service and adb shell).
+
+# Access /data/local/tmp.
+allow shelldomain shell_data_file:dir create_dir_perms;
+allow shelldomain shell_data_file:file create_file_perms;
+allow shelldomain shell_data_file:file rx_file_perms;
+
+# Access sdcard.
+allow shelldomain sdcard_type:dir rw_dir_perms;
+allow shelldomain sdcard_type:file create_file_perms;
+
+# adb bugreport
+unix_socket_connect(shelldomain, dumpstate, dumpstate)
+
+allow shelldomain rootfs:dir r_dir_perms;
+allow shelldomain devpts:chr_file rw_file_perms;
+allow shelldomain tty_device:chr_file rw_file_perms;
+allow shelldomain console_device:chr_file rw_file_perms;
+allow shelldomain input_device:chr_file rw_file_perms;
+allow shelldomain system_file:file x_file_perms;
+allow shelldomain shell_exec:file rx_file_perms;
+allow shelldomain zygote_exec:file rx_file_perms;
+
+r_dir_file(shelldomain, apk_data_file)
+allow shelldomain dalvikcache_data_file:file { write setattr };
+
+# Set properties.
+unix_socket_connect(shelldomain, property, init)
+allow shelldomain shell_prop:property_service set;
+allow shelldomain ctl_dumpstate_prop:property_service set;
+
+# ndk-gdb invokes adb shell ps to find the app PID.
+r_dir_file(shelldomain, non_system_app_set)
+
+# ndk-gdb invokes adb shell ls to check the app data dir.
+allow shelldomain app_data_file:dir search;
+
+# ps and ps -Z output for app processes.
+r_dir_file(shelldomain, appdomain)
+allow shelldomain appdomain:process getattr;
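Review bot: The `allow shelldomain dalvikcache_data_file:file { write setattr };` rule is the only grant in this file that widens write access to a system-owned type, and unlike its neighbours it carries no comment saying which tool needs it; a maintainer auditing shell's write reach later cannot tell whether it is still required. Add a one-line rationale above it in the style of the other rules, e.g. `# Needed by <tool> to write and chmod dex cache files in /data/dalvik-cache.` with the actual caller filled in, so the grant can be revisited when that need goes away. The same applies, to a lesser degree, to the uncommented `input_device:chr_file rw_file_perms` and `zygote_exec:file rx_file_perms` lines. The `attribute shelldomain;` declaration the description mentions is not in this hunk, so I assume it lands in a separate file of the same change.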