blob: 0609f94a6b2b607c8427658e0e774fd409383511 [file] [log] [blame]
Alan Stokes81e4e872020-02-11 14:43:05 +00001typeattribute shell coredomain, mlstrustedsubject;
Alex Klyubinf5446eb2017-03-23 14:27:32 -07002
Siarhei Vishniakou2a7f5712017-05-10 19:37:06 -07003# allow shell input injection
4allow shell uhid_device:chr_file rw_file_perms;
5
dcashman2e00e632016-10-12 14:58:09 -07006# systrace support - allow atrace to run
Carmen Jackson2c8ca452018-01-30 18:14:45 -08007allow shell debugfs_tracing_debug:dir r_dir_perms;
dcashman2e00e632016-10-12 14:58:09 -07008allow shell debugfs_tracing:dir r_dir_perms;
Joel Galenson27c0aa72017-07-26 16:22:50 -07009allow shell debugfs_tracing:file rw_file_perms;
dcashman2e00e632016-10-12 14:58:09 -070010allow shell debugfs_trace_marker:file getattr;
11allow shell atrace_exec:file rx_file_perms;
12
Carmen Jackson25788df2017-04-14 12:12:50 -070013userdebug_or_eng(`
Joel Galenson47966ce2017-07-27 09:50:25 -070014 allow shell debugfs_tracing_debug:file rw_file_perms;
Carmen Jackson25788df2017-04-14 12:12:50 -070015')
16
Carmen Jackson2c8ca452018-01-30 18:14:45 -080017# read config.gz for CTS purposes
18allow shell config_gz:file r_file_perms;
19
Florian Mayer6c689e82024-02-14 10:54:58 -080020# allow reading tombstones. users can already use bugreports to get those.
21allow shell tombstone_data_file:dir r_dir_perms;
22allow shell tombstone_data_file:file r_file_perms;
23
dcashman3e8dbf02016-12-08 11:23:34 -080024# Run app_process.
25# XXX Transition into its own domain?
26app_domain(shell)
Jin Qiana239f302017-03-23 12:28:20 -070027
28# allow shell to call dumpsys storaged
29binder_call(shell, storaged)
Nick Kralevich14e2e922017-05-08 09:51:59 -070030
31# Perform SELinux access checks, needed for CTS
32selinux_check_access(shell)
33selinux_check_context(shell)
Primiano Tuccic80f9e02017-12-21 03:51:15 +010034
35# Control Perfetto traced and obtain traces from it.
36# Needed for Studio and debugging.
37unix_socket_connect(shell, traced_consumer, traced)
38
39# Allow shell binaries to write trace data to Perfetto. Used for testing and
40# cmdline utils.
Florian Mayer5e522812019-10-08 16:15:14 +010041perfetto_producer(shell)
Yifan Hong00ab5d82018-01-11 11:01:30 -080042
43domain_auto_trans(shell, vendor_shell_exec, vendor_shell)
Primiano Tucci1a9f4f72018-01-24 16:07:09 +000044
David Anderson51bf1e42024-11-19 20:27:38 -080045# Allow shell to execute tradeinmode for testing.
46domain_auto_trans(shell, tradeinmode_exec, tradeinmode)
David Andersonbad9ca12024-10-28 15:23:35 -070047
Primiano Tucci1a9f4f72018-01-24 16:07:09 +000048# Allow shell binaries to exec the perfetto cmdline util and have that
49# transition into its own domain, so that it behaves consistently to
50# when exec()-d by statsd.
51domain_auto_trans(shell, perfetto_exec, perfetto)
Florian Mayeraeca04b2018-12-06 13:28:01 +000052# Allow to send SIGINT to perfetto when daemonized.
53allow shell perfetto:process signal;
Primiano Tucci1a9f4f72018-01-24 16:07:09 +000054
Bookatz022ab0e2018-02-13 09:33:36 -080055# Allow shell to run adb shell cmd stats commands. Needed for CTS.
56binder_call(shell, statsd);
57
Hongming Jin58f83412021-02-09 12:03:40 -080058# Allow shell to read and unlink traces stored in /data/misc/a11ytraces.
59userdebug_or_eng(`
60 allow shell accessibility_trace_data_file:dir rw_dir_perms;
61 allow shell accessibility_trace_data_file:file { r_file_perms unlink };
62')
63
Primiano Tucci1a9f4f72018-01-24 16:07:09 +000064# Allow shell to read and unlink traces stored in /data/misc/perfetto-traces.
65allow shell perfetto_traces_data_file:dir rw_dir_perms;
Florian Mayerc069bc12019-09-30 11:09:45 +010066allow shell perfetto_traces_data_file:file { r_file_perms unlink };
Primiano Tucci2bb85872021-01-18 09:26:57 +000067# ... and /data/misc/perfetto-traces/bugreport/ .
68allow shell perfetto_traces_bugreport_data_file:dir rw_dir_perms;
69allow shell perfetto_traces_bugreport_data_file:file { r_file_perms unlink };
Fan Xu26fa9142018-09-17 17:06:19 -070070
Primiano Tucci512bdb92020-10-13 21:13:09 +010071# Allow shell to create/remove configs stored in /data/misc/perfetto-configs.
72allow shell perfetto_configs_data_file:dir rw_dir_perms;
73allow shell perfetto_configs_data_file:file create_file_perms;
74
Yiwei Zhangff0f79c2018-11-27 15:21:43 -080075# Allow shell to run adb shell cmd gpu commands.
76binder_call(shell, gpuservice);
77
Wei Wangbc71a612018-09-19 16:06:28 -070078# Allow shell to use atrace HAL
79hal_client_domain(shell, hal_atrace)
Jeff Vander Stoep42451772018-09-28 10:55:14 -070080
81# For hostside tests such as CTS listening ports test.
82allow shell proc_net_tcp_udp:file r_file_perms;
Nick Kralevich905b4002019-02-25 15:11:40 -080083
84# The dl.exec_linker* tests need to execute /system/bin/linker
85# b/124789393
86allow shell system_linker_exec:file rx_file_perms;
Nick Kralevich68e27ca2019-02-26 12:30:42 -080087
88# Renderscript host side tests depend on being able to execute
89# /system/bin/bcc (b/126388046)
90allow shell rs_exec:file rx_file_perms;
Yifan Hong18ade862019-03-14 15:45:03 -070091
Roland Levillain06bee182020-11-02 13:52:54 +000092# Allow (host-driven) ART run-tests to execute dex2oat, in order to
93# check ART's compiler.
94allow shell dex2oat_exec:file rx_file_perms;
Martin Stjernholm1e0b4a52022-04-14 17:42:11 +010095allow shell dex2oat_exec:lnk_file read;
Roland Levillain06bee182020-11-02 13:52:54 +000096
Yifan Hong18ade862019-03-14 15:45:03 -070097# Allow shell to start and comminicate with lpdumpd.
98set_prop(shell, lpdumpd_prop);
99binder_call(shell, lpdumpd)
Kiyoung Kim82c87ed2019-08-09 14:20:34 +0900100
Nikita Ioffe91c37952020-03-12 14:45:00 +0000101# Allow shell to set and read value of properties used for CTS tests of
102# userspace reboot
103set_prop(shell, userspace_reboot_test_prop)
104
Michael Rosenfeld5425c872021-11-17 15:48:47 -0800105# Allow shell to set this property to disable charging.
106set_prop(shell, power_debug_prop)
107
JW Wang0f8cf042021-02-24 14:29:06 +0800108# Allow shell to set this property used for rollback tests
109set_prop(shell, rollback_test_prop)
110
Seth Moored3bd6862023-02-24 11:50:51 -0800111# Allow shell to set RKP properties for testing purposes
112set_prop(shell, remote_prov_prop)
113
Steven Morelande7400802024-10-19 00:06:33 +0000114# Allow shell to enable 16 KB backcompat globally.
115set_prop(shell, bionic_linker_16kb_app_compat_prop)
116
Eric Biggersb57af5d2019-09-27 13:33:27 -0700117# Allow shell to get encryption policy of /data/local/tmp/, for CTS
118allowxperm shell shell_data_file:dir ioctl {
119 FS_IOC_GET_ENCRYPTION_POLICY
120 FS_IOC_GET_ENCRYPTION_POLICY_EX
121};
Ryan Savitskiffa0dd92020-01-10 19:02:43 +0000122
123# Allow shell to execute simpleperf without a domain transition.
124allow shell simpleperf_exec:file rx_file_perms;
125
Yi Kongb7bb6492021-07-27 17:06:50 +0800126userdebug_or_eng(`
127 # Allow shell to execute profcollectctl without a domain transition.
128 allow shell profcollectd_exec:file rx_file_perms;
129
130 # Allow shell to read profcollectd data files.
131 r_dir_file(shell, profcollectd_data_file)
132
133 # Allow to issue control commands to profcollectd binder service.
134 allow shell profcollectd:binder call;
135')
Yi Kong45551232020-09-01 01:54:01 +0800136
Yi-Yo Chiang686d7792022-11-01 15:08:09 +0800137# Allow shell to run remount command.
138allow shell remount_exec:file rx_file_perms;
139
Ryan Savitskiffa0dd92020-01-10 19:02:43 +0000140# Allow shell to call perf_event_open for profiling other shell processes, but
141# not the whole system.
142allow shell self:perf_event { open read write kernel };
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900143
Seungjae Yood2a08922023-11-15 17:59:30 +0900144# Allow shell to read microdroid vendor image
145r_dir_file(shell, vendor_microdroid_file)
146
Jiyong Parkabdc9732021-06-14 08:30:43 +0900147# Allow shell to read /apex/apex-info-list.xml and the vendor apexes
Tej Singh75385ef2021-06-07 13:27:52 -0700148allow shell apex_info_file:file r_file_perms;
Jiyong Parkabdc9732021-06-14 08:30:43 +0900149allow shell vendor_apex_file:file r_file_perms;
150allow shell vendor_apex_file:dir r_dir_perms;
Jooyung Hanb6211b82023-05-31 17:51:14 +0900151allow shell vendor_apex_metadata_file:dir r_dir_perms;
Tej Singh75385ef2021-06-07 13:27:52 -0700152
Alan Stokes54907522022-02-25 11:59:25 +0000153# Allow shell to read updated APEXes under /data/apex
154allow shell apex_data_file:dir search;
155allow shell staging_data_file:file r_file_perms;
156
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900157# Set properties.
158set_prop(shell, shell_prop)
159set_prop(shell, ctl_bugreport_prop)
160set_prop(shell, ctl_dumpstate_prop)
161set_prop(shell, dumpstate_prop)
162set_prop(shell, exported_dumpstate_prop)
163set_prop(shell, debug_prop)
Michael Rosenfeld3ccbebb2021-02-10 18:45:35 -0800164set_prop(shell, perf_drop_caches_prop)
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900165set_prop(shell, powerctl_prop)
166set_prop(shell, log_tag_prop)
167set_prop(shell, wifi_log_prop)
168# Allow shell to start/stop traced via the persist.traced.enable
169# property (which also takes care of /data/misc initialization).
170set_prop(shell, traced_enabled_prop)
Snild Dolkowef0f3692023-11-10 10:58:01 +0100171# adjust SELinux audit rates
172set_prop(shell, logd_auditrate_prop)
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900173# adjust is_loggable properties
174userdebug_or_eng(`set_prop(shell, log_prop)')
175# logpersist script
176userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)')
177# Allow shell to start/stop heapprofd via the persist.heapprofd.enable
178# property.
179set_prop(shell, heapprofd_enabled_prop)
180# Allow shell to start/stop traced_perf via the persist.traced_perf.enable
181# property.
182set_prop(shell, traced_perf_enabled_prop)
183# Allow shell to start/stop gsid via ctl.start|stop|restart gsid.
184set_prop(shell, ctl_gsid_prop)
David Anderson09bb9442020-11-13 00:45:59 -0800185set_prop(shell, ctl_snapuserd_prop)
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900186# Allow shell to enable Dynamic System Update
187set_prop(shell, dynamic_system_prop)
188# Allow shell to mock an OTA using persist.pm.mock-upgrade
189set_prop(shell, mock_ota_prop)
190
191# Read device's serial number from system properties
192get_prop(shell, serialno_prop)
193
194# Allow shell to read the vendor security patch level for CTS
195get_prop(shell, vendor_security_patch_level_prop)
196
197# Read state of logging-related properties
198get_prop(shell, device_logging_prop)
199
200# Read state of boot reason properties
201get_prop(shell, bootloader_boot_reason_prop)
202get_prop(shell, last_boot_reason_prop)
203get_prop(shell, system_boot_reason_prop)
204
Max Bires4d3dcd62022-10-07 12:51:15 -0700205# Allow shell to execute the remote key provisioning factory tool
206binder_call(shell, hal_keymint)
Alice Wang4877bed2024-06-27 14:12:10 +0000207# Allow shell to run the AVF RKP HAL during the execution of the remote key
208# provisioning factory tool.
209# TODO(b/351113293): Remove this once the AVF RKP HAL registration is moved to
210# a separate process.
211binder_call(shell, virtualizationservice)
Alice Wang6d3e6132024-08-05 09:55:16 +0000212# Allow the shell to inspect whether AVF remote attestation is supported
213# through the system property.
214get_prop(shell, avf_virtualizationservice_prop)
Max Bires4d3dcd62022-10-07 12:51:15 -0700215
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900216# Allow reading the outcome of perf_event_open LSM support test for CTS.
217get_prop(shell, init_perf_lsm_hooks_prop)
218
Yifan Hong6bb5a762020-10-06 17:52:17 -0700219# Allow shell to read boot image timestamps and fingerprints.
220get_prop(shell, build_bootimage_prop)
221
Martijn Coenenfd6d7082021-08-05 15:11:04 +0200222# Allow shell to read odsign verification properties
223get_prop(shell, odsign_prop)
224
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900225userdebug_or_eng(`set_prop(shell, persist_debug_prop)')
Peiyong Lin37dea072020-06-03 12:20:41 -0700226
Janis Danisevskis47f37612020-07-27 13:07:39 -0700227# Allow shell to read the keystore key contexts files. Used by native tests to test label lookup.
228allow shell keystore2_key_contexts_file:file r_file_perms;
229
230# Allow shell to access the keystore2_key namespace shell_key. Mainly used for native tests.
Janis Danisevskised96f5c2020-09-24 08:55:28 -0700231allow shell shell_key:keystore2_key { delete rebind use get_info update };
Inseob Kim0cef0fe2020-11-17 13:54:52 +0900232
Allen Webbcda514a2021-07-19 14:32:41 -0700233# Allow shell to open and execute memfd files for minijail unit tests.
234userdebug_or_eng(`
235 allow shell appdomain_tmpfs:file { open execute_no_trans };
236')
237
Inseob Kim0cef0fe2020-11-17 13:54:52 +0900238# Allow shell to write db.log.detailed, db.log.slow_query_threshold*
239set_prop(shell, sqlite_log_prop)
Mitch Phillipseaf14042020-12-03 17:23:06 -0800240
241# Allow shell to write MTE properties even on user builds.
242set_prop(shell, arm64_memtag_prop)
Mitch Phillips98b3e4b2024-03-15 16:26:31 +0100243set_prop(shell, permissive_mte_prop)
Tianjiec3752cf2021-01-19 23:02:51 -0800244
Alice Ryhl6b9aa6d2024-02-21 15:18:14 +0000245# Allow shell to write kcmdline properties even on user builds.
246set_prop(shell, kcmdline_prop)
247
Tianjiec3752cf2021-01-19 23:02:51 -0800248# Allow shell to read the dm-verity props on user builds.
249get_prop(shell, verity_status_prop)
Yifan Honga18cf7e2021-02-17 12:06:12 -0800250
251# Allow shell to read Virtual A/B related properties
252get_prop(shell, virtual_ab_prop)
Michael Rosenfeld3ccbebb2021-02-10 18:45:35 -0800253
Yi-Yo Chiang694ab792021-04-09 13:39:20 +0800254# Allow ReadDefaultFstab() for CTS.
255read_fstab(shell)
Nikita Ioffe681ad262021-06-10 15:37:25 +0100256
257# Allow shell read access to /apex/apex-info-list.xml for CTS.
258allow shell apex_info_file:file r_file_perms;
Jiyong Parkf4083712021-07-10 14:35:06 +0900259
Alan Stokes39f49702021-09-02 11:10:59 +0100260# Let the shell user call virtualizationservice (and
261# virtualizationservice call back to shell) for debugging.
262virtualizationservice_use(shell)
Evan Rosky5cfdf2b2022-03-02 22:13:58 +0000263
264# Allow shell to set persist.wm.debug properties
265userdebug_or_eng(`set_prop(shell, persist_wm_debug_prop)')
Mitch Phillips8cd32cd2022-03-22 15:59:57 -0700266
267# Allow shell to write GWP-ASan properties even on user builds.
268set_prop(shell, gwp_asan_prop)
Alexander Roederer829d9742023-03-23 02:19:22 +0000269
270# Allow shell to set persist.sysui.notification.builder_extras_override property
271userdebug_or_eng(`set_prop(shell, persist_sysui_builder_extras_prop)')
Alexander Roederer584a8622023-05-31 21:25:50 +0000272# Allow shell to set persist.sysui.notification.ranking_update_ashmem property
273userdebug_or_eng(`set_prop(shell, persist_sysui_ranking_update_prop)')
Alexander Roederer829d9742023-03-23 02:19:22 +0000274
Wilson Sung679b7cb2023-09-12 11:24:05 +0800275# Allow shell to read the build properties for attestation feature
276get_prop(shell, build_attestation_prop)
277
Yu-Ting Tseng7dea3a32024-07-10 01:48:59 +0000278# Allow shell to execute oatdump.
Yu-Ting Tseng46e40492024-07-09 19:03:39 -0700279# TODO (b/350628688): Remove this once it's safe to do so.
Yu-Ting Tseng7dea3a32024-07-10 01:48:59 +0000280allow shell oatdump_exec:file rx_file_perms;
281
Inseob Kim75806ef2024-03-27 17:18:41 +0900282# Create and use network sockets.
283net_domain(shell)
284
285# logcat
286read_logd(shell)
287control_logd(shell)
288get_prop(shell, logd_prop)
289# logcat -L (directly, or via dumpstate)
290allow shell pstorefs:dir search;
291allow shell pstorefs:file r_file_perms;
292
293# Root fs.
294allow shell rootfs:dir r_dir_perms;
295
296# read files in /data/anr
297allow shell anr_data_file:dir r_dir_perms;
298allow shell anr_data_file:file r_file_perms;
299
300# Access /data/local/tmp.
301allow shell shell_data_file:dir create_dir_perms;
302allow shell shell_data_file:file create_file_perms;
303allow shell shell_data_file:file rx_file_perms;
304allow shell shell_data_file:lnk_file create_file_perms;
305
306# Access /data/local/tests.
307allow shell shell_test_data_file:dir create_dir_perms;
308allow shell shell_test_data_file:file create_file_perms;
309allow shell shell_test_data_file:file rx_file_perms;
310allow shell shell_test_data_file:lnk_file create_file_perms;
311allow shell shell_test_data_file:sock_file create_file_perms;
312
313# Read and delete from /data/local/traces.
314allow shell trace_data_file:file { r_file_perms unlink };
315allow shell trace_data_file:dir { r_dir_perms remove_name write };
316
317# Access /data/misc/profman.
318allow shell profman_dump_data_file:dir { write remove_name r_dir_perms };
319allow shell profman_dump_data_file:file { unlink r_file_perms };
320
321# Read/execute files in /data/nativetest
322userdebug_or_eng(`
323 allow shell nativetest_data_file:dir r_dir_perms;
324 allow shell nativetest_data_file:file rx_file_perms;
325')
326
327# adb bugreport
328unix_socket_connect(shell, dumpstate, dumpstate)
329
330allow shell devpts:chr_file rw_file_perms;
331allow shell tty_device:chr_file rw_file_perms;
332allow shell console_device:chr_file rw_file_perms;
333
334allow shell input_device:dir r_dir_perms;
335allow shell input_device:chr_file r_file_perms;
336
337r_dir_file(shell, system_file)
338allow shell system_file:file x_file_perms;
339allow shell toolbox_exec:file rx_file_perms;
340allow shell shell_exec:file rx_file_perms;
341allow shell zygote_exec:file rx_file_perms;
342
343userdebug_or_eng(`
344 # "systrace --boot" support - allow boottrace service to run
345 allow shell boottrace_data_file:dir rw_dir_perms;
346 allow shell boottrace_data_file:file create_file_perms;
347')
348
349# allow shell access to services
350allow shell servicemanager:service_manager list;
351# don't allow shell to access GateKeeper service
352# TODO: why is this so broad? Tightening candidate? It needs at list:
353# - dumpstate_service (so it can receive dumpstate progress updates)
354allow shell {
355 service_manager_type
356 -apex_service
357 -dnsresolver_service
358 -gatekeeper_service
359 -hal_keymint_service
360 -hal_secureclock_service
361 -hal_sharedsecret_service
362 -incident_service
363 -installd_service
364 -mdns_service
365 -netd_service
366 -system_suspend_control_internal_service
367 -system_suspend_control_service
368 -virtual_touchpad_service
369 -vold_service
370 -default_android_service
Alice Wang4877bed2024-06-27 14:12:10 +0000371 -virtualization_service
Inseob Kim75806ef2024-03-27 17:18:41 +0900372}:service_manager find;
373allow shell dumpstate:binder call;
374
375# allow shell to get information from hwservicemanager
376# for instance, listing hardware services with lshal
377hwbinder_use(shell)
378allow shell hwservicemanager:hwservice_manager list;
379
380# allow shell to look through /proc/ for lsmod, ps, top, netstat, vmstat.
381r_dir_file(shell, proc_net_type)
382
383allow shell {
384 proc_asound
T.J. Mercier716260a2024-04-26 18:28:28 +0000385 proc_cgroups
Inseob Kim75806ef2024-03-27 17:18:41 +0900386 proc_filesystems
387 proc_interrupts
388 proc_loadavg # b/124024827
389 proc_meminfo
390 proc_modules
391 proc_pid_max
392 proc_slabinfo
393 proc_stat
394 proc_timer
395 proc_uptime
396 proc_version
397 proc_vmstat
398 proc_zoneinfo
399}:file r_file_perms;
400
401# allow listing network interfaces under /sys/class/net.
402allow shell sysfs_net:dir r_dir_perms;
403
404r_dir_file(shell, cgroup)
405allow shell cgroup_desc_file:file r_file_perms;
Inseob Kim75806ef2024-03-27 17:18:41 +0900406allow shell vendor_cgroup_desc_file:file r_file_perms;
407r_dir_file(shell, cgroup_v2)
408allow shell domain:dir { search open read getattr };
409allow shell domain:{ file lnk_file } { open read getattr };
410
411# statvfs() of /proc and other labeled filesystems
412# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs, overlay)
413allow shell { proc labeledfs }:filesystem getattr;
414
415# stat() of /dev
416allow shell device:dir getattr;
417
418# allow shell to read /proc/pid/attr/current for ps -Z
419allow shell domain:process getattr;
420
421# Allow pulling the SELinux policy for CTS purposes
422allow shell selinuxfs:dir r_dir_perms;
423allow shell selinuxfs:file r_file_perms;
424
425# enable shell domain to read/write files/dirs for bootchart data
426# User will creates the start and stop file via adb shell
427# and read other files created by init process under /data/bootchart
428allow shell bootchart_data_file:dir rw_dir_perms;
429allow shell bootchart_data_file:file create_file_perms;
430
431# Make sure strace works for the non-privileged shell user
432allow shell self:process ptrace;
433
434# allow shell to get battery info
435allow shell sysfs:dir r_dir_perms;
436allow shell sysfs_batteryinfo:dir r_dir_perms;
437allow shell sysfs_batteryinfo:file r_file_perms;
438
T.J. Mercier12878e52024-04-26 19:27:06 +0000439# Allow reads (but not writes) of the MGLRU state
440allow shell sysfs_lru_gen_enabled:file r_file_perms;
441
Yi-Yo Chiang15bdfcb2024-05-10 18:01:47 +0800442# Allow communicating with the VM terminal.
443userdebug_or_eng(`
444 allow shell vmlauncher_app_devpts:chr_file rw_file_perms;
445 allowxperm shell vmlauncher_app_devpts:chr_file ioctl unpriv_tty_ioctls;
446')
447
Jaewan Kim168e04d2024-06-17 09:29:05 +0000448# Allow CTS to check whether AVF debug policy is installed
449allow shell { proc_dt_avf sysfs_dt_avf }:dir search;
450
Inseob Kim75806ef2024-03-27 17:18:41 +0900451# Allow access to ion memory allocation device.
452allow shell ion_device:chr_file rw_file_perms;
453
454#
455# filesystem test for insecure chr_file's is done
456# via a host side test
457#
458allow shell dev_type:dir r_dir_perms;
459allow shell dev_type:chr_file getattr;
460
461# /dev/fd is a symlink
462allow shell proc:lnk_file getattr;
463
464#
465# filesystem test for insucre blk_file's is done
466# via hostside test
467#
468allow shell dev_type:blk_file getattr;
469
470# read selinux policy files
471allow shell file_contexts_file:file r_file_perms;
472allow shell property_contexts_file:file r_file_perms;
473allow shell seapp_contexts_file:file r_file_perms;
474allow shell service_contexts_file:file r_file_perms;
475allow shell sepolicy_file:file r_file_perms;
476
477# Allow shell to start up vendor shell
478allow shell vendor_shell_exec:file rx_file_perms;
479
Jeongik Cha3335a042024-06-14 14:28:42 +0900480is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
Jeongik Cha4c36b702024-10-08 17:08:11 +0900481 allow shell linux_vm_setup_exec:file { entrypoint r_file_perms };
Jeongik Cha3335a042024-06-14 14:28:42 +0900482')
483
Nikita Ioffe48966b62024-10-22 14:01:17 +0000484allow shell tee_service_contexts_file:file r_file_perms;
Nikita Ioffe477e8f72024-10-24 12:46:00 +0000485allow shell test_pkvm_tee_service:tee_service use;
Nikita Ioffe48966b62024-10-22 14:01:17 +0000486
Inseob Kim75806ef2024-03-27 17:18:41 +0900487# Everything is labeled as rootfs in recovery mode. Allow shell to
488# execute them.
489recovery_only(`
490 allow shell rootfs:file rx_file_perms;
491')
492
493###
494### Neverallow rules
495###
496
497# Do not allow shell to talk directly to security HAL services other than
498# hal_remotelyprovisionedcomponent_service
499neverallow shell {
500 hal_keymint_service
501 hal_secureclock_service
502 hal_sharedsecret_service
Alice Wang4877bed2024-06-27 14:12:10 +0000503 virtualization_service
Inseob Kim75806ef2024-03-27 17:18:41 +0900504}:service_manager find;
505
506# Do not allow shell to hard link to any files.
507# In particular, if shell hard links to app data
508# files, installd will not be able to guarantee the deletion
509# of the linked to file. Hard links also contribute to security
510# bugs, so we want to ensure the shell user never has this
511# capability.
512neverallow shell file_type:file link;
513
514# Do not allow privileged socket ioctl commands
515neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
516
517# limit shell access to sensitive char drivers to
518# only getattr required for host side test.
519neverallow shell {
520 fuse_device
521 hw_random_device
522 port_device
523}:chr_file ~getattr;
524
525# Limit shell to only getattr on blk devices for host side tests.
526neverallow shell dev_type:blk_file ~getattr;
527
528# b/30861057: Shell access to existing input devices is an abuse
529# vector. The shell user can inject events that look like they
530# originate from the touchscreen etc.
531# Everyone should have already moved to UiAutomation#injectInputEvent
532# if they are running instrumentation tests (i.e. CTS), Monkey for
533# their stress tests, and the input command (adb shell input ...) for
534# injecting swipes and things.
535neverallow shell input_device:chr_file no_w_file_perms;
536
537neverallow shell self:perf_event ~{ open read write kernel };
538
539# Never allow others to set or get the perf.drop_caches property.
540neverallow { domain -shell -init } perf_drop_caches_prop:property_service set;
541neverallow { domain -shell -init -dumpstate } perf_drop_caches_prop:file read;