private/shell.te

typeattribute shell coredomain, mlstrustedsubject;

# allow shell input injection
allow shell uhid_device:chr_file rw_file_perms;

# systrace support - allow atrace to run
allow shell debugfs_tracing_debug:dir r_dir_perms;
allow shell debugfs_tracing:dir r_dir_perms;
allow shell debugfs_tracing:file rw_file_perms;
allow shell debugfs_trace_marker:file getattr;
allow shell atrace_exec:file rx_file_perms;

userdebug_or_eng(`
  allow shell debugfs_tracing_debug:file rw_file_perms;
')

# read config.gz for CTS purposes
allow shell config_gz:file r_file_perms;

# allow reading tombstones. users can already use bugreports to get those.
allow shell tombstone_data_file:dir r_dir_perms;
allow shell tombstone_data_file:file r_file_perms;

# Run app_process.
# XXX Transition into its own domain?
app_domain(shell)

# allow shell to call dumpsys storaged
binder_call(shell, storaged)

# Perform SELinux access checks, needed for CTS
selinux_check_access(shell)
selinux_check_context(shell)

# Control Perfetto traced and obtain traces from it.
# Needed for Studio and debugging.
unix_socket_connect(shell, traced_consumer, traced)

# Allow shell binaries to write trace data to Perfetto. Used for testing and
# cmdline utils.
perfetto_producer(shell)

domain_auto_trans(shell, vendor_shell_exec, vendor_shell)

# Allow shell to execute tradeinmode on userdebug builds, for testing.
userdebug_or_eng(`
  domain_auto_trans(shell, tradeinmode_exec, tradeinmode)
')

# Allow shell binaries to exec the perfetto cmdline util and have that
# transition into its own domain, so that it behaves consistently to
# when exec()-d by statsd.
domain_auto_trans(shell, perfetto_exec, perfetto)
# Allow to send SIGINT to perfetto when daemonized.
allow shell perfetto:process signal;

# Allow shell to run adb shell cmd stats commands. Needed for CTS.
binder_call(shell, statsd);

# Allow shell to read and unlink traces stored in /data/misc/a11ytraces.
userdebug_or_eng(`
  allow shell accessibility_trace_data_file:dir rw_dir_perms;
  allow shell accessibility_trace_data_file:file { r_file_perms unlink };
')

# Allow shell to read and unlink traces stored in /data/misc/perfetto-traces.
allow shell perfetto_traces_data_file:dir rw_dir_perms;
allow shell perfetto_traces_data_file:file { r_file_perms unlink };
# ... and /data/misc/perfetto-traces/bugreport/ .
allow shell perfetto_traces_bugreport_data_file:dir rw_dir_perms;
allow shell perfetto_traces_bugreport_data_file:file { r_file_perms unlink };

# Allow shell to create/remove configs stored in /data/misc/perfetto-configs.
allow shell perfetto_configs_data_file:dir rw_dir_perms;
allow shell perfetto_configs_data_file:file create_file_perms;

# Allow shell to run adb shell cmd gpu commands.
binder_call(shell, gpuservice);

# Allow shell to use atrace HAL
hal_client_domain(shell, hal_atrace)

# For hostside tests such as CTS listening ports test.
allow shell proc_net_tcp_udp:file r_file_perms;

# The dl.exec_linker* tests need to execute /system/bin/linker
# b/124789393
allow shell system_linker_exec:file rx_file_perms;

# Renderscript host side tests depend on being able to execute
# /system/bin/bcc (b/126388046)
allow shell rs_exec:file rx_file_perms;

# Allow (host-driven) ART run-tests to execute dex2oat, in order to
# check ART's compiler.
allow shell dex2oat_exec:file rx_file_perms;
allow shell dex2oat_exec:lnk_file read;

# Allow shell to start and comminicate with lpdumpd.
set_prop(shell, lpdumpd_prop);
binder_call(shell, lpdumpd)

# Allow shell to set and read value of properties used for CTS tests of
# userspace reboot
set_prop(shell, userspace_reboot_test_prop)

# Allow shell to set this property to disable charging.
set_prop(shell, power_debug_prop)

# Allow shell to set this property used for rollback tests
set_prop(shell, rollback_test_prop)

# Allow shell to set RKP properties for testing purposes
set_prop(shell, remote_prov_prop)

# Allow shell to enable 16 KB backcompat globally.
set_prop(shell, bionic_linker_16kb_app_compat_prop)

# Allow shell to get encryption policy of /data/local/tmp/, for CTS
allowxperm shell shell_data_file:dir ioctl {
  FS_IOC_GET_ENCRYPTION_POLICY
  FS_IOC_GET_ENCRYPTION_POLICY_EX
};

# Allow shell to execute simpleperf without a domain transition.
allow shell simpleperf_exec:file rx_file_perms;

userdebug_or_eng(`
  # Allow shell to execute profcollectctl without a domain transition.
  allow shell profcollectd_exec:file rx_file_perms;

  # Allow shell to read profcollectd data files.
  r_dir_file(shell, profcollectd_data_file)

  # Allow to issue control commands to profcollectd binder service.
  allow shell profcollectd:binder call;
')

# Allow shell to run remount command.
allow shell remount_exec:file rx_file_perms;

# Allow shell to call perf_event_open for profiling other shell processes, but
# not the whole system.
allow shell self:perf_event { open read write kernel };

# Allow shell to read microdroid vendor image
r_dir_file(shell, vendor_microdroid_file)

# Allow shell to read /apex/apex-info-list.xml and the vendor apexes
allow shell apex_info_file:file r_file_perms;
allow shell vendor_apex_file:file r_file_perms;
allow shell vendor_apex_file:dir r_dir_perms;
allow shell vendor_apex_metadata_file:dir r_dir_perms;

# Allow shell to read updated APEXes under /data/apex
allow shell apex_data_file:dir search;
allow shell staging_data_file:file r_file_perms;

# Set properties.
set_prop(shell, shell_prop)
set_prop(shell, ctl_bugreport_prop)
set_prop(shell, ctl_dumpstate_prop)
set_prop(shell, dumpstate_prop)
set_prop(shell, exported_dumpstate_prop)
set_prop(shell, debug_prop)
set_prop(shell, perf_drop_caches_prop)
set_prop(shell, powerctl_prop)
set_prop(shell, log_tag_prop)
set_prop(shell, wifi_log_prop)
# Allow shell to start/stop traced via the persist.traced.enable
# property (which also takes care of /data/misc initialization).
set_prop(shell, traced_enabled_prop)
# adjust SELinux audit rates
set_prop(shell, logd_auditrate_prop)
# adjust is_loggable properties
userdebug_or_eng(`set_prop(shell, log_prop)')
# logpersist script
userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)')
# Allow shell to start/stop heapprofd via the persist.heapprofd.enable
# property.
set_prop(shell, heapprofd_enabled_prop)
# Allow shell to start/stop traced_perf via the persist.traced_perf.enable
# property.
set_prop(shell, traced_perf_enabled_prop)
# Allow shell to start/stop gsid via ctl.start|stop|restart gsid.
set_prop(shell, ctl_gsid_prop)
set_prop(shell, ctl_snapuserd_prop)
# Allow shell to enable Dynamic System Update
set_prop(shell, dynamic_system_prop)
# Allow shell to mock an OTA using persist.pm.mock-upgrade
set_prop(shell, mock_ota_prop)

# Read device's serial number from system properties
get_prop(shell, serialno_prop)

# Allow shell to read the vendor security patch level for CTS
get_prop(shell, vendor_security_patch_level_prop)

# Read state of logging-related properties
get_prop(shell, device_logging_prop)

# Read state of boot reason properties
get_prop(shell, bootloader_boot_reason_prop)
get_prop(shell, last_boot_reason_prop)
get_prop(shell, system_boot_reason_prop)

# Allow shell to execute the remote key provisioning factory tool
binder_call(shell, hal_keymint)
# Allow shell to run the AVF RKP HAL during the execution of the remote key
# provisioning factory tool.
# TODO(b/351113293): Remove this once the AVF RKP HAL registration is moved to
# a separate process.
binder_call(shell, virtualizationservice)
# Allow the shell to inspect whether AVF remote attestation is supported
# through the system property.
get_prop(shell, avf_virtualizationservice_prop)

# Allow reading the outcome of perf_event_open LSM support test for CTS.
get_prop(shell, init_perf_lsm_hooks_prop)

# Allow shell to read boot image timestamps and fingerprints.
get_prop(shell, build_bootimage_prop)

# Allow shell to read odsign verification properties
get_prop(shell, odsign_prop)

userdebug_or_eng(`set_prop(shell, persist_debug_prop)')

# Allow shell to read the keystore key contexts files. Used by native tests to test label lookup.
allow shell keystore2_key_contexts_file:file r_file_perms;

# Allow shell to access the keystore2_key namespace shell_key. Mainly used for native tests.
allow shell shell_key:keystore2_key { delete rebind use get_info update };

# Allow shell to open and execute memfd files for minijail unit tests.
userdebug_or_eng(`
  allow shell appdomain_tmpfs:file { open execute_no_trans };
')

# Allow shell to write db.log.detailed, db.log.slow_query_threshold*
set_prop(shell, sqlite_log_prop)

# Allow shell to write MTE properties even on user builds.
set_prop(shell, arm64_memtag_prop)
set_prop(shell, permissive_mte_prop)

# Allow shell to write kcmdline properties even on user builds.
set_prop(shell, kcmdline_prop)

# Allow shell to read the dm-verity props on user builds.
get_prop(shell, verity_status_prop)

# Allow shell to read Virtual A/B related properties
get_prop(shell, virtual_ab_prop)

# Allow ReadDefaultFstab() for CTS.
read_fstab(shell)

# Allow shell read access to /apex/apex-info-list.xml for CTS.
allow shell apex_info_file:file r_file_perms;

# Let the shell user call virtualizationservice (and
# virtualizationservice call back to shell) for debugging.
virtualizationservice_use(shell)

# Allow shell to set persist.wm.debug properties
userdebug_or_eng(`set_prop(shell, persist_wm_debug_prop)')

# Allow shell to write GWP-ASan properties even on user builds.
set_prop(shell, gwp_asan_prop)

# Allow shell to set persist.sysui.notification.builder_extras_override property
userdebug_or_eng(`set_prop(shell, persist_sysui_builder_extras_prop)')
# Allow shell to set persist.sysui.notification.ranking_update_ashmem property
userdebug_or_eng(`set_prop(shell, persist_sysui_ranking_update_prop)')

# Allow shell to read the build properties for attestation feature
get_prop(shell, build_attestation_prop)

# Allow shell to execute oatdump.
# TODO (b/350628688): Remove this once it's safe to do so.
allow shell oatdump_exec:file rx_file_perms;

# Create and use network sockets.
net_domain(shell)

# logcat
read_logd(shell)
control_logd(shell)
get_prop(shell, logd_prop)
# logcat -L (directly, or via dumpstate)
allow shell pstorefs:dir search;
allow shell pstorefs:file r_file_perms;

# Root fs.
allow shell rootfs:dir r_dir_perms;

# read files in /data/anr
allow shell anr_data_file:dir r_dir_perms;
allow shell anr_data_file:file r_file_perms;

# Access /data/local/tmp.
allow shell shell_data_file:dir create_dir_perms;
allow shell shell_data_file:file create_file_perms;
allow shell shell_data_file:file rx_file_perms;
allow shell shell_data_file:lnk_file create_file_perms;

# Access /data/local/tests.
allow shell shell_test_data_file:dir create_dir_perms;
allow shell shell_test_data_file:file create_file_perms;
allow shell shell_test_data_file:file rx_file_perms;
allow shell shell_test_data_file:lnk_file create_file_perms;
allow shell shell_test_data_file:sock_file create_file_perms;

# Read and delete from /data/local/traces.
allow shell trace_data_file:file { r_file_perms unlink };
allow shell trace_data_file:dir { r_dir_perms remove_name write };

# Access /data/misc/profman.
allow shell profman_dump_data_file:dir { write remove_name r_dir_perms };
allow shell profman_dump_data_file:file { unlink r_file_perms };

# Read/execute files in /data/nativetest
userdebug_or_eng(`
  allow shell nativetest_data_file:dir r_dir_perms;
  allow shell nativetest_data_file:file rx_file_perms;
')

# adb bugreport
unix_socket_connect(shell, dumpstate, dumpstate)

allow shell devpts:chr_file rw_file_perms;
allow shell tty_device:chr_file rw_file_perms;
allow shell console_device:chr_file rw_file_perms;

allow shell input_device:dir r_dir_perms;
allow shell input_device:chr_file r_file_perms;

r_dir_file(shell, system_file)
allow shell system_file:file x_file_perms;
allow shell toolbox_exec:file rx_file_perms;
allow shell shell_exec:file rx_file_perms;
allow shell zygote_exec:file rx_file_perms;

userdebug_or_eng(`
  # "systrace --boot" support - allow boottrace service to run
  allow shell boottrace_data_file:dir rw_dir_perms;
  allow shell boottrace_data_file:file create_file_perms;
')

# allow shell access to services
allow shell servicemanager:service_manager list;
# don't allow shell to access GateKeeper service
# TODO: why is this so broad? Tightening candidate? It needs at list:
# - dumpstate_service (so it can receive dumpstate progress updates)
allow shell {
  service_manager_type
  -apex_service
  -dnsresolver_service
  -gatekeeper_service
  -hal_keymint_service
  -hal_secureclock_service
  -hal_sharedsecret_service
  -incident_service
  -installd_service
  -mdns_service
  -netd_service
  -system_suspend_control_internal_service
  -system_suspend_control_service
  -virtual_touchpad_service
  -vold_service
  -default_android_service
  -virtualization_service
}:service_manager find;
allow shell dumpstate:binder call;

# allow shell to get information from hwservicemanager
# for instance, listing hardware services with lshal
hwbinder_use(shell)
allow shell hwservicemanager:hwservice_manager list;

# allow shell to look through /proc/ for lsmod, ps, top, netstat, vmstat.
r_dir_file(shell, proc_net_type)

allow shell {
  proc_asound
  proc_cgroups
  proc_filesystems
  proc_interrupts
  proc_loadavg # b/124024827
  proc_meminfo
  proc_modules
  proc_pid_max
  proc_slabinfo
  proc_stat
  proc_timer
  proc_uptime
  proc_version
  proc_vmstat
  proc_zoneinfo
}:file r_file_perms;

# allow listing network interfaces under /sys/class/net.
allow shell sysfs_net:dir r_dir_perms;

r_dir_file(shell, cgroup)
allow shell cgroup_desc_file:file r_file_perms;
allow shell vendor_cgroup_desc_file:file r_file_perms;
r_dir_file(shell, cgroup_v2)
allow shell domain:dir { search open read getattr };
allow shell domain:{ file lnk_file } { open read getattr };

# statvfs() of /proc and other labeled filesystems
# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs, overlay)
allow shell { proc labeledfs }:filesystem getattr;

# stat() of /dev
allow shell device:dir getattr;

# allow shell to read /proc/pid/attr/current for ps -Z
allow shell domain:process getattr;

# Allow pulling the SELinux policy for CTS purposes
allow shell selinuxfs:dir r_dir_perms;
allow shell selinuxfs:file r_file_perms;

# enable shell domain to read/write files/dirs for bootchart data
# User will creates the start and stop file via adb shell
# and read other files created by init process under /data/bootchart
allow shell bootchart_data_file:dir rw_dir_perms;
allow shell bootchart_data_file:file create_file_perms;

# Make sure strace works for the non-privileged shell user
allow shell self:process ptrace;

# allow shell to get battery info
allow shell sysfs:dir r_dir_perms;
allow shell sysfs_batteryinfo:dir r_dir_perms;
allow shell sysfs_batteryinfo:file r_file_perms;

# Allow reads (but not writes) of the MGLRU state
allow shell sysfs_lru_gen_enabled:file r_file_perms;

# Allow communicating with the VM terminal.
userdebug_or_eng(`
  allow shell vmlauncher_app_devpts:chr_file rw_file_perms;
  allowxperm shell vmlauncher_app_devpts:chr_file ioctl unpriv_tty_ioctls;
')

# Allow CTS to check whether AVF debug policy is installed
allow shell { proc_dt_avf sysfs_dt_avf }:dir search;

# Allow access to ion memory allocation device.
allow shell ion_device:chr_file rw_file_perms;

#
# filesystem test for insecure chr_file's is done
# via a host side test
#
allow shell dev_type:dir r_dir_perms;
allow shell dev_type:chr_file getattr;

# /dev/fd is a symlink
allow shell proc:lnk_file getattr;

#
# filesystem test for insucre blk_file's is done
# via hostside test
#
allow shell dev_type:blk_file getattr;

# read selinux policy files
allow shell file_contexts_file:file r_file_perms;
allow shell property_contexts_file:file r_file_perms;
allow shell seapp_contexts_file:file r_file_perms;
allow shell service_contexts_file:file r_file_perms;
allow shell sepolicy_file:file r_file_perms;

# Allow shell to start up vendor shell
allow shell vendor_shell_exec:file rx_file_perms;

is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
  allow shell linux_vm_setup_exec:file { entrypoint r_file_perms };
')

allow shell tee_service_contexts_file:file r_file_perms;
allow shell test_pkvm_tee_service:tee_service use;

# Everything is labeled as rootfs in recovery mode. Allow shell to
# execute them.
recovery_only(`
  allow shell rootfs:file rx_file_perms;
')

###
### Neverallow rules
###

# Do not allow shell to talk directly to security HAL services other than
# hal_remotelyprovisionedcomponent_service
neverallow shell {
  hal_keymint_service
  hal_secureclock_service
  hal_sharedsecret_service
  virtualization_service
}:service_manager find;

# Do not allow shell to hard link to any files.
# In particular, if shell hard links to app data
# files, installd will not be able to guarantee the deletion
# of the linked to file. Hard links also contribute to security
# bugs, so we want to ensure the shell user never has this
# capability.
neverallow shell file_type:file link;

# Do not allow privileged socket ioctl commands
neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;

# limit shell access to sensitive char drivers to
# only getattr required for host side test.
neverallow shell {
  fuse_device
  hw_random_device
  port_device
}:chr_file ~getattr;

# Limit shell to only getattr on blk devices for host side tests.
neverallow shell dev_type:blk_file ~getattr;

# b/30861057: Shell access to existing input devices is an abuse
# vector. The shell user can inject events that look like they
# originate from the touchscreen etc.
# Everyone should have already moved to UiAutomation#injectInputEvent
# if they are running instrumentation tests (i.e. CTS), Monkey for
# their stress tests, and the input command (adb shell input ...) for
# injecting swipes and things.
neverallow shell input_device:chr_file no_w_file_perms;

neverallow shell self:perf_event ~{ open read write kernel };

# Never allow others to set or get the perf.drop_caches property.
neverallow { domain -shell -init } perf_drop_caches_prop:property_service set;
neverallow { domain -shell -init -dumpstate } perf_drop_caches_prop:file read;