| Dan Cashman | 91d398d | 2017-09-26 12:58:29 -0700 | [diff] [blame] | 1 | # Domain for shell processes spawned by ADB or console service. |
| 2 | type shell, domain, mlstrustedsubject; |
| 3 | type shell_exec, exec_type, file_type; |
| 4 | |
| 5 | # Create and use network sockets. |
| 6 | net_domain(shell) |
| 7 | |
| 8 | # logcat |
| 9 | read_logd(shell) |
| 10 | control_logd(shell) |
| 11 | # logcat -L (directly, or via dumpstate) |
| 12 | allow shell pstorefs:dir search; |
| 13 | allow shell pstorefs:file r_file_perms; |
| 14 | |
| 15 | # Root fs. |
| 16 | allow shell rootfs:dir r_dir_perms; |
| 17 | |
| 18 | # read files in /data/anr |
| 19 | allow shell anr_data_file:dir r_dir_perms; |
| 20 | allow shell anr_data_file:file r_file_perms; |
| 21 | |
| 22 | # Access /data/local/tmp. |
| 23 | allow shell shell_data_file:dir create_dir_perms; |
| 24 | allow shell shell_data_file:file create_file_perms; |
| 25 | allow shell shell_data_file:file rx_file_perms; |
| 26 | allow shell shell_data_file:lnk_file create_file_perms; |
| 27 | |
| 28 | # Access /data/misc/profman. |
| 29 | allow shell profman_dump_data_file:dir { search getattr write remove_name }; |
| 30 | allow shell profman_dump_data_file:file { getattr unlink }; |
| 31 | |
| 32 | # Read/execute files in /data/nativetest |
| 33 | userdebug_or_eng(` |
| 34 | allow shell nativetest_data_file:dir r_dir_perms; |
| 35 | allow shell nativetest_data_file:file rx_file_perms; |
| 36 | ') |
| 37 | |
| 38 | # adb bugreport |
| 39 | unix_socket_connect(shell, dumpstate, dumpstate) |
| 40 | |
| 41 | allow shell devpts:chr_file rw_file_perms; |
| 42 | allow shell tty_device:chr_file rw_file_perms; |
| 43 | allow shell console_device:chr_file rw_file_perms; |
| 44 | allow shell input_device:dir r_dir_perms; |
| 45 | allow shell input_device:chr_file rw_file_perms; |
| 46 | r_dir_file(shell, system_file) |
| 47 | allow shell system_file:file x_file_perms; |
| 48 | allow shell toolbox_exec:file rx_file_perms; |
| 49 | allow shell shell_exec:file rx_file_perms; |
| 50 | allow shell zygote_exec:file rx_file_perms; |
| 51 | |
| 52 | r_dir_file(shell, apk_data_file) |
| 53 | |
| 54 | # Set properties. |
| 55 | set_prop(shell, shell_prop) |
| 56 | set_prop(shell, ctl_bugreport_prop) |
| 57 | set_prop(shell, ctl_dumpstate_prop) |
| 58 | set_prop(shell, dumpstate_prop) |
| 59 | set_prop(shell, debug_prop) |
| 60 | set_prop(shell, powerctl_prop) |
| 61 | set_prop(shell, log_tag_prop) |
| 62 | set_prop(shell, wifi_log_prop) |
| 63 | # adjust is_loggable properties |
| 64 | userdebug_or_eng(`set_prop(shell, log_prop)') |
| 65 | # logpersist script |
| 66 | userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)') |
| 67 | |
| 68 | userdebug_or_eng(` |
| 69 | # "systrace --boot" support - allow boottrace service to run |
| 70 | allow shell boottrace_data_file:dir rw_dir_perms; |
| 71 | allow shell boottrace_data_file:file create_file_perms; |
| 72 | set_prop(shell, persist_debug_prop) |
| 73 | ') |
| 74 | |
| 75 | # Read device's serial number from system properties |
| 76 | get_prop(shell, serialno_prop) |
| 77 | |
| 78 | # Read state of logging-related properties |
| 79 | get_prop(shell, device_logging_prop) |
| 80 | |
| 81 | # allow shell access to services |
| 82 | allow shell servicemanager:service_manager list; |
| 83 | # don't allow shell to access GateKeeper service |
| 84 | # TODO: why is this so broad? Tightening candidate? It needs at list: |
| 85 | # - dumpstate_service (so it can receive dumpstate progress updates) |
| 86 | allow shell { service_manager_type -gatekeeper_service -incident_service -installd_service -netd_service -virtual_touchpad_service -vr_hwc_service }:service_manager find; |
| 87 | allow shell dumpstate:binder call; |
| 88 | |
| 89 | # allow shell to get information from hwservicemanager |
| 90 | # for instance, listing hardware services with lshal |
| 91 | hwbinder_use(shell) |
| 92 | allow shell hwservicemanager:hwservice_manager list; |
| 93 | |
| 94 | # allow shell to look through /proc/ for ps, top, netstat |
| 95 | r_dir_file(shell, proc) |
| 96 | r_dir_file(shell, proc_net) |
| 97 | allow shell proc_interrupts:file r_file_perms; |
| 98 | allow shell proc_meminfo:file r_file_perms; |
| 99 | allow shell proc_stat:file r_file_perms; |
| 100 | allow shell proc_timer:file r_file_perms; |
| 101 | allow shell proc_zoneinfo:file r_file_perms; |
| 102 | r_dir_file(shell, cgroup) |
| 103 | allow shell domain:dir { search open read getattr }; |
| 104 | allow shell domain:{ file lnk_file } { open read getattr }; |
| 105 | |
| 106 | # statvfs() of /proc and other labeled filesystems |
| 107 | # (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs) |
| 108 | allow shell { proc labeledfs }:filesystem getattr; |
| 109 | |
| 110 | # stat() of /dev |
| 111 | allow shell device:dir getattr; |
| 112 | |
| 113 | # allow shell to read /proc/pid/attr/current for ps -Z |
| 114 | allow shell domain:process getattr; |
| 115 | |
| 116 | # Allow pulling the SELinux policy for CTS purposes |
| 117 | allow shell selinuxfs:dir r_dir_perms; |
| 118 | allow shell selinuxfs:file r_file_perms; |
| 119 | |
| 120 | # enable shell domain to read/write files/dirs for bootchart data |
| 121 | # User will creates the start and stop file via adb shell |
| 122 | # and read other files created by init process under /data/bootchart |
| 123 | allow shell bootchart_data_file:dir rw_dir_perms; |
| 124 | allow shell bootchart_data_file:file create_file_perms; |
| 125 | |
| 126 | # Make sure strace works for the non-privileged shell user |
| 127 | allow shell self:process ptrace; |
| 128 | |
| 129 | # allow shell to get battery info |
| 130 | allow shell sysfs_batteryinfo:file r_file_perms; |
| 131 | allow shell sysfs:dir r_dir_perms; |
| 132 | |
| 133 | # Allow access to ion memory allocation device. |
| 134 | allow shell ion_device:chr_file rw_file_perms; |
| 135 | |
| 136 | # |
| 137 | # filesystem test for insecure chr_file's is done |
| 138 | # via a host side test |
| 139 | # |
| 140 | allow shell dev_type:dir r_dir_perms; |
| 141 | allow shell dev_type:chr_file getattr; |
| 142 | |
| 143 | # /dev/fd is a symlink |
| 144 | allow shell proc:lnk_file getattr; |
| 145 | |
| 146 | # |
| 147 | # filesystem test for insucre blk_file's is done |
| 148 | # via hostside test |
| 149 | # |
| 150 | allow shell dev_type:blk_file getattr; |
| 151 | |
| 152 | # read selinux policy files |
| 153 | allow shell file_contexts_file:file r_file_perms; |
| 154 | allow shell property_contexts_file:file r_file_perms; |
| 155 | allow shell seapp_contexts_file:file r_file_perms; |
| 156 | allow shell service_contexts_file:file r_file_perms; |
| 157 | allow shell sepolicy_file:file r_file_perms; |
| 158 | |
| 159 | ### |
| 160 | ### Neverallow rules |
| 161 | ### |
| 162 | |
| 163 | # Do not allow shell to hard link to any files. |
| 164 | # In particular, if shell hard links to app data |
| 165 | # files, installd will not be able to guarantee the deletion |
| 166 | # of the linked to file. Hard links also contribute to security |
| 167 | # bugs, so we want to ensure the shell user never has this |
| 168 | # capability. |
| 169 | neverallow shell file_type:file link; |
| 170 | |
| 171 | # Do not allow privileged socket ioctl commands |
| 172 | neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls; |
| 173 | |
| 174 | # limit shell access to sensitive char drivers to |
| 175 | # only getattr required for host side test. |
| 176 | neverallow shell { |
| 177 | fuse_device |
| 178 | hw_random_device |
| 179 | kmem_device |
| 180 | port_device |
| 181 | }:chr_file ~getattr; |
| 182 | |
| 183 | # Limit shell to only getattr on blk devices for host side tests. |
| 184 | neverallow shell dev_type:blk_file ~getattr; |