blob: 3b7a1f525d5b407ce1dbc5f778c4f3dce9ca9cb4 [file] [log] [blame]
Alan Stokes81e4e872020-02-11 14:43:05 +00001typeattribute shell coredomain, mlstrustedsubject;
Alex Klyubinf5446eb2017-03-23 14:27:32 -07002
Siarhei Vishniakou2a7f5712017-05-10 19:37:06 -07003# allow shell input injection
4allow shell uhid_device:chr_file rw_file_perms;
5
dcashman2e00e632016-10-12 14:58:09 -07006# systrace support - allow atrace to run
Carmen Jackson2c8ca452018-01-30 18:14:45 -08007allow shell debugfs_tracing_debug:dir r_dir_perms;
dcashman2e00e632016-10-12 14:58:09 -07008allow shell debugfs_tracing:dir r_dir_perms;
Joel Galenson27c0aa72017-07-26 16:22:50 -07009allow shell debugfs_tracing:file rw_file_perms;
dcashman2e00e632016-10-12 14:58:09 -070010allow shell debugfs_trace_marker:file getattr;
11allow shell atrace_exec:file rx_file_perms;
12
Carmen Jackson25788df2017-04-14 12:12:50 -070013userdebug_or_eng(`
Joel Galenson47966ce2017-07-27 09:50:25 -070014 allow shell debugfs_tracing_debug:file rw_file_perms;
Carmen Jackson25788df2017-04-14 12:12:50 -070015')
16
Carmen Jackson2c8ca452018-01-30 18:14:45 -080017# read config.gz for CTS purposes
18allow shell config_gz:file r_file_perms;
19
Florian Mayer6c689e82024-02-14 10:54:58 -080020# allow reading tombstones. users can already use bugreports to get those.
21allow shell tombstone_data_file:dir r_dir_perms;
22allow shell tombstone_data_file:file r_file_perms;
23
dcashman3e8dbf02016-12-08 11:23:34 -080024# Run app_process.
25# XXX Transition into its own domain?
26app_domain(shell)
Jin Qiana239f302017-03-23 12:28:20 -070027
28# allow shell to call dumpsys storaged
29binder_call(shell, storaged)
Nick Kralevich14e2e922017-05-08 09:51:59 -070030
31# Perform SELinux access checks, needed for CTS
32selinux_check_access(shell)
33selinux_check_context(shell)
Primiano Tuccic80f9e02017-12-21 03:51:15 +010034
35# Control Perfetto traced and obtain traces from it.
36# Needed for Studio and debugging.
37unix_socket_connect(shell, traced_consumer, traced)
38
39# Allow shell binaries to write trace data to Perfetto. Used for testing and
40# cmdline utils.
Florian Mayer5e522812019-10-08 16:15:14 +010041perfetto_producer(shell)
Yifan Hong00ab5d82018-01-11 11:01:30 -080042
43domain_auto_trans(shell, vendor_shell_exec, vendor_shell)
Primiano Tucci1a9f4f72018-01-24 16:07:09 +000044
David Andersonbad9ca12024-10-28 15:23:35 -070045# Allow shell to execute tradeinmode on userdebug builds, for testing.
46userdebug_or_eng(`
47 domain_auto_trans(shell, tradeinmode_exec, tradeinmode)
48')
49
Primiano Tucci1a9f4f72018-01-24 16:07:09 +000050# Allow shell binaries to exec the perfetto cmdline util and have that
51# transition into its own domain, so that it behaves consistently to
52# when exec()-d by statsd.
53domain_auto_trans(shell, perfetto_exec, perfetto)
Florian Mayeraeca04b2018-12-06 13:28:01 +000054# Allow to send SIGINT to perfetto when daemonized.
55allow shell perfetto:process signal;
Primiano Tucci1a9f4f72018-01-24 16:07:09 +000056
Bookatz022ab0e2018-02-13 09:33:36 -080057# Allow shell to run adb shell cmd stats commands. Needed for CTS.
58binder_call(shell, statsd);
59
Hongming Jin58f83412021-02-09 12:03:40 -080060# Allow shell to read and unlink traces stored in /data/misc/a11ytraces.
61userdebug_or_eng(`
62 allow shell accessibility_trace_data_file:dir rw_dir_perms;
63 allow shell accessibility_trace_data_file:file { r_file_perms unlink };
64')
65
Primiano Tucci1a9f4f72018-01-24 16:07:09 +000066# Allow shell to read and unlink traces stored in /data/misc/perfetto-traces.
67allow shell perfetto_traces_data_file:dir rw_dir_perms;
Florian Mayerc069bc12019-09-30 11:09:45 +010068allow shell perfetto_traces_data_file:file { r_file_perms unlink };
Primiano Tucci2bb85872021-01-18 09:26:57 +000069# ... and /data/misc/perfetto-traces/bugreport/ .
70allow shell perfetto_traces_bugreport_data_file:dir rw_dir_perms;
71allow shell perfetto_traces_bugreport_data_file:file { r_file_perms unlink };
Fan Xu26fa9142018-09-17 17:06:19 -070072
Primiano Tucci512bdb92020-10-13 21:13:09 +010073# Allow shell to create/remove configs stored in /data/misc/perfetto-configs.
74allow shell perfetto_configs_data_file:dir rw_dir_perms;
75allow shell perfetto_configs_data_file:file create_file_perms;
76
Yiwei Zhangff0f79c2018-11-27 15:21:43 -080077# Allow shell to run adb shell cmd gpu commands.
78binder_call(shell, gpuservice);
79
Wei Wangbc71a612018-09-19 16:06:28 -070080# Allow shell to use atrace HAL
81hal_client_domain(shell, hal_atrace)
Jeff Vander Stoep42451772018-09-28 10:55:14 -070082
83# For hostside tests such as CTS listening ports test.
84allow shell proc_net_tcp_udp:file r_file_perms;
Nick Kralevich905b4002019-02-25 15:11:40 -080085
86# The dl.exec_linker* tests need to execute /system/bin/linker
87# b/124789393
88allow shell system_linker_exec:file rx_file_perms;
Nick Kralevich68e27ca2019-02-26 12:30:42 -080089
90# Renderscript host side tests depend on being able to execute
91# /system/bin/bcc (b/126388046)
92allow shell rs_exec:file rx_file_perms;
Yifan Hong18ade862019-03-14 15:45:03 -070093
Roland Levillain06bee182020-11-02 13:52:54 +000094# Allow (host-driven) ART run-tests to execute dex2oat, in order to
95# check ART's compiler.
96allow shell dex2oat_exec:file rx_file_perms;
Martin Stjernholm1e0b4a52022-04-14 17:42:11 +010097allow shell dex2oat_exec:lnk_file read;
Roland Levillain06bee182020-11-02 13:52:54 +000098
Yifan Hong18ade862019-03-14 15:45:03 -070099# Allow shell to start and comminicate with lpdumpd.
100set_prop(shell, lpdumpd_prop);
101binder_call(shell, lpdumpd)
Kiyoung Kim82c87ed2019-08-09 14:20:34 +0900102
Nikita Ioffe91c37952020-03-12 14:45:00 +0000103# Allow shell to set and read value of properties used for CTS tests of
104# userspace reboot
105set_prop(shell, userspace_reboot_test_prop)
106
Michael Rosenfeld5425c872021-11-17 15:48:47 -0800107# Allow shell to set this property to disable charging.
108set_prop(shell, power_debug_prop)
109
JW Wang0f8cf042021-02-24 14:29:06 +0800110# Allow shell to set this property used for rollback tests
111set_prop(shell, rollback_test_prop)
112
Seth Moored3bd6862023-02-24 11:50:51 -0800113# Allow shell to set RKP properties for testing purposes
114set_prop(shell, remote_prov_prop)
115
Steven Morelande7400802024-10-19 00:06:33 +0000116# Allow shell to enable 16 KB backcompat globally.
117set_prop(shell, bionic_linker_16kb_app_compat_prop)
118
Eric Biggersb57af5d2019-09-27 13:33:27 -0700119# Allow shell to get encryption policy of /data/local/tmp/, for CTS
120allowxperm shell shell_data_file:dir ioctl {
121 FS_IOC_GET_ENCRYPTION_POLICY
122 FS_IOC_GET_ENCRYPTION_POLICY_EX
123};
Ryan Savitskiffa0dd92020-01-10 19:02:43 +0000124
125# Allow shell to execute simpleperf without a domain transition.
126allow shell simpleperf_exec:file rx_file_perms;
127
Yi Kongb7bb6492021-07-27 17:06:50 +0800128userdebug_or_eng(`
129 # Allow shell to execute profcollectctl without a domain transition.
130 allow shell profcollectd_exec:file rx_file_perms;
131
132 # Allow shell to read profcollectd data files.
133 r_dir_file(shell, profcollectd_data_file)
134
135 # Allow to issue control commands to profcollectd binder service.
136 allow shell profcollectd:binder call;
137')
Yi Kong45551232020-09-01 01:54:01 +0800138
Yi-Yo Chiang686d7792022-11-01 15:08:09 +0800139# Allow shell to run remount command.
140allow shell remount_exec:file rx_file_perms;
141
Ryan Savitskiffa0dd92020-01-10 19:02:43 +0000142# Allow shell to call perf_event_open for profiling other shell processes, but
143# not the whole system.
144allow shell self:perf_event { open read write kernel };
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900145
Seungjae Yood2a08922023-11-15 17:59:30 +0900146# Allow shell to read microdroid vendor image
147r_dir_file(shell, vendor_microdroid_file)
148
Jiyong Parkabdc9732021-06-14 08:30:43 +0900149# Allow shell to read /apex/apex-info-list.xml and the vendor apexes
Tej Singh75385ef2021-06-07 13:27:52 -0700150allow shell apex_info_file:file r_file_perms;
Jiyong Parkabdc9732021-06-14 08:30:43 +0900151allow shell vendor_apex_file:file r_file_perms;
152allow shell vendor_apex_file:dir r_dir_perms;
Jooyung Hanb6211b82023-05-31 17:51:14 +0900153allow shell vendor_apex_metadata_file:dir r_dir_perms;
Tej Singh75385ef2021-06-07 13:27:52 -0700154
Alan Stokes54907522022-02-25 11:59:25 +0000155# Allow shell to read updated APEXes under /data/apex
156allow shell apex_data_file:dir search;
157allow shell staging_data_file:file r_file_perms;
158
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900159# Set properties.
160set_prop(shell, shell_prop)
161set_prop(shell, ctl_bugreport_prop)
162set_prop(shell, ctl_dumpstate_prop)
163set_prop(shell, dumpstate_prop)
164set_prop(shell, exported_dumpstate_prop)
165set_prop(shell, debug_prop)
Michael Rosenfeld3ccbebb2021-02-10 18:45:35 -0800166set_prop(shell, perf_drop_caches_prop)
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900167set_prop(shell, powerctl_prop)
168set_prop(shell, log_tag_prop)
169set_prop(shell, wifi_log_prop)
170# Allow shell to start/stop traced via the persist.traced.enable
171# property (which also takes care of /data/misc initialization).
172set_prop(shell, traced_enabled_prop)
Snild Dolkowef0f3692023-11-10 10:58:01 +0100173# adjust SELinux audit rates
174set_prop(shell, logd_auditrate_prop)
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900175# adjust is_loggable properties
176userdebug_or_eng(`set_prop(shell, log_prop)')
177# logpersist script
178userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)')
179# Allow shell to start/stop heapprofd via the persist.heapprofd.enable
180# property.
181set_prop(shell, heapprofd_enabled_prop)
182# Allow shell to start/stop traced_perf via the persist.traced_perf.enable
183# property.
184set_prop(shell, traced_perf_enabled_prop)
185# Allow shell to start/stop gsid via ctl.start|stop|restart gsid.
186set_prop(shell, ctl_gsid_prop)
David Anderson09bb9442020-11-13 00:45:59 -0800187set_prop(shell, ctl_snapuserd_prop)
Akilesh Kailashdd8c0902024-11-11 15:49:46 -0800188# Allow shell to start/stop prefetch
189set_prop(shell, ctl_prefetch_prop)
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900190# Allow shell to enable Dynamic System Update
191set_prop(shell, dynamic_system_prop)
192# Allow shell to mock an OTA using persist.pm.mock-upgrade
193set_prop(shell, mock_ota_prop)
194
195# Read device's serial number from system properties
196get_prop(shell, serialno_prop)
197
198# Allow shell to read the vendor security patch level for CTS
199get_prop(shell, vendor_security_patch_level_prop)
200
201# Read state of logging-related properties
202get_prop(shell, device_logging_prop)
203
204# Read state of boot reason properties
205get_prop(shell, bootloader_boot_reason_prop)
206get_prop(shell, last_boot_reason_prop)
207get_prop(shell, system_boot_reason_prop)
208
Max Bires4d3dcd62022-10-07 12:51:15 -0700209# Allow shell to execute the remote key provisioning factory tool
210binder_call(shell, hal_keymint)
Alice Wang4877bed2024-06-27 14:12:10 +0000211# Allow shell to run the AVF RKP HAL during the execution of the remote key
212# provisioning factory tool.
213# TODO(b/351113293): Remove this once the AVF RKP HAL registration is moved to
214# a separate process.
215binder_call(shell, virtualizationservice)
Alice Wang6d3e6132024-08-05 09:55:16 +0000216# Allow the shell to inspect whether AVF remote attestation is supported
217# through the system property.
218get_prop(shell, avf_virtualizationservice_prop)
Max Bires4d3dcd62022-10-07 12:51:15 -0700219
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900220# Allow reading the outcome of perf_event_open LSM support test for CTS.
221get_prop(shell, init_perf_lsm_hooks_prop)
222
Yifan Hong6bb5a762020-10-06 17:52:17 -0700223# Allow shell to read boot image timestamps and fingerprints.
224get_prop(shell, build_bootimage_prop)
225
Martijn Coenenfd6d7082021-08-05 15:11:04 +0200226# Allow shell to read odsign verification properties
227get_prop(shell, odsign_prop)
228
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900229userdebug_or_eng(`set_prop(shell, persist_debug_prop)')
Peiyong Lin37dea072020-06-03 12:20:41 -0700230
Janis Danisevskis47f37612020-07-27 13:07:39 -0700231# Allow shell to read the keystore key contexts files. Used by native tests to test label lookup.
232allow shell keystore2_key_contexts_file:file r_file_perms;
233
234# Allow shell to access the keystore2_key namespace shell_key. Mainly used for native tests.
Janis Danisevskised96f5c2020-09-24 08:55:28 -0700235allow shell shell_key:keystore2_key { delete rebind use get_info update };
Inseob Kim0cef0fe2020-11-17 13:54:52 +0900236
Allen Webbcda514a2021-07-19 14:32:41 -0700237# Allow shell to open and execute memfd files for minijail unit tests.
238userdebug_or_eng(`
239 allow shell appdomain_tmpfs:file { open execute_no_trans };
240')
241
Inseob Kim0cef0fe2020-11-17 13:54:52 +0900242# Allow shell to write db.log.detailed, db.log.slow_query_threshold*
243set_prop(shell, sqlite_log_prop)
Mitch Phillipseaf14042020-12-03 17:23:06 -0800244
245# Allow shell to write MTE properties even on user builds.
246set_prop(shell, arm64_memtag_prop)
Mitch Phillips98b3e4b2024-03-15 16:26:31 +0100247set_prop(shell, permissive_mte_prop)
Tianjiec3752cf2021-01-19 23:02:51 -0800248
Alice Ryhl6b9aa6d2024-02-21 15:18:14 +0000249# Allow shell to write kcmdline properties even on user builds.
250set_prop(shell, kcmdline_prop)
251
Tianjiec3752cf2021-01-19 23:02:51 -0800252# Allow shell to read the dm-verity props on user builds.
253get_prop(shell, verity_status_prop)
Yifan Honga18cf7e2021-02-17 12:06:12 -0800254
255# Allow shell to read Virtual A/B related properties
256get_prop(shell, virtual_ab_prop)
Michael Rosenfeld3ccbebb2021-02-10 18:45:35 -0800257
Yi-Yo Chiang694ab792021-04-09 13:39:20 +0800258# Allow ReadDefaultFstab() for CTS.
259read_fstab(shell)
Nikita Ioffe681ad262021-06-10 15:37:25 +0100260
261# Allow shell read access to /apex/apex-info-list.xml for CTS.
262allow shell apex_info_file:file r_file_perms;
Jiyong Parkf4083712021-07-10 14:35:06 +0900263
Alan Stokes39f49702021-09-02 11:10:59 +0100264# Let the shell user call virtualizationservice (and
265# virtualizationservice call back to shell) for debugging.
266virtualizationservice_use(shell)
Evan Rosky5cfdf2b2022-03-02 22:13:58 +0000267
268# Allow shell to set persist.wm.debug properties
269userdebug_or_eng(`set_prop(shell, persist_wm_debug_prop)')
Mitch Phillips8cd32cd2022-03-22 15:59:57 -0700270
271# Allow shell to write GWP-ASan properties even on user builds.
272set_prop(shell, gwp_asan_prop)
Alexander Roederer829d9742023-03-23 02:19:22 +0000273
274# Allow shell to set persist.sysui.notification.builder_extras_override property
275userdebug_or_eng(`set_prop(shell, persist_sysui_builder_extras_prop)')
Alexander Roederer584a8622023-05-31 21:25:50 +0000276# Allow shell to set persist.sysui.notification.ranking_update_ashmem property
277userdebug_or_eng(`set_prop(shell, persist_sysui_ranking_update_prop)')
Alexander Roederer829d9742023-03-23 02:19:22 +0000278
Wilson Sung679b7cb2023-09-12 11:24:05 +0800279# Allow shell to read the build properties for attestation feature
280get_prop(shell, build_attestation_prop)
281
Yu-Ting Tseng7dea3a32024-07-10 01:48:59 +0000282# Allow shell to execute oatdump.
Yu-Ting Tseng46e40492024-07-09 19:03:39 -0700283# TODO (b/350628688): Remove this once it's safe to do so.
Yu-Ting Tseng7dea3a32024-07-10 01:48:59 +0000284allow shell oatdump_exec:file rx_file_perms;
285
Inseob Kim75806ef2024-03-27 17:18:41 +0900286# Create and use network sockets.
287net_domain(shell)
288
289# logcat
290read_logd(shell)
291control_logd(shell)
292get_prop(shell, logd_prop)
293# logcat -L (directly, or via dumpstate)
294allow shell pstorefs:dir search;
295allow shell pstorefs:file r_file_perms;
296
297# Root fs.
298allow shell rootfs:dir r_dir_perms;
299
300# read files in /data/anr
301allow shell anr_data_file:dir r_dir_perms;
302allow shell anr_data_file:file r_file_perms;
303
304# Access /data/local/tmp.
305allow shell shell_data_file:dir create_dir_perms;
306allow shell shell_data_file:file create_file_perms;
307allow shell shell_data_file:file rx_file_perms;
308allow shell shell_data_file:lnk_file create_file_perms;
309
310# Access /data/local/tests.
311allow shell shell_test_data_file:dir create_dir_perms;
312allow shell shell_test_data_file:file create_file_perms;
313allow shell shell_test_data_file:file rx_file_perms;
314allow shell shell_test_data_file:lnk_file create_file_perms;
315allow shell shell_test_data_file:sock_file create_file_perms;
316
317# Read and delete from /data/local/traces.
318allow shell trace_data_file:file { r_file_perms unlink };
319allow shell trace_data_file:dir { r_dir_perms remove_name write };
320
321# Access /data/misc/profman.
322allow shell profman_dump_data_file:dir { write remove_name r_dir_perms };
323allow shell profman_dump_data_file:file { unlink r_file_perms };
324
325# Read/execute files in /data/nativetest
326userdebug_or_eng(`
327 allow shell nativetest_data_file:dir r_dir_perms;
328 allow shell nativetest_data_file:file rx_file_perms;
329')
330
331# adb bugreport
332unix_socket_connect(shell, dumpstate, dumpstate)
333
334allow shell devpts:chr_file rw_file_perms;
335allow shell tty_device:chr_file rw_file_perms;
336allow shell console_device:chr_file rw_file_perms;
337
338allow shell input_device:dir r_dir_perms;
339allow shell input_device:chr_file r_file_perms;
340
341r_dir_file(shell, system_file)
342allow shell system_file:file x_file_perms;
343allow shell toolbox_exec:file rx_file_perms;
344allow shell shell_exec:file rx_file_perms;
345allow shell zygote_exec:file rx_file_perms;
346
347userdebug_or_eng(`
348 # "systrace --boot" support - allow boottrace service to run
349 allow shell boottrace_data_file:dir rw_dir_perms;
350 allow shell boottrace_data_file:file create_file_perms;
351')
352
353# allow shell access to services
354allow shell servicemanager:service_manager list;
355# don't allow shell to access GateKeeper service
356# TODO: why is this so broad? Tightening candidate? It needs at list:
357# - dumpstate_service (so it can receive dumpstate progress updates)
358allow shell {
359 service_manager_type
360 -apex_service
361 -dnsresolver_service
362 -gatekeeper_service
363 -hal_keymint_service
364 -hal_secureclock_service
365 -hal_sharedsecret_service
366 -incident_service
367 -installd_service
368 -mdns_service
369 -netd_service
370 -system_suspend_control_internal_service
371 -system_suspend_control_service
372 -virtual_touchpad_service
373 -vold_service
374 -default_android_service
Alice Wang4877bed2024-06-27 14:12:10 +0000375 -virtualization_service
Inseob Kim75806ef2024-03-27 17:18:41 +0900376}:service_manager find;
377allow shell dumpstate:binder call;
378
379# allow shell to get information from hwservicemanager
380# for instance, listing hardware services with lshal
381hwbinder_use(shell)
382allow shell hwservicemanager:hwservice_manager list;
383
384# allow shell to look through /proc/ for lsmod, ps, top, netstat, vmstat.
385r_dir_file(shell, proc_net_type)
386
387allow shell {
388 proc_asound
T.J. Mercier716260a2024-04-26 18:28:28 +0000389 proc_cgroups
Inseob Kim75806ef2024-03-27 17:18:41 +0900390 proc_filesystems
391 proc_interrupts
392 proc_loadavg # b/124024827
393 proc_meminfo
394 proc_modules
395 proc_pid_max
396 proc_slabinfo
397 proc_stat
398 proc_timer
399 proc_uptime
400 proc_version
401 proc_vmstat
402 proc_zoneinfo
403}:file r_file_perms;
404
405# allow listing network interfaces under /sys/class/net.
406allow shell sysfs_net:dir r_dir_perms;
407
408r_dir_file(shell, cgroup)
409allow shell cgroup_desc_file:file r_file_perms;
Inseob Kim75806ef2024-03-27 17:18:41 +0900410allow shell vendor_cgroup_desc_file:file r_file_perms;
411r_dir_file(shell, cgroup_v2)
412allow shell domain:dir { search open read getattr };
413allow shell domain:{ file lnk_file } { open read getattr };
414
415# statvfs() of /proc and other labeled filesystems
416# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs, overlay)
417allow shell { proc labeledfs }:filesystem getattr;
418
419# stat() of /dev
420allow shell device:dir getattr;
421
422# allow shell to read /proc/pid/attr/current for ps -Z
423allow shell domain:process getattr;
424
425# Allow pulling the SELinux policy for CTS purposes
426allow shell selinuxfs:dir r_dir_perms;
427allow shell selinuxfs:file r_file_perms;
428
429# enable shell domain to read/write files/dirs for bootchart data
430# User will creates the start and stop file via adb shell
431# and read other files created by init process under /data/bootchart
432allow shell bootchart_data_file:dir rw_dir_perms;
433allow shell bootchart_data_file:file create_file_perms;
434
435# Make sure strace works for the non-privileged shell user
436allow shell self:process ptrace;
437
438# allow shell to get battery info
439allow shell sysfs:dir r_dir_perms;
440allow shell sysfs_batteryinfo:dir r_dir_perms;
441allow shell sysfs_batteryinfo:file r_file_perms;
442
T.J. Mercier12878e52024-04-26 19:27:06 +0000443# Allow reads (but not writes) of the MGLRU state
444allow shell sysfs_lru_gen_enabled:file r_file_perms;
445
Yi-Yo Chiang15bdfcb2024-05-10 18:01:47 +0800446# Allow communicating with the VM terminal.
447userdebug_or_eng(`
448 allow shell vmlauncher_app_devpts:chr_file rw_file_perms;
449 allowxperm shell vmlauncher_app_devpts:chr_file ioctl unpriv_tty_ioctls;
450')
451
Jaewan Kim168e04d2024-06-17 09:29:05 +0000452# Allow CTS to check whether AVF debug policy is installed
453allow shell { proc_dt_avf sysfs_dt_avf }:dir search;
454
Inseob Kim75806ef2024-03-27 17:18:41 +0900455# Allow access to ion memory allocation device.
456allow shell ion_device:chr_file rw_file_perms;
457
458#
459# filesystem test for insecure chr_file's is done
460# via a host side test
461#
462allow shell dev_type:dir r_dir_perms;
463allow shell dev_type:chr_file getattr;
464
465# /dev/fd is a symlink
466allow shell proc:lnk_file getattr;
467
468#
469# filesystem test for insucre blk_file's is done
470# via hostside test
471#
472allow shell dev_type:blk_file getattr;
473
474# read selinux policy files
475allow shell file_contexts_file:file r_file_perms;
476allow shell property_contexts_file:file r_file_perms;
477allow shell seapp_contexts_file:file r_file_perms;
478allow shell service_contexts_file:file r_file_perms;
479allow shell sepolicy_file:file r_file_perms;
480
481# Allow shell to start up vendor shell
482allow shell vendor_shell_exec:file rx_file_perms;
483
Jeongik Cha3335a042024-06-14 14:28:42 +0900484is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
Jeongik Cha4c36b702024-10-08 17:08:11 +0900485 allow shell linux_vm_setup_exec:file { entrypoint r_file_perms };
Jeongik Cha3335a042024-06-14 14:28:42 +0900486')
487
Nikita Ioffe48966b62024-10-22 14:01:17 +0000488allow shell tee_service_contexts_file:file r_file_perms;
Nikita Ioffe477e8f72024-10-24 12:46:00 +0000489allow shell test_pkvm_tee_service:tee_service use;
Nikita Ioffe48966b62024-10-22 14:01:17 +0000490
Inseob Kim75806ef2024-03-27 17:18:41 +0900491# Everything is labeled as rootfs in recovery mode. Allow shell to
492# execute them.
493recovery_only(`
494 allow shell rootfs:file rx_file_perms;
495')
496
497###
498### Neverallow rules
499###
500
501# Do not allow shell to talk directly to security HAL services other than
502# hal_remotelyprovisionedcomponent_service
503neverallow shell {
504 hal_keymint_service
505 hal_secureclock_service
506 hal_sharedsecret_service
Alice Wang4877bed2024-06-27 14:12:10 +0000507 virtualization_service
Inseob Kim75806ef2024-03-27 17:18:41 +0900508}:service_manager find;
509
510# Do not allow shell to hard link to any files.
511# In particular, if shell hard links to app data
512# files, installd will not be able to guarantee the deletion
513# of the linked to file. Hard links also contribute to security
514# bugs, so we want to ensure the shell user never has this
515# capability.
516neverallow shell file_type:file link;
517
518# Do not allow privileged socket ioctl commands
519neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
520
521# limit shell access to sensitive char drivers to
522# only getattr required for host side test.
523neverallow shell {
524 fuse_device
525 hw_random_device
526 port_device
527}:chr_file ~getattr;
528
529# Limit shell to only getattr on blk devices for host side tests.
530neverallow shell dev_type:blk_file ~getattr;
531
532# b/30861057: Shell access to existing input devices is an abuse
533# vector. The shell user can inject events that look like they
534# originate from the touchscreen etc.
535# Everyone should have already moved to UiAutomation#injectInputEvent
536# if they are running instrumentation tests (i.e. CTS), Monkey for
537# their stress tests, and the input command (adb shell input ...) for
538# injecting swipes and things.
539neverallow shell input_device:chr_file no_w_file_perms;
540
541neverallow shell self:perf_event ~{ open read write kernel };
542
543# Never allow others to set or get the perf.drop_caches property.
544neverallow { domain -shell -init } perf_drop_caches_prop:property_service set;
545neverallow { domain -shell -init -dumpstate } perf_drop_caches_prop:file read;