Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / refs/heads/android-15 / . / microdroid / system / private / shell.te
blob: ba887705093ed7c7cc2804949dc24c1c429a9eb0 [file] [log] [blame]
Alan Stokes7bde36e2022-03-09 16:41:06 +0000[diff] [blame]1typeattribute shell coredomain;
Inseob Kime1389972021-07-19 07:48:34 +0000[diff] [blame]2
Inseob Kim9bad60c2024-03-28 15:23:18 +0900[diff] [blame]3# Root fs.
4allow shell rootfs:dir r_dir_perms;
5
6# Access /data/local/tmp.
7allow shell shell_data_file:dir create_dir_perms;
8allow shell shell_data_file:file create_file_perms;
9allow shell shell_data_file:file rx_file_perms;
10allow shell shell_data_file:lnk_file create_file_perms;
11
12allow shell devpts:chr_file rw_file_perms;
13allow shell tty_device:chr_file rw_file_perms;
14allow shell console_device:chr_file rw_file_perms;
15
16r_dir_file(shell, system_file)
17allow shell system_file:file x_file_perms;
18allow shell toolbox_exec:file rx_file_perms;
19allow shell shell_exec:file rx_file_perms;
20
21# allow shell to look through /proc/ for lsmod, ps, top, netstat, vmstat.
22r_dir_file(shell, proc_net_type)
23
24allow shell {
25 proc_asound
26 proc_filesystems
27 proc_interrupts
28 proc_loadavg # b/124024827
29 proc_meminfo
30 proc_modules
31 proc_pid_max
32 proc_slabinfo
33 proc_stat
34 proc_timer
35 proc_uptime
36 proc_version
37 proc_vmstat
38 proc_zoneinfo
39}:file r_file_perms;
40
41# allow listing network interfaces under /sys/class/net.
42allow shell sysfs_net:dir r_dir_perms;
43
44r_dir_file(shell, cgroup)
45allow shell cgroup_desc_file:file r_file_perms;
Inseob Kim9bad60c2024-03-28 15:23:18 +0900[diff] [blame]46r_dir_file(shell, cgroup_v2)
47allow shell domain:dir { search open read getattr };
48allow shell domain:{ file lnk_file } { open read getattr };
49
50# statvfs() of /proc and other labeled filesystems
51# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs, overlay)
52allow shell { proc labeledfs }:filesystem getattr;
53
54# stat() of /dev
55allow shell device:dir getattr;
56
57# allow shell to read /proc/pid/attr/current for ps -Z
58allow shell domain:process getattr;
59
60# Allow pulling the SELinux policy for CTS purposes
61allow shell selinuxfs:dir r_dir_perms;
62allow shell selinuxfs:file r_file_perms;
63
64# /dev/fd is a symlink
65allow shell proc:lnk_file getattr;
66
67# read selinux policy files
68allow shell file_contexts_file:file r_file_perms;
69allow shell property_contexts_file:file r_file_perms;
70allow shell service_contexts_file:file r_file_perms;
71allow shell sepolicy_file:file r_file_perms;
72
Inseob Kime1389972021-07-19 07:48:34 +0000[diff] [blame]73# Perform SELinux access checks, needed for CTS
74selinux_check_access(shell)
75selinux_check_context(shell)
76
77# Allow shell to run adb shell cmd stats commands. Needed for CTS.
78binder_call(shell, statsd);
79
Inseob Kime1389972021-07-19 07:48:34 +0000[diff] [blame]80# Connect to adbd and use a socket transferred from it.
81# This is used for e.g. adb backup/restore.
82allow shell adbd:unix_stream_socket connectto;
83allow shell adbd:fd use;
84allow shell adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
85
86# filesystem test for insecure chr_file's is done
87# via a host side test
88allow shell dev_type:dir r_dir_perms;
89allow shell dev_type:chr_file getattr;
90
91# filesystem test for insucre blk_file's is done
92# via hostside test
93allow shell dev_type:blk_file getattr;
Inseob Kim76876002021-08-05 02:05:16 +0000[diff] [blame]94
95# Test tool automatically tries to access /sys/class/power_supply.
96# Suppressing it as we don't need power_supply in microdroid.
97dontaudit shell sysfs:dir r_dir_perms;
Inseob Kim5ee61a72021-09-17 19:31:45 +0900[diff] [blame]98
99# Test tool tries to read various service status properties.
Victor Hsieha62b3ff2022-05-02 09:47:11 -0700[diff] [blame]100get_prop(shell, boot_status_prop)
Inseob Kim5ee61a72021-09-17 19:31:45 +0900[diff] [blame]101get_prop(shell, init_service_status_prop)
102get_prop(shell, init_service_status_private_prop)
103
104set_prop(shell, log_tag_prop)