blob: b7b4e03ff5f6f5e4d6f02051dc5e2299aea44306 [file] [log] [blame]
# Domain for shell processes spawned by ADB or console service.
type shell, domain, mlstrustedsubject;
type shell_exec, exec_type, file_type;
# Create and use network sockets.
# Run app_process.
# XXX Transition into its own domain?
# logcat
# logcat -L (directly, or via dumpstate)
allow shell pstorefs:dir search;
allow shell pstorefs:file r_file_perms;
# logpersistd (nee logcatd) files
allow shell misc_logd_file:dir r_dir_perms;
allow shell misc_logd_file:file r_file_perms;
# Root fs.
allow shell rootfs:dir r_dir_perms;
# read files in /data/anr
allow shell anr_data_file:dir r_dir_perms;
allow shell anr_data_file:file r_file_perms;
# Access /data/local/tmp.
allow shell shell_data_file:dir create_dir_perms;
allow shell shell_data_file:file create_file_perms;
allow shell shell_data_file:file rx_file_perms;
allow shell shell_data_file:lnk_file create_file_perms;
# Read/execute files in /data/nativetest
allow shell nativetest_data_file:dir r_dir_perms;
allow shell nativetest_data_file:file rx_file_perms;
# adb bugreport
unix_socket_connect(shell, dumpstate, dumpstate)
allow shell devpts:chr_file rw_file_perms;
allow shell tty_device:chr_file rw_file_perms;
allow shell console_device:chr_file rw_file_perms;
allow shell input_device:dir r_dir_perms;
allow shell input_device:chr_file rw_file_perms;
r_dir_file(shell, system_file)
allow shell system_file:file x_file_perms;
allow shell toolbox_exec:file rx_file_perms;
allow shell shell_exec:file rx_file_perms;
allow shell zygote_exec:file rx_file_perms;
r_dir_file(shell, apk_data_file)
# Set properties.
set_prop(shell, shell_prop)
set_prop(shell, ctl_bugreport_prop)
set_prop(shell, ctl_dumpstate_prop)
set_prop(shell, dumpstate_prop)
set_prop(shell, debug_prop)
set_prop(shell, powerctl_prop)
userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)')
# systrace support - allow atrace to run
allow shell debugfs_tracing:dir r_dir_perms;
allow shell debugfs_tracing:file rw_file_perms;
allow shell debugfs_trace_marker:file getattr;
allow shell atrace_exec:file rx_file_perms;
# "systrace --boot" support - allow boottrace service to run
allow shell boottrace_data_file:dir rw_dir_perms;
allow shell boottrace_data_file:file create_file_perms;
set_prop(shell, persist_debug_prop)
# allow shell to run dmesg
allow shell kernel:system syslog_read;
# allow shell access to services
allow shell servicemanager:service_manager list;
# don't allow shell to access GateKeeper service
allow shell { service_manager_type -gatekeeper_service }:service_manager find;
# allow shell to look through /proc/ for ps, top, netstat
r_dir_file(shell, proc)
r_dir_file(shell, proc_net)
allow shell proc_interrupts:file r_file_perms;
allow shell proc_meminfo:file r_file_perms;
allow shell proc_stat:file r_file_perms;
allow shell proc_timer:file r_file_perms;
allow shell proc_zoneinfo:file r_file_perms;
r_dir_file(shell, cgroup)
allow shell domain:dir { search open read getattr };
allow shell domain:{ file lnk_file } { open read getattr };
# statvfs() of /proc and other labeled filesystems
# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs)
allow shell { proc labeledfs }:filesystem getattr;
# stat() of /dev
allow shell device:dir getattr;
# allow shell to read /proc/pid/attr/current for ps -Z
allow shell domain:process getattr;
# Allow pulling the SELinux policy for CTS purposes
allow shell selinuxfs:dir r_dir_perms;
allow shell selinuxfs:file r_file_perms;
# enable shell domain to read/write files/dirs for bootchart data
# User will creates the start and stop file via adb shell
# and read other files created by init process under /data/bootchart
allow shell bootchart_data_file:dir rw_dir_perms;
allow shell bootchart_data_file:file create_file_perms;
# Make sure strace works for the non-privileged shell user
allow shell self:process ptrace;
# allow shell to get battery info
allow shell sysfs_batteryinfo:file r_file_perms;
allow shell sysfs:dir r_dir_perms;
# Allow access to ion memory allocation device.
allow shell ion_device:chr_file rw_file_perms;
# filesystem test for insecure chr_file's is done
# via a host side test
allow shell dev_type:dir r_dir_perms;
allow shell dev_type:chr_file getattr;
# /dev/fd is a symlink
allow shell proc:lnk_file getattr;
# filesystem test for insucre blk_file's is done
# via hostside test
allow shell dev_type:blk_file getattr;
### Neverallow rules
# Do not allow shell to hard link to any files.
# In particular, if shell hard links to app data
# files, installd will not be able to guarantee the deletion
# of the linked to file. Hard links also contribute to security
# bugs, so we want to ensure the shell user never has this
# capability.
neverallow shell file_type:file link;
# limit shell access to sensitive char drivers to
# only getattr required for host side test.
neverallow shell {
}:chr_file ~getattr;
# Limit shell to only getattr on blk devices for host side tests.
neverallow shell dev_type:blk_file ~getattr;