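# Domain for shell processes spawned by ADB or console service.
#
# NOTE(review): shell is the non-privileged interactive domain (see the strace
# rule below), reachable by anyone with adb or console access.  Every allow
# rule in this file is therefore directly exercisable by a local user; the
# neverallow rules at the end pin the grants that must never be widened.
# mlstrustedsubject carries the usual SELinux meaning (exempt from MLS
# constraints) -- confirm against this policy's mls file if that matters.
type shell, domain, mlstrustedsubject;
type shell_exec, exec_type, file_type;

# Create and use network sockets.
net_domain(shell)

# logcat
read_logd(shell)
control_logd(shell)
# logcat -L (directly, or via dumpstate)
allow shell pstorefs:dir search;
allow shell pstorefs:file r_file_perms;

# Root fs.
allow shell rootfs:dir r_dir_perms;

# read files in /data/anr
allow shell anr_data_file:dir r_dir_perms;
allow shell anr_data_file:file r_file_perms;

# Access /data/local/tmp.
# shell may both create and execute files here (create_file_perms plus
# rx_file_perms), i.e. it can write its own binaries and then run them.
allow shell shell_data_file:dir create_dir_perms;
allow shell shell_data_file:file create_file_perms;
allow shell shell_data_file:file rx_file_perms;
allow shell shell_data_file:lnk_file create_file_perms;

# Read and delete from /data/local/traces.
allow shell trace_data_file:file { r_file_perms unlink };
allow shell trace_data_file:dir { r_dir_perms remove_name write };

# Access /data/misc/profman.
allow shell profman_dump_data_file:dir { write remove_name r_dir_perms };
allow shell profman_dump_data_file:file { unlink r_file_perms };

# Read/execute files in /data/nativetest
# (userdebug_or_eng() is expected to compile its body only into
# userdebug/eng builds -- verify against the macro definition.)
userdebug_or_eng(`
  allow shell nativetest_data_file:dir r_dir_perms;
  allow shell nativetest_data_file:file rx_file_perms;
')

# adb bugreport
unix_socket_connect(shell, dumpstate, dumpstate)

allow shell devpts:chr_file rw_file_perms;
allow shell tty_device:chr_file rw_file_perms;
allow shell console_device:chr_file rw_file_perms;
allow shell input_device:dir r_dir_perms;
allow shell input_device:chr_file rw_file_perms;
r_dir_file(shell, system_file)
allow shell system_file:file x_file_perms;
allow shell toolbox_exec:file rx_file_perms;
allow shell tzdatacheck_exec:file rx_file_perms;
allow shell shell_exec:file rx_file_perms;
allow shell zygote_exec:file rx_file_perms;

r_dir_file(shell, apk_data_file)

# Set properties.
set_prop(shell, shell_prop)
set_prop(shell, ctl_bugreport_prop)
set_prop(shell, ctl_dumpstate_prop)
set_prop(shell, dumpstate_prop)
set_prop(shell, exported_dumpstate_prop)
set_prop(shell, debug_prop)
# NOTE(review): powerctl_prop presumably drives sys.powerctl (adb reboot);
# intended, but it is a local denial-of-service primitive -- confirm.
set_prop(shell, powerctl_prop)
set_prop(shell, log_tag_prop)
set_prop(shell, wifi_log_prop)
# Allow shell to start/stop traced via the persist.traced.enable
# property (which also takes care of /data/misc initialization).
set_prop(shell, traced_enabled_prop)
# adjust is_loggable properties
userdebug_or_eng(`set_prop(shell, log_prop)')
# logpersist script
userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)')

userdebug_or_eng(`
  # "systrace --boot" support - allow boottrace service to run
  allow shell boottrace_data_file:dir rw_dir_perms;
  allow shell boottrace_data_file:file create_file_perms;
  set_prop(shell, persist_debug_prop)
')

# Read device's serial number from system properties
get_prop(shell, serialno_prop)

# Allow shell to read the vendor security patch level for CTS
get_prop(shell, vendor_security_patch_level_prop)

# Read state of logging-related properties
get_prop(shell, device_logging_prop)

# Read state of boot reason properties
get_prop(shell, bootloader_boot_reason_prop)
get_prop(shell, last_boot_reason_prop)
get_prop(shell, system_boot_reason_prop)

# allow shell access to services
allow shell servicemanager:service_manager list;
# don't allow shell to access GateKeeper service
# TODO: why is this so broad? Tightening candidate? It needs at least:
# - dumpstate_service (so it can receive dumpstate progress updates)
# NOTE(review): this is a deny-list over the service_manager_type attribute,
# so any service type added elsewhere in the policy becomes findable by shell
# unless it is also excluded here.  An allow-list of the services shell
# actually needs would fail closed instead; until then, new sensitive services
# must remember to add themselves to this list.
allow shell {
  service_manager_type
  -gatekeeper_service
  -incident_service
  -installd_service
  -netd_service
  -virtual_touchpad_service
  -vold_service
  -vr_hwc_service
}:service_manager find;
allow shell dumpstate:binder call;

# allow shell to get information from hwservicemanager
# for instance, listing hardware services with lshal
hwbinder_use(shell)
allow shell hwservicemanager:hwservice_manager list;

# allow shell to look through /proc/ for lsmod, ps, top, netstat.
r_dir_file(shell, proc_net)

allow shell {
  proc_asound
  proc_filesystems
  proc_interrupts
  proc_meminfo
  proc_modules
  proc_pid_max
  proc_stat
  proc_timer
  proc_uptime
  proc_version
  proc_zoneinfo
}:file r_file_perms;

# allow listing network interfaces under /sys/class/net.
allow shell sysfs_net:dir r_dir_perms;

r_dir_file(shell, cgroup)
# NOTE(review): `domain` is an attribute (shell itself carries it in the type
# declaration above), so these two rules cover the /proc/<pid> trees of every
# process type that has it, not just shell's own.  Read-only (no write), and
# the kernel's DAC / ptrace_may_access checks on /proc/<pid> still apply on
# top of SELinux.
allow shell domain:dir { search open read getattr };
allow shell domain:{ file lnk_file } { open read getattr };

# statvfs() of /proc and other labeled filesystems
# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs)
allow shell { proc labeledfs }:filesystem getattr;

# stat() of /dev
allow shell device:dir getattr;

# allow shell to read /proc/pid/attr/current for ps -Z
allow shell domain:process getattr;

# Allow pulling the SELinux policy for CTS purposes
allow shell selinuxfs:dir r_dir_perms;
allow shell selinuxfs:file r_file_perms;

# enable shell domain to read/write files/dirs for bootchart data
# The user creates the start and stop files via adb shell
# and reads other files created by the init process under /data/bootchart
allow shell bootchart_data_file:dir rw_dir_perms;
allow shell bootchart_data_file:file create_file_perms;

# Make sure strace works for the non-privileged shell user.
# This grants ptrace only within the shell domain itself (self); nothing in
# this file allows shell to trace processes in other domains.
allow shell self:process ptrace;

# allow shell to get battery info
allow shell sysfs:dir r_dir_perms;
allow shell sysfs_batteryinfo:dir r_dir_perms;
allow shell sysfs_batteryinfo:file r_file_perms;

# Allow access to ion memory allocation device.
allow shell ion_device:chr_file rw_file_perms;

#
# filesystem test for insecure chr_file's is done
# via a host side test
#
allow shell dev_type:dir r_dir_perms;
allow shell dev_type:chr_file getattr;

# /dev/fd is a symlink
allow shell proc:lnk_file getattr;

#
# filesystem test for insecure blk_file's is done
# via a host side test
#
allow shell dev_type:blk_file getattr;

# read selinux policy files
allow shell file_contexts_file:file r_file_perms;
allow shell property_contexts_file:file r_file_perms;
allow shell seapp_contexts_file:file r_file_perms;
allow shell service_contexts_file:file r_file_perms;
allow shell sepolicy_file:file r_file_perms;

# Allow shell to start up vendor shell
allow shell vendor_shell_exec:file rx_file_perms;

###
### Neverallow rules
###
# These are build-time assertions: policy compilation fails if any rule, in
# this file or elsewhere, grants what they forbid.  Revisit them together with
# any loosening of the allow rules above.

# Do not allow shell to hard link to any files.
# In particular, if shell hard links to app data
# files, installd will not be able to guarantee the deletion
# of the linked to file. Hard links also contribute to security
# bugs, so we want to ensure the shell user never has this
# capability.
neverallow shell file_type:file link;

# Do not allow privileged socket ioctl commands
neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;

# limit shell access to sensitive char drivers to
# only getattr required for host side test.
neverallow shell {
  fuse_device
  hw_random_device
  kmem_device
  port_device
}:chr_file ~getattr;

# Limit shell to only getattr on blk devices for host side tests.
neverallow shell dev_type:blk_file ~getattr;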