blob: 0ce2cc41fc100710f6527562fdad2be39591c85a [file] [log] [blame]
Stephen Smalleyb3cb9692014-02-21 13:45:29 -05001# Domain for shell processes spawned by ADB or console service.
Stephen Smalley42fb8242014-06-11 07:10:09 -04002type shell, domain, mlstrustedsubject;
Stephen Smalley01301542013-09-27 10:38:14 -04003type shell_exec, exec_type, file_type;
Stephen Smalley2dd4e512012-01-04 12:33:27 -05004
Stephen Smalley396015c2014-01-07 12:47:10 -05005# Create and use network sockets.
6net_domain(shell)
7
Stephen Smalley2dd4e512012-01-04 12:33:27 -05008# Run app_process.
Stephen Smalley712ca0a2013-10-23 13:25:53 -04009# XXX Transition into its own domain?
Stephen Smalley2dd4e512012-01-04 12:33:27 -050010app_domain(shell)
Stephen Smalleyd99e6d52013-12-02 14:18:11 -050011
Mark Salyzyn34d32ea2014-12-15 12:01:35 -080012# logcat
Mark Salyzynad5315d2014-03-17 13:00:38 -070013read_logd(shell)
14control_logd(shell)
Mark Salyzyn34d32ea2014-12-15 12:01:35 -080015# logcat -L (directly, or via dumpstate)
16allow shell pstorefs:dir search;
17allow shell pstorefs:file r_file_perms;
Mark Salyzynad5315d2014-03-17 13:00:38 -070018
Nick Kralevich4fd4a202014-06-05 13:27:44 -070019# read files in /data/anr
20allow shell anr_data_file:dir r_dir_perms;
21allow shell anr_data_file:file r_file_perms;
22
Stephen Smalley42fb8242014-06-11 07:10:09 -040023# Access /data/local/tmp.
24allow shell shell_data_file:dir create_dir_perms;
25allow shell shell_data_file:file create_file_perms;
26allow shell shell_data_file:file rx_file_perms;
Brian Carlstromfc6214b2014-12-09 23:49:31 -080027allow shell shell_data_file:lnk_file create_file_perms;
Stephen Smalley42fb8242014-06-11 07:10:09 -040028
29# adb bugreport
30unix_socket_connect(shell, dumpstate, dumpstate)
31
Stephen Smalley42fb8242014-06-11 07:10:09 -040032allow shell devpts:chr_file rw_file_perms;
33allow shell tty_device:chr_file rw_file_perms;
34allow shell console_device:chr_file rw_file_perms;
Stephen Smalleya2e4e262014-06-11 12:09:15 -040035allow shell input_device:dir r_dir_perms;
Stephen Smalley42fb8242014-06-11 07:10:09 -040036allow shell input_device:chr_file rw_file_perms;
37allow shell system_file:file x_file_perms;
38allow shell shell_exec:file rx_file_perms;
39allow shell zygote_exec:file rx_file_perms;
40
41r_dir_file(shell, apk_data_file)
42
43# Set properties.
44unix_socket_connect(shell, property, init)
45allow shell shell_prop:property_service set;
46allow shell ctl_dumpstate_prop:property_service set;
47allow shell debug_prop:property_service set;
48allow shell powerctl_prop:property_service set;
49
50# systrace support - allow atrace to run
51# debugfs doesn't support labeling individual files, so we have
52# to grant read access to all of /sys/kernel/debug.
53# Directory read access and file write access is already granted
54# in domain.te.
55allow shell debugfs:file r_file_perms;
56
57# allow shell to run dmesg
58allow shell kernel:system syslog_read;
dcashman0780f302014-12-30 15:21:50 -080059
dcashman5fef2de2015-01-23 15:55:42 -080060# allow shell access to services
dcashman0780f302014-12-30 15:21:50 -080061allow shell servicemanager:service_manager list;
Andres Moralese2079862015-04-03 16:46:33 -070062# don't allow shell to access GateKeeper service
63allow shell { service_manager_type -gatekeeper_service }:service_manager find;
dcashman23f33612015-03-03 11:20:15 -080064service_manager_local_audit_domain(shell)
dcashman25fef2e2015-01-16 13:39:59 -080065
66# allow shell to look through /proc/ for ps, top
67allow shell domain:dir { search open read getattr };
68allow shell domain:{ file lnk_file } { open read getattr };
Yongqin Liucc38e6d2014-12-05 13:40:22 +080069
Stephen Smalleyd5892b42015-03-16 11:43:22 -040070# allow shell to read /proc/pid/attr/current for ps -Z
71allow shell domain:process getattr;
72
Yongqin Liucc38e6d2014-12-05 13:40:22 +080073# enable shell domain to read/write files/dirs for bootchart data
74# User will creates the start and stop file via adb shell
75# and read other files created by init process under /data/bootchart
76allow shell bootchart_data_file:dir rw_dir_perms;
77allow shell bootchart_data_file:file create_file_perms;