Stephen Smalley | b3cb969 | 2014-02-21 13:45:29 -0500 | [diff] [blame] | 1 | # Domain for shell processes spawned by ADB or console service. |
Stephen Smalley | 42fb824 | 2014-06-11 07:10:09 -0400 | [diff] [blame] | 2 | type shell, domain, mlstrustedsubject; |
Stephen Smalley | 0130154 | 2013-09-27 10:38:14 -0400 | [diff] [blame] | 3 | type shell_exec, exec_type, file_type; |
Stephen Smalley | 2dd4e51 | 2012-01-04 12:33:27 -0500 | [diff] [blame] | 4 | |
Stephen Smalley | 396015c | 2014-01-07 12:47:10 -0500 | [diff] [blame] | 5 | # Create and use network sockets. |
| 6 | net_domain(shell) |
| 7 | |
Stephen Smalley | 2dd4e51 | 2012-01-04 12:33:27 -0500 | [diff] [blame] | 8 | # Run app_process. |
Stephen Smalley | 712ca0a | 2013-10-23 13:25:53 -0400 | [diff] [blame] | 9 | # XXX Transition into its own domain? |
Stephen Smalley | 2dd4e51 | 2012-01-04 12:33:27 -0500 | [diff] [blame] | 10 | app_domain(shell) |
Stephen Smalley | d99e6d5 | 2013-12-02 14:18:11 -0500 | [diff] [blame] | 11 | |
Mark Salyzyn | 34d32ea | 2014-12-15 12:01:35 -0800 | [diff] [blame] | 12 | # logcat |
Mark Salyzyn | ad5315d | 2014-03-17 13:00:38 -0700 | [diff] [blame] | 13 | read_logd(shell) |
| 14 | control_logd(shell) |
Mark Salyzyn | 34d32ea | 2014-12-15 12:01:35 -0800 | [diff] [blame] | 15 | # logcat -L (directly, or via dumpstate) |
| 16 | allow shell pstorefs:dir search; |
| 17 | allow shell pstorefs:file r_file_perms; |
Mark Salyzyn | 7e0838a | 2015-05-26 15:12:45 -0700 | [diff] [blame] | 18 | # logpersistd (nee logcatd) files |
| 19 | allow shell misc_logd_file:dir r_dir_perms; |
| 20 | allow shell misc_logd_file:file r_file_perms; |
Mark Salyzyn | ad5315d | 2014-03-17 13:00:38 -0700 | [diff] [blame] | 21 | |
Nick Kralevich | 4fd4a20 | 2014-06-05 13:27:44 -0700 | [diff] [blame] | 22 | # read files in /data/anr |
| 23 | allow shell anr_data_file:dir r_dir_perms; |
| 24 | allow shell anr_data_file:file r_file_perms; |
| 25 | |
Stephen Smalley | 42fb824 | 2014-06-11 07:10:09 -0400 | [diff] [blame] | 26 | # Access /data/local/tmp. |
| 27 | allow shell shell_data_file:dir create_dir_perms; |
| 28 | allow shell shell_data_file:file create_file_perms; |
| 29 | allow shell shell_data_file:file rx_file_perms; |
Brian Carlstrom | fc6214b | 2014-12-09 23:49:31 -0800 | [diff] [blame] | 30 | allow shell shell_data_file:lnk_file create_file_perms; |
Stephen Smalley | 42fb824 | 2014-06-11 07:10:09 -0400 | [diff] [blame] | 31 | |
| 32 | # adb bugreport |
| 33 | unix_socket_connect(shell, dumpstate, dumpstate) |
| 34 | |
Stephen Smalley | 42fb824 | 2014-06-11 07:10:09 -0400 | [diff] [blame] | 35 | allow shell devpts:chr_file rw_file_perms; |
| 36 | allow shell tty_device:chr_file rw_file_perms; |
| 37 | allow shell console_device:chr_file rw_file_perms; |
Stephen Smalley | a2e4e26 | 2014-06-11 12:09:15 -0400 | [diff] [blame] | 38 | allow shell input_device:dir r_dir_perms; |
Stephen Smalley | 42fb824 | 2014-06-11 07:10:09 -0400 | [diff] [blame] | 39 | allow shell input_device:chr_file rw_file_perms; |
| 40 | allow shell system_file:file x_file_perms; |
| 41 | allow shell shell_exec:file rx_file_perms; |
| 42 | allow shell zygote_exec:file rx_file_perms; |
| 43 | |
| 44 | r_dir_file(shell, apk_data_file) |
| 45 | |
| 46 | # Set properties. |
William Roberts | 2f5a6a9 | 2015-05-04 18:22:45 -0700 | [diff] [blame] | 47 | set_prop(shell, shell_prop) |
| 48 | set_prop(shell, ctl_dumpstate_prop) |
| 49 | set_prop(shell, debug_prop) |
| 50 | set_prop(shell, powerctl_prop) |
Stephen Smalley | 42fb824 | 2014-06-11 07:10:09 -0400 | [diff] [blame] | 51 | |
| 52 | # systrace support - allow atrace to run |
| 53 | # debugfs doesn't support labeling individual files, so we have |
| 54 | # to grant read access to all of /sys/kernel/debug. |
| 55 | # Directory read access and file write access is already granted |
| 56 | # in domain.te. |
| 57 | allow shell debugfs:file r_file_perms; |
| 58 | |
| 59 | # allow shell to run dmesg |
| 60 | allow shell kernel:system syslog_read; |
dcashman | 0780f30 | 2014-12-30 15:21:50 -0800 | [diff] [blame] | 61 | |
dcashman | 5fef2de | 2015-01-23 15:55:42 -0800 | [diff] [blame] | 62 | # allow shell access to services |
dcashman | 0780f30 | 2014-12-30 15:21:50 -0800 | [diff] [blame] | 63 | allow shell servicemanager:service_manager list; |
Andres Morales | e207986 | 2015-04-03 16:46:33 -0700 | [diff] [blame] | 64 | # don't allow shell to access GateKeeper service |
| 65 | allow shell { service_manager_type -gatekeeper_service }:service_manager find; |
dcashman | 25fef2e | 2015-01-16 13:39:59 -0800 | [diff] [blame] | 66 | |
| 67 | # allow shell to look through /proc/ for ps, top |
| 68 | allow shell domain:dir { search open read getattr }; |
| 69 | allow shell domain:{ file lnk_file } { open read getattr }; |
Yongqin Liu | cc38e6d | 2014-12-05 13:40:22 +0800 | [diff] [blame] | 70 | |
Stephen Smalley | d5892b4 | 2015-03-16 11:43:22 -0400 | [diff] [blame] | 71 | # allow shell to read /proc/pid/attr/current for ps -Z |
| 72 | allow shell domain:process getattr; |
| 73 | |
Yongqin Liu | cc38e6d | 2014-12-05 13:40:22 +0800 | [diff] [blame] | 74 | # enable shell domain to read/write files/dirs for bootchart data |
| 75 | # User will creates the start and stop file via adb shell |
| 76 | # and read other files created by init process under /data/bootchart |
| 77 | allow shell bootchart_data_file:dir rw_dir_perms; |
| 78 | allow shell bootchart_data_file:file create_file_perms; |
Nick Kralevich | e0c8da2 | 2015-04-16 08:43:10 -0700 | [diff] [blame] | 79 | |
Jeff Vander Stoep | c47a11b | 2016-01-05 13:16:34 -0800 | [diff] [blame] | 80 | # only allow unprivileged socket ioctl commands |
| 81 | allow shell self:{ rawip_socket tcp_socket udp_socket } unpriv_sock_ioctls; |
| 82 | |
Nick Kralevich | e0c8da2 | 2015-04-16 08:43:10 -0700 | [diff] [blame] | 83 | # Do not allow shell to hard link to any files. |
| 84 | # In particular, if shell hard links to app data |
| 85 | # files, installd will not be able to guarantee the deletion |
| 86 | # of the linked to file. Hard links also contribute to security |
| 87 | # bugs, so we want to ensure the shell user never has this |
| 88 | # capability. |
| 89 | neverallow shell file_type:file link; |