public/shell.te - LeafOS-Project/android_system_sepolicy - Gitiles

 # Domain for shell processes spawned by ADB or console service.
 type shell, domain, mlstrustedsubject;
 type shell_exec, exec_type, file_type;

 # Create and use network sockets.
 net_domain(shell)

 # logcat
 read_logd(shell)
 control_logd(shell)
 # logcat -L (directly, or via dumpstate)
 allow shell pstorefs:dir search;
 allow shell pstorefs:file r_file_perms;

 # Root fs.
 allow shell rootfs:dir r_dir_perms;

 # read files in /data/anr
 allow shell anr_data_file:dir r_dir_perms;
 allow shell anr_data_file:file r_file_perms;

 # Access /data/local/tmp.
 allow shell shell_data_file:dir create_dir_perms;
 allow shell shell_data_file:file create_file_perms;
 allow shell shell_data_file:file rx_file_perms;
 allow shell shell_data_file:lnk_file create_file_perms;

 # Access /data/misc/profman.
 allow shell profman_dump_data_file:dir { search getattr write remove_name };
 allow shell profman_dump_data_file:file { getattr unlink };

 # Read/execute files in /data/nativetest
 userdebug_or_eng(`
   allow shell nativetest_data_file:dir r_dir_perms;
   allow shell nativetest_data_file:file rx_file_perms;
 ')

 # adb bugreport
 unix_socket_connect(shell, dumpstate, dumpstate)

 allow shell devpts:chr_file rw_file_perms;
 allow shell tty_device:chr_file rw_file_perms;
 allow shell console_device:chr_file rw_file_perms;
 allow shell input_device:dir r_dir_perms;
 allow shell input_device:chr_file rw_file_perms;
 r_dir_file(shell, system_file)
 allow shell system_file:file x_file_perms;
 allow shell toolbox_exec:file rx_file_perms;
 allow shell tzdatacheck_exec:file rx_file_perms;
 allow shell shell_exec:file rx_file_perms;
 allow shell zygote_exec:file rx_file_perms;

 r_dir_file(shell, apk_data_file)

 # Set properties.
 set_prop(shell, shell_prop)
 set_prop(shell, ctl_bugreport_prop)
 set_prop(shell, ctl_dumpstate_prop)
 set_prop(shell, dumpstate_prop)
 set_prop(shell, debug_prop)
 set_prop(shell, powerctl_prop)
 set_prop(shell, log_tag_prop)
 set_prop(shell, wifi_log_prop)
 # adjust is_loggable properties
 userdebug_or_eng(`set_prop(shell, log_prop)')
 # logpersist script
 userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)')

 userdebug_or_eng(`
   # "systrace --boot" support - allow boottrace service to run
   allow shell boottrace_data_file:dir rw_dir_perms;
   allow shell boottrace_data_file:file create_file_perms;
   set_prop(shell, persist_debug_prop)
 ')

 # Read device's serial number from system properties
 get_prop(shell, serialno_prop)

 # allow shell access to services
 allow shell servicemanager:service_manager list;
 # don't allow shell to access GateKeeper service
 # TODO: why is this so broad? Tightening candidate? It needs at list:
 # - dumpstate_service (so it can receive dumpstate progress updates)
 allow shell { service_manager_type -gatekeeper_service -incident_service -installd_service -netd_service -virtual_touchpad_service }:service_manager find;
 allow shell dumpstate:binder call;

 # allow shell to get information from hwservicemanager
 # for instance, listing hardware services with lshal
 hwbinder_use(shell)

 # allow shell to look through /proc/ for ps, top, netstat
 r_dir_file(shell, proc)
 r_dir_file(shell, proc_net)
 allow shell proc_interrupts:file r_file_perms;
 allow shell proc_meminfo:file r_file_perms;
 allow shell proc_stat:file r_file_perms;
 allow shell proc_timer:file r_file_perms;
 allow shell proc_zoneinfo:file r_file_perms;
 r_dir_file(shell, cgroup)
 allow shell domain:dir { search open read getattr };
 allow shell domain:{ file lnk_file } { open read getattr };

 # statvfs() of /proc and other labeled filesystems
 # (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs)
 allow shell { proc labeledfs }:filesystem getattr;

 # stat() of /dev
 allow shell device:dir getattr;

 # allow shell to read /proc/pid/attr/current for ps -Z
 allow shell domain:process getattr;

 # Allow pulling the SELinux policy for CTS purposes
 allow shell selinuxfs:dir r_dir_perms;
 allow shell selinuxfs:file r_file_perms;

 # enable shell domain to read/write files/dirs for bootchart data
 # User will creates the start and stop file via adb shell
 # and read other files created by init process under /data/bootchart
 allow shell bootchart_data_file:dir rw_dir_perms;
 allow shell bootchart_data_file:file create_file_perms;

 # Make sure strace works for the non-privileged shell user
 allow shell self:process ptrace;

 # allow shell to get battery info
 allow shell sysfs_batteryinfo:file r_file_perms;
 allow shell sysfs:dir r_dir_perms;

 # Allow access to ion memory allocation device.
 allow shell ion_device:chr_file rw_file_perms;

 #
 # filesystem test for insecure chr_file's is done
 # via a host side test
 #
 allow shell dev_type:dir r_dir_perms;
 allow shell dev_type:chr_file getattr;

 # /dev/fd is a symlink
 allow shell proc:lnk_file getattr;

 #
 # filesystem test for insucre blk_file's is done
 # via hostside test
 #
 allow shell dev_type:blk_file getattr;

 ###
 ### Neverallow rules
 ###

 # Do not allow shell to hard link to any files.
 # In particular, if shell hard links to app data
 # files, installd will not be able to guarantee the deletion
 # of the linked to file. Hard links also contribute to security
 # bugs, so we want to ensure the shell user never has this
 # capability.
 neverallow shell file_type:file link;

 # Do not allow privileged socket ioctl commands
 neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;

 # limit shell access to sensitive char drivers to
 # only getattr required for host side test.
 neverallow shell {
   fuse_device
   hw_random_device
   kmem_device
   port_device
 }:chr_file ~getattr;

 # Limit shell to only getattr on blk devices for host side tests.
 neverallow shell dev_type:blk_file ~getattr;
	# Domain for shell processes spawned by ADB or console service.
	type shell, domain, mlstrustedsubject;
	type shell_exec, exec_type, file_type;

	# Create and use network sockets.
	net_domain(shell)

	# logcat
	read_logd(shell)
	control_logd(shell)
	# logcat -L (directly, or via dumpstate)
	allow shell pstorefs:dir search;
	allow shell pstorefs:file r_file_perms;

	# Root fs.
	allow shell rootfs:dir r_dir_perms;

	# read files in /data/anr
	allow shell anr_data_file:dir r_dir_perms;
	allow shell anr_data_file:file r_file_perms;

	# Access /data/local/tmp.
	allow shell shell_data_file:dir create_dir_perms;
	allow shell shell_data_file:file create_file_perms;
	allow shell shell_data_file:file rx_file_perms;
	allow shell shell_data_file:lnk_file create_file_perms;

	# Access /data/misc/profman.
	allow shell profman_dump_data_file:dir { search getattr write remove_name };
	allow shell profman_dump_data_file:file { getattr unlink };

	# Read/execute files in /data/nativetest
	userdebug_or_eng(`
	allow shell nativetest_data_file:dir r_dir_perms;
	allow shell nativetest_data_file:file rx_file_perms;
	')

	# adb bugreport
	unix_socket_connect(shell, dumpstate, dumpstate)

	allow shell devpts:chr_file rw_file_perms;
	allow shell tty_device:chr_file rw_file_perms;
	allow shell console_device:chr_file rw_file_perms;
	allow shell input_device:dir r_dir_perms;
	allow shell input_device:chr_file rw_file_perms;
	r_dir_file(shell, system_file)
	allow shell system_file:file x_file_perms;
	allow shell toolbox_exec:file rx_file_perms;
	allow shell tzdatacheck_exec:file rx_file_perms;
	allow shell shell_exec:file rx_file_perms;
	allow shell zygote_exec:file rx_file_perms;

	r_dir_file(shell, apk_data_file)

	# Set properties.
	set_prop(shell, shell_prop)
	set_prop(shell, ctl_bugreport_prop)
	set_prop(shell, ctl_dumpstate_prop)
	set_prop(shell, dumpstate_prop)
	set_prop(shell, debug_prop)
	set_prop(shell, powerctl_prop)
	set_prop(shell, log_tag_prop)
	set_prop(shell, wifi_log_prop)
	# adjust is_loggable properties
	userdebug_or_eng(`set_prop(shell, log_prop)')
	# logpersist script
	userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)')

	userdebug_or_eng(`
	# "systrace --boot" support - allow boottrace service to run
	allow shell boottrace_data_file:dir rw_dir_perms;
	allow shell boottrace_data_file:file create_file_perms;
	set_prop(shell, persist_debug_prop)
	')

	# Read device's serial number from system properties
	get_prop(shell, serialno_prop)

	# allow shell access to services
	allow shell servicemanager:service_manager list;
	# don't allow shell to access GateKeeper service
	# TODO: why is this so broad? Tightening candidate? It needs at list:
	# - dumpstate_service (so it can receive dumpstate progress updates)
	allow shell { service_manager_type -gatekeeper_service -incident_service -installd_service -netd_service -virtual_touchpad_service }:service_manager find;
	allow shell dumpstate:binder call;

	# allow shell to get information from hwservicemanager
	# for instance, listing hardware services with lshal
	hwbinder_use(shell)

	# allow shell to look through /proc/ for ps, top, netstat
	r_dir_file(shell, proc)
	r_dir_file(shell, proc_net)
	allow shell proc_interrupts:file r_file_perms;
	allow shell proc_meminfo:file r_file_perms;
	allow shell proc_stat:file r_file_perms;
	allow shell proc_timer:file r_file_perms;
	allow shell proc_zoneinfo:file r_file_perms;
	r_dir_file(shell, cgroup)
	allow shell domain:dir { search open read getattr };
	allow shell domain:{ file lnk_file } { open read getattr };

	# statvfs() of /proc and other labeled filesystems
	# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs)
	allow shell { proc labeledfs }:filesystem getattr;

	# stat() of /dev
	allow shell device:dir getattr;

	# allow shell to read /proc/pid/attr/current for ps -Z
	allow shell domain:process getattr;

	# Allow pulling the SELinux policy for CTS purposes
	allow shell selinuxfs:dir r_dir_perms;
	allow shell selinuxfs:file r_file_perms;

	# enable shell domain to read/write files/dirs for bootchart data
	# User will creates the start and stop file via adb shell
	# and read other files created by init process under /data/bootchart
	allow shell bootchart_data_file:dir rw_dir_perms;
	allow shell bootchart_data_file:file create_file_perms;

	# Make sure strace works for the non-privileged shell user
	allow shell self:process ptrace;

	# allow shell to get battery info
	allow shell sysfs_batteryinfo:file r_file_perms;
	allow shell sysfs:dir r_dir_perms;

	# Allow access to ion memory allocation device.
	allow shell ion_device:chr_file rw_file_perms;

	#
	# filesystem test for insecure chr_file's is done
	# via a host side test
	#
	allow shell dev_type:dir r_dir_perms;
	allow shell dev_type:chr_file getattr;

	# /dev/fd is a symlink
	allow shell proc:lnk_file getattr;

	#
	# filesystem test for insucre blk_file's is done
	# via hostside test
	#
	allow shell dev_type:blk_file getattr;

	###
	### Neverallow rules
	###

	# Do not allow shell to hard link to any files.
	# In particular, if shell hard links to app data
	# files, installd will not be able to guarantee the deletion
	# of the linked to file. Hard links also contribute to security
	# bugs, so we want to ensure the shell user never has this
	# capability.
	neverallow shell file_type:file link;

	# Do not allow privileged socket ioctl commands
	neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;

	# limit shell access to sensitive char drivers to
	# only getattr required for host side test.
	neverallow shell {
	fuse_device
	hw_random_device
	kmem_device
	port_device
	}:chr_file ~getattr;

	# Limit shell to only getattr on blk devices for host side tests.
	neverallow shell dev_type:blk_file ~getattr;