shell.te - LeafOS-Project/android_system_sepolicy - Gitiles

 # Domain for shell processes spawned by ADB or console service.
 type shell, domain, mlstrustedsubject;
 type shell_exec, exec_type, file_type;

 # Create and use network sockets.
 net_domain(shell)

 # Run app_process.
 # XXX Transition into its own domain?
 app_domain(shell)

 # logcat
 read_logd(shell)
 control_logd(shell)
 # logcat -L (directly, or via dumpstate)
 allow shell pstorefs:dir search;
 allow shell pstorefs:file r_file_perms;
 # logpersistd (nee logcatd) files
 userdebug_or_eng(`
   allow shell misc_logd_file:dir r_dir_perms;
   allow shell misc_logd_file:file r_file_perms;
 ')

 # Root fs.
 allow shell rootfs:dir r_dir_perms;

 # read files in /data/anr
 allow shell anr_data_file:dir r_dir_perms;
 allow shell anr_data_file:file r_file_perms;

 # Access /data/local/tmp.
 allow shell shell_data_file:dir create_dir_perms;
 allow shell shell_data_file:file create_file_perms;
 allow shell shell_data_file:file rx_file_perms;
 allow shell shell_data_file:lnk_file create_file_perms;

 # Read/execute files in /data/nativetest
 userdebug_or_eng(`
   allow shell nativetest_data_file:dir r_dir_perms;
   allow shell nativetest_data_file:file rx_file_perms;
 ')

 # adb bugreport
 unix_socket_connect(shell, dumpstate, dumpstate)

 allow shell devpts:chr_file rw_file_perms;
 allow shell tty_device:chr_file rw_file_perms;
 allow shell console_device:chr_file rw_file_perms;
 allow shell input_device:dir r_dir_perms;
 allow shell input_device:chr_file rw_file_perms;
 r_dir_file(shell, system_file)
 allow shell system_file:file x_file_perms;
 allow shell toolbox_exec:file rx_file_perms;
 allow shell shell_exec:file rx_file_perms;
 allow shell zygote_exec:file rx_file_perms;

 r_dir_file(shell, apk_data_file)

 # Set properties.
 set_prop(shell, shell_prop)
 set_prop(shell, ctl_bugreport_prop)
 set_prop(shell, ctl_dumpstate_prop)
 set_prop(shell, dumpstate_prop)
 set_prop(shell, debug_prop)
 set_prop(shell, powerctl_prop)

 # systrace support - allow atrace to run
 allow shell debugfs_tracing:dir r_dir_perms;
 allow shell debugfs_tracing:file rw_file_perms;
 allow shell debugfs_trace_marker:file getattr;
 allow shell atrace_exec:file rx_file_perms;

 userdebug_or_eng(`
   # "systrace --boot" support - allow boottrace service to run
   allow shell boottrace_data_file:dir rw_dir_perms;
   allow shell boottrace_data_file:file create_file_perms;
   set_prop(shell, persist_debug_prop)
 ')

 # allow shell to run dmesg
 allow shell kernel:system syslog_read;

 # allow shell access to services
 allow shell servicemanager:service_manager list;
 # don't allow shell to access GateKeeper service
 allow shell { service_manager_type -gatekeeper_service -netd_service }:service_manager find;

 # allow shell to look through /proc/ for ps, top, netstat
 r_dir_file(shell, proc)
 r_dir_file(shell, proc_net)
 allow shell proc_meminfo:file r_file_perms;
 r_dir_file(shell, cgroup)
 allow shell domain:dir { search open read getattr };
 allow shell domain:{ file lnk_file } { open read getattr };

 # statvfs() of /proc and other labeled filesystems
 # (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs)
 allow shell { proc labeledfs }:filesystem getattr;

 # stat() of /dev
 allow shell device:dir getattr;

 # allow shell to read /proc/pid/attr/current for ps -Z
 allow shell domain:process getattr;

 # Allow pulling the SELinux policy for CTS purposes
 allow shell selinuxfs:dir r_dir_perms;
 allow shell selinuxfs:file r_file_perms;

 # enable shell domain to read/write files/dirs for bootchart data
 # User will creates the start and stop file via adb shell
 # and read other files created by init process under /data/bootchart
 allow shell bootchart_data_file:dir rw_dir_perms;
 allow shell bootchart_data_file:file create_file_perms;

 # Make sure strace works for the non-privileged shell user
 allow shell self:process ptrace;

 # allow shell to get battery info
 allow shell sysfs_batteryinfo:file r_file_perms;
 allow shell sysfs:dir r_dir_perms;

 # Allow access to ion memory allocation device.
 allow shell ion_device:chr_file rw_file_perms;

 # Access to /data/media.
 # This should be removed if sdcardfs is modified to alter the secontext for its
 # accesses to the underlying FS.
 allow shell media_rw_data_file:dir create_dir_perms;
 allow shell media_rw_data_file:file create_file_perms;

 ###
 ### Neverallow rules
 ###

 # Do not allow shell to hard link to any files.
 # In particular, if shell hard links to app data
 # files, installd will not be able to guarantee the deletion
 # of the linked to file. Hard links also contribute to security
 # bugs, so we want to ensure the shell user never has this
 # capability.
 neverallow shell file_type:file link;

 # Do not allow privileged socket ioctl commands
 neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
	# Domain for shell processes spawned by ADB or console service.
	type shell, domain, mlstrustedsubject;
	type shell_exec, exec_type, file_type;

	# Create and use network sockets.
	net_domain(shell)

	# Run app_process.
	# XXX Transition into its own domain?
	app_domain(shell)

	# logcat
	read_logd(shell)
	control_logd(shell)
	# logcat -L (directly, or via dumpstate)
	allow shell pstorefs:dir search;
	allow shell pstorefs:file r_file_perms;
	# logpersistd (nee logcatd) files
	userdebug_or_eng(`
	allow shell misc_logd_file:dir r_dir_perms;
	allow shell misc_logd_file:file r_file_perms;
	')

	# Root fs.
	allow shell rootfs:dir r_dir_perms;

	# read files in /data/anr
	allow shell anr_data_file:dir r_dir_perms;
	allow shell anr_data_file:file r_file_perms;

	# Access /data/local/tmp.
	allow shell shell_data_file:dir create_dir_perms;
	allow shell shell_data_file:file create_file_perms;
	allow shell shell_data_file:file rx_file_perms;
	allow shell shell_data_file:lnk_file create_file_perms;

	# Read/execute files in /data/nativetest
	userdebug_or_eng(`
	allow shell nativetest_data_file:dir r_dir_perms;
	allow shell nativetest_data_file:file rx_file_perms;
	')

	# adb bugreport
	unix_socket_connect(shell, dumpstate, dumpstate)

	allow shell devpts:chr_file rw_file_perms;
	allow shell tty_device:chr_file rw_file_perms;
	allow shell console_device:chr_file rw_file_perms;
	allow shell input_device:dir r_dir_perms;
	allow shell input_device:chr_file rw_file_perms;
	r_dir_file(shell, system_file)
	allow shell system_file:file x_file_perms;
	allow shell toolbox_exec:file rx_file_perms;
	allow shell shell_exec:file rx_file_perms;
	allow shell zygote_exec:file rx_file_perms;

	r_dir_file(shell, apk_data_file)

	# Set properties.
	set_prop(shell, shell_prop)
	set_prop(shell, ctl_bugreport_prop)
	set_prop(shell, ctl_dumpstate_prop)
	set_prop(shell, dumpstate_prop)
	set_prop(shell, debug_prop)
	set_prop(shell, powerctl_prop)

	# systrace support - allow atrace to run
	allow shell debugfs_tracing:dir r_dir_perms;
	allow shell debugfs_tracing:file rw_file_perms;
	allow shell debugfs_trace_marker:file getattr;
	allow shell atrace_exec:file rx_file_perms;

	userdebug_or_eng(`
	# "systrace --boot" support - allow boottrace service to run
	allow shell boottrace_data_file:dir rw_dir_perms;
	allow shell boottrace_data_file:file create_file_perms;
	set_prop(shell, persist_debug_prop)
	')

	# allow shell to run dmesg
	allow shell kernel:system syslog_read;

	# allow shell access to services
	allow shell servicemanager:service_manager list;
	# don't allow shell to access GateKeeper service
	allow shell { service_manager_type -gatekeeper_service -netd_service }:service_manager find;

	# allow shell to look through /proc/ for ps, top, netstat
	r_dir_file(shell, proc)
	r_dir_file(shell, proc_net)
	allow shell proc_meminfo:file r_file_perms;
	r_dir_file(shell, cgroup)
	allow shell domain:dir { search open read getattr };
	allow shell domain:{ file lnk_file } { open read getattr };

	# statvfs() of /proc and other labeled filesystems
	# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs)
	allow shell { proc labeledfs }:filesystem getattr;

	# stat() of /dev
	allow shell device:dir getattr;

	# allow shell to read /proc/pid/attr/current for ps -Z
	allow shell domain:process getattr;

	# Allow pulling the SELinux policy for CTS purposes
	allow shell selinuxfs:dir r_dir_perms;
	allow shell selinuxfs:file r_file_perms;

	# enable shell domain to read/write files/dirs for bootchart data
	# User will creates the start and stop file via adb shell
	# and read other files created by init process under /data/bootchart
	allow shell bootchart_data_file:dir rw_dir_perms;
	allow shell bootchart_data_file:file create_file_perms;

	# Make sure strace works for the non-privileged shell user
	allow shell self:process ptrace;

	# allow shell to get battery info
	allow shell sysfs_batteryinfo:file r_file_perms;
	allow shell sysfs:dir r_dir_perms;

	# Allow access to ion memory allocation device.
	allow shell ion_device:chr_file rw_file_perms;

	# Access to /data/media.
	# This should be removed if sdcardfs is modified to alter the secontext for its
	# accesses to the underlying FS.
	allow shell media_rw_data_file:dir create_dir_perms;
	allow shell media_rw_data_file:file create_file_perms;

	###
	### Neverallow rules
	###

	# Do not allow shell to hard link to any files.
	# In particular, if shell hard links to app data
	# files, installd will not be able to guarantee the deletion
	# of the linked to file. Hard links also contribute to security
	# bugs, so we want to ensure the shell user never has this
	# capability.
	neverallow shell file_type:file link;

	# Do not allow privileged socket ioctl commands
	neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;