1# Domain for shell processes spawned by ADB or console service. 2type shell, domain, mlstrustedsubject; 3type shell_exec, system_file_type, exec_type, file_type; 4 5# Create and use network sockets. 6net_domain(shell) 7 8# logcat 9read_logd(shell) 10control_logd(shell) 11# logcat -L (directly, or via dumpstate) 12allow shell pstorefs:dir search; 13allow shell pstorefs:file r_file_perms; 14 15# Root fs. 16allow shell rootfs:dir r_dir_perms; 17 18# read files in /data/anr 19allow shell anr_data_file:dir r_dir_perms; 20allow shell anr_data_file:file r_file_perms; 21 22# Access /data/local/tmp. 23allow shell shell_data_file:dir create_dir_perms; 24allow shell shell_data_file:file create_file_perms; 25allow shell shell_data_file:file rx_file_perms; 26allow shell shell_data_file:lnk_file create_file_perms; 27 28# Read and delete from /data/local/traces. 29allow shell trace_data_file:file { r_file_perms unlink }; 30allow shell trace_data_file:dir { r_dir_perms remove_name write }; 31 32# Access /data/misc/profman. 33allow shell profman_dump_data_file:dir { write remove_name r_dir_perms }; 34allow shell profman_dump_data_file:file { unlink r_file_perms }; 35 36# Read/execute files in /data/nativetest 37userdebug_or_eng(` 38 allow shell nativetest_data_file:dir r_dir_perms; 39 allow shell nativetest_data_file:file rx_file_perms; 40') 41 42# adb bugreport 43unix_socket_connect(shell, dumpstate, dumpstate) 44 45allow shell devpts:chr_file rw_file_perms; 46allow shell tty_device:chr_file rw_file_perms; 47allow shell console_device:chr_file rw_file_perms; 48 49allow shell input_device:dir r_dir_perms; 50allow shell input_device:chr_file r_file_perms; 51 52r_dir_file(shell, system_file) 53allow shell system_file:file x_file_perms; 54allow shell toolbox_exec:file rx_file_perms; 55allow shell tzdatacheck_exec:file rx_file_perms; 56allow shell shell_exec:file rx_file_perms; 57allow shell zygote_exec:file rx_file_perms; 58 59r_dir_file(shell, apk_data_file) 60 61# Set properties. 62set_prop(shell, shell_prop) 63set_prop(shell, ctl_bugreport_prop) 64set_prop(shell, ctl_dumpstate_prop) 65set_prop(shell, dumpstate_prop) 66set_prop(shell, exported_dumpstate_prop) 67set_prop(shell, debug_prop) 68set_prop(shell, powerctl_prop) 69set_prop(shell, log_tag_prop) 70set_prop(shell, wifi_log_prop) 71# Allow shell to start/stop traced via the persist.traced.enable 72# property (which also takes care of /data/misc initialization). 73set_prop(shell, traced_enabled_prop) 74# adjust is_loggable properties 75userdebug_or_eng(`set_prop(shell, log_prop)') 76# logpersist script 77userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)') 78# Allow shell to start/stop heapprofd via the persist.heapprofd.enable 79# property. 80set_prop(shell, heapprofd_enabled_prop) 81# Allow shell to start/stop traced_perf via the persist.traced_perf.enable 82# property. 83set_prop(shell, traced_perf_enabled_prop) 84# Allow shell to start/stop gsid via ctl.start|stop|restart gsid. 85set_prop(shell, ctl_gsid_prop) 86# Allow shell to enable Dynamic System Update 87set_prop(shell, dynamic_system_prop) 88# Allow shell to mock an OTA using persist.pm.mock-upgrade 89set_prop(shell, mock_ota_prop) 90 91userdebug_or_eng(` 92 # "systrace --boot" support - allow boottrace service to run 93 allow shell boottrace_data_file:dir rw_dir_perms; 94 allow shell boottrace_data_file:file create_file_perms; 95 set_prop(shell, persist_debug_prop) 96') 97 98# Read device's serial number from system properties 99get_prop(shell, serialno_prop) 100 101# Allow shell to read the vendor security patch level for CTS 102get_prop(shell, vendor_security_patch_level_prop) 103 104# Read state of logging-related properties 105get_prop(shell, device_logging_prop) 106 107# Read state of boot reason properties 108get_prop(shell, bootloader_boot_reason_prop) 109get_prop(shell, last_boot_reason_prop) 110get_prop(shell, system_boot_reason_prop) 111 112# Allow reading the outcome of perf_event_open LSM support test for CTS. 113get_prop(shell, init_perf_lsm_hooks_prop) 114 115# allow shell access to services 116allow shell servicemanager:service_manager list; 117# don't allow shell to access GateKeeper service 118# TODO: why is this so broad? Tightening candidate? It needs at list: 119# - dumpstate_service (so it can receive dumpstate progress updates) 120allow shell { 121 service_manager_type 122 -apex_service 123 -dnsresolver_service 124 -gatekeeper_service 125 -incident_service 126 -installd_service 127 -iorapd_service 128 -netd_service 129 -system_suspend_control_service 130 -virtual_touchpad_service 131 -vold_service 132 -vr_hwc_service 133 -default_android_service 134}:service_manager find; 135allow shell dumpstate:binder call; 136 137# allow shell to get information from hwservicemanager 138# for instance, listing hardware services with lshal 139hwbinder_use(shell) 140allow shell hwservicemanager:hwservice_manager list; 141 142# allow shell to look through /proc/ for lsmod, ps, top, netstat, vmstat. 143r_dir_file(shell, proc_net_type) 144 145allow shell { 146 proc_asound 147 proc_filesystems 148 proc_interrupts 149 proc_loadavg # b/124024827 150 proc_meminfo 151 proc_modules 152 proc_pid_max 153 proc_slabinfo 154 proc_stat 155 proc_timer 156 proc_uptime 157 proc_version 158 proc_vmstat 159 proc_zoneinfo 160}:file r_file_perms; 161 162# allow listing network interfaces under /sys/class/net. 163allow shell sysfs_net:dir r_dir_perms; 164 165r_dir_file(shell, cgroup) 166allow shell domain:dir { search open read getattr }; 167allow shell domain:{ file lnk_file } { open read getattr }; 168 169# statvfs() of /proc and other labeled filesystems 170# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs, overlay) 171allow shell { proc labeledfs }:filesystem getattr; 172 173# stat() of /dev 174allow shell device:dir getattr; 175 176# allow shell to read /proc/pid/attr/current for ps -Z 177allow shell domain:process getattr; 178 179# Allow pulling the SELinux policy for CTS purposes 180allow shell selinuxfs:dir r_dir_perms; 181allow shell selinuxfs:file r_file_perms; 182 183# enable shell domain to read/write files/dirs for bootchart data 184# User will creates the start and stop file via adb shell 185# and read other files created by init process under /data/bootchart 186allow shell bootchart_data_file:dir rw_dir_perms; 187allow shell bootchart_data_file:file create_file_perms; 188 189# Make sure strace works for the non-privileged shell user 190allow shell self:process ptrace; 191 192# allow shell to get battery info 193allow shell sysfs:dir r_dir_perms; 194allow shell sysfs_batteryinfo:dir r_dir_perms; 195allow shell sysfs_batteryinfo:file r_file_perms; 196 197# Allow access to ion memory allocation device. 198allow shell ion_device:chr_file rw_file_perms; 199 200# 201# filesystem test for insecure chr_file's is done 202# via a host side test 203# 204allow shell dev_type:dir r_dir_perms; 205allow shell dev_type:chr_file getattr; 206 207# /dev/fd is a symlink 208allow shell proc:lnk_file getattr; 209 210# 211# filesystem test for insucre blk_file's is done 212# via hostside test 213# 214allow shell dev_type:blk_file getattr; 215 216# read selinux policy files 217allow shell file_contexts_file:file r_file_perms; 218allow shell property_contexts_file:file r_file_perms; 219allow shell seapp_contexts_file:file r_file_perms; 220allow shell service_contexts_file:file r_file_perms; 221allow shell sepolicy_file:file r_file_perms; 222 223# Allow shell to start up vendor shell 224allow shell vendor_shell_exec:file rx_file_perms; 225 226# Everything is labeled as rootfs in recovery mode. Allow shell to 227# execute them. 228recovery_only(` 229 allow shell rootfs:file rx_file_perms; 230') 231 232### 233### Neverallow rules 234### 235 236# Do not allow shell to hard link to any files. 237# In particular, if shell hard links to app data 238# files, installd will not be able to guarantee the deletion 239# of the linked to file. Hard links also contribute to security 240# bugs, so we want to ensure the shell user never has this 241# capability. 242neverallow shell file_type:file link; 243 244# Do not allow privileged socket ioctl commands 245neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls; 246 247# limit shell access to sensitive char drivers to 248# only getattr required for host side test. 249neverallow shell { 250 fuse_device 251 hw_random_device 252 port_device 253}:chr_file ~getattr; 254 255# Limit shell to only getattr on blk devices for host side tests. 256neverallow shell dev_type:blk_file ~getattr; 257 258# b/30861057: Shell access to existing input devices is an abuse 259# vector. The shell user can inject events that look like they 260# originate from the touchscreen etc. 261# Everyone should have already moved to UiAutomation#injectInputEvent 262# if they are running instrumentation tests (i.e. CTS), Monkey for 263# their stress tests, and the input command (adb shell input ...) for 264# injecting swipes and things. 265neverallow shell input_device:chr_file no_w_file_perms; 266