1# Domain for shell processes spawned by ADB or console service. 2type shell, domain, mlstrustedsubject; 3type shell_exec, system_file_type, exec_type, file_type; 4 5# Create and use network sockets. 6net_domain(shell) 7 8# logcat 9read_logd(shell) 10control_logd(shell) 11get_prop(shell, logd_prop) 12# logcat -L (directly, or via dumpstate) 13allow shell pstorefs:dir search; 14allow shell pstorefs:file r_file_perms; 15 16# Root fs. 17allow shell rootfs:dir r_dir_perms; 18 19# read files in /data/anr 20allow shell anr_data_file:dir r_dir_perms; 21allow shell anr_data_file:file r_file_perms; 22 23# Access /data/local/tmp. 24allow shell shell_data_file:dir create_dir_perms; 25allow shell shell_data_file:file create_file_perms; 26allow shell shell_data_file:file rx_file_perms; 27allow shell shell_data_file:lnk_file create_file_perms; 28 29# Access /data/local/tests. 30allow shell shell_test_data_file:dir create_dir_perms; 31allow shell shell_test_data_file:file create_file_perms; 32allow shell shell_test_data_file:file rx_file_perms; 33allow shell shell_test_data_file:lnk_file create_file_perms; 34allow shell shell_test_data_file:sock_file create_file_perms; 35 36# Read and delete from /data/local/traces. 37allow shell trace_data_file:file { r_file_perms unlink }; 38allow shell trace_data_file:dir { r_dir_perms remove_name write }; 39 40# Access /data/misc/profman. 41allow shell profman_dump_data_file:dir { write remove_name r_dir_perms }; 42allow shell profman_dump_data_file:file { unlink r_file_perms }; 43 44# Read/execute files in /data/nativetest 45userdebug_or_eng(` 46 allow shell nativetest_data_file:dir r_dir_perms; 47 allow shell nativetest_data_file:file rx_file_perms; 48') 49 50# adb bugreport 51unix_socket_connect(shell, dumpstate, dumpstate) 52 53allow shell devpts:chr_file rw_file_perms; 54allow shell tty_device:chr_file rw_file_perms; 55allow shell console_device:chr_file rw_file_perms; 56 57allow shell input_device:dir r_dir_perms; 58allow shell input_device:chr_file r_file_perms; 59 60r_dir_file(shell, system_file) 61allow shell system_file:file x_file_perms; 62allow shell toolbox_exec:file rx_file_perms; 63allow shell tzdatacheck_exec:file rx_file_perms; 64allow shell shell_exec:file rx_file_perms; 65allow shell zygote_exec:file rx_file_perms; 66 67r_dir_file(shell, apk_data_file) 68 69userdebug_or_eng(` 70 # "systrace --boot" support - allow boottrace service to run 71 allow shell boottrace_data_file:dir rw_dir_perms; 72 allow shell boottrace_data_file:file create_file_perms; 73') 74 75# allow shell access to services 76allow shell servicemanager:service_manager list; 77# don't allow shell to access GateKeeper service 78# TODO: why is this so broad? Tightening candidate? It needs at list: 79# - dumpstate_service (so it can receive dumpstate progress updates) 80allow shell { 81 service_manager_type 82 -apex_service 83 -dnsresolver_service 84 -gatekeeper_service 85 -incident_service 86 -installd_service 87 -iorapd_service 88 -mdns_service 89 -netd_service 90 -system_suspend_control_internal_service 91 -system_suspend_control_service 92 -virtual_touchpad_service 93 -vold_service 94 -default_android_service 95}:service_manager find; 96allow shell dumpstate:binder call; 97 98# allow shell to get information from hwservicemanager 99# for instance, listing hardware services with lshal 100hwbinder_use(shell) 101allow shell hwservicemanager:hwservice_manager list; 102 103# allow shell to look through /proc/ for lsmod, ps, top, netstat, vmstat. 104r_dir_file(shell, proc_net_type) 105 106allow shell { 107 proc_asound 108 proc_filesystems 109 proc_interrupts 110 proc_loadavg # b/124024827 111 proc_meminfo 112 proc_modules 113 proc_pid_max 114 proc_slabinfo 115 proc_stat 116 proc_timer 117 proc_uptime 118 proc_version 119 proc_vmstat 120 proc_zoneinfo 121}:file r_file_perms; 122 123# allow listing network interfaces under /sys/class/net. 124allow shell sysfs_net:dir r_dir_perms; 125 126r_dir_file(shell, cgroup) 127allow shell cgroup_desc_file:file r_file_perms; 128allow shell cgroup_desc_api_file:file r_file_perms; 129allow shell vendor_cgroup_desc_file:file r_file_perms; 130r_dir_file(shell, cgroup_v2) 131allow shell domain:dir { search open read getattr }; 132allow shell domain:{ file lnk_file } { open read getattr }; 133 134# statvfs() of /proc and other labeled filesystems 135# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs, overlay) 136allow shell { proc labeledfs }:filesystem getattr; 137 138# stat() of /dev 139allow shell device:dir getattr; 140 141# allow shell to read /proc/pid/attr/current for ps -Z 142allow shell domain:process getattr; 143 144# Allow pulling the SELinux policy for CTS purposes 145allow shell selinuxfs:dir r_dir_perms; 146allow shell selinuxfs:file r_file_perms; 147 148# enable shell domain to read/write files/dirs for bootchart data 149# User will creates the start and stop file via adb shell 150# and read other files created by init process under /data/bootchart 151allow shell bootchart_data_file:dir rw_dir_perms; 152allow shell bootchart_data_file:file create_file_perms; 153 154# Make sure strace works for the non-privileged shell user 155allow shell self:process ptrace; 156 157# allow shell to get battery info 158allow shell sysfs:dir r_dir_perms; 159allow shell sysfs_batteryinfo:dir r_dir_perms; 160allow shell sysfs_batteryinfo:file r_file_perms; 161 162# Allow access to ion memory allocation device. 163allow shell ion_device:chr_file rw_file_perms; 164 165# 166# filesystem test for insecure chr_file's is done 167# via a host side test 168# 169allow shell dev_type:dir r_dir_perms; 170allow shell dev_type:chr_file getattr; 171 172# /dev/fd is a symlink 173allow shell proc:lnk_file getattr; 174 175# 176# filesystem test for insucre blk_file's is done 177# via hostside test 178# 179allow shell dev_type:blk_file getattr; 180 181# read selinux policy files 182allow shell file_contexts_file:file r_file_perms; 183allow shell property_contexts_file:file r_file_perms; 184allow shell seapp_contexts_file:file r_file_perms; 185allow shell service_contexts_file:file r_file_perms; 186allow shell sepolicy_file:file r_file_perms; 187 188# Allow shell to start up vendor shell 189allow shell vendor_shell_exec:file rx_file_perms; 190 191# Everything is labeled as rootfs in recovery mode. Allow shell to 192# execute them. 193recovery_only(` 194 allow shell rootfs:file rx_file_perms; 195') 196 197### 198### Neverallow rules 199### 200 201# Do not allow shell to hard link to any files. 202# In particular, if shell hard links to app data 203# files, installd will not be able to guarantee the deletion 204# of the linked to file. Hard links also contribute to security 205# bugs, so we want to ensure the shell user never has this 206# capability. 207neverallow shell file_type:file link; 208 209# Do not allow privileged socket ioctl commands 210neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls; 211 212# limit shell access to sensitive char drivers to 213# only getattr required for host side test. 214neverallow shell { 215 fuse_device 216 hw_random_device 217 port_device 218}:chr_file ~getattr; 219 220# Limit shell to only getattr on blk devices for host side tests. 221neverallow shell dev_type:blk_file ~getattr; 222 223# b/30861057: Shell access to existing input devices is an abuse 224# vector. The shell user can inject events that look like they 225# originate from the touchscreen etc. 226# Everyone should have already moved to UiAutomation#injectInputEvent 227# if they are running instrumentation tests (i.e. CTS), Monkey for 228# their stress tests, and the input command (adb shell input ...) for 229# injecting swipes and things. 230neverallow shell input_device:chr_file no_w_file_perms; 231