1# Domain for shell processes spawned by ADB or console service. 2type shell, domain, mlstrustedsubject; 3type shell_exec, system_file_type, exec_type, file_type; 4 5# Create and use network sockets. 6net_domain(shell) 7 8# logcat 9read_logd(shell) 10control_logd(shell) 11get_prop(shell, logd_prop) 12# logcat -L (directly, or via dumpstate) 13allow shell pstorefs:dir search; 14allow shell pstorefs:file r_file_perms; 15 16# Root fs. 17allow shell rootfs:dir r_dir_perms; 18 19# read files in /data/anr 20allow shell anr_data_file:dir r_dir_perms; 21allow shell anr_data_file:file r_file_perms; 22 23# Access /data/local/tmp. 24allow shell shell_data_file:dir create_dir_perms; 25allow shell shell_data_file:file create_file_perms; 26allow shell shell_data_file:file rx_file_perms; 27allow shell shell_data_file:lnk_file create_file_perms; 28 29# Access /data/local/tests. 30allow shell shell_test_data_file:dir create_dir_perms; 31allow shell shell_test_data_file:file create_file_perms; 32allow shell shell_test_data_file:file rx_file_perms; 33allow shell shell_test_data_file:lnk_file create_file_perms; 34allow shell shell_test_data_file:sock_file create_file_perms; 35 36# Read and delete from /data/local/traces. 37allow shell trace_data_file:file { r_file_perms unlink }; 38allow shell trace_data_file:dir { r_dir_perms remove_name write }; 39 40# Access /data/misc/profman. 41allow shell profman_dump_data_file:dir { write remove_name r_dir_perms }; 42allow shell profman_dump_data_file:file { unlink r_file_perms }; 43 44# Read/execute files in /data/nativetest 45userdebug_or_eng(` 46 allow shell nativetest_data_file:dir r_dir_perms; 47 allow shell nativetest_data_file:file rx_file_perms; 48') 49 50# adb bugreport 51unix_socket_connect(shell, dumpstate, dumpstate) 52 53allow shell devpts:chr_file rw_file_perms; 54allow shell tty_device:chr_file rw_file_perms; 55allow shell console_device:chr_file rw_file_perms; 56 57allow shell input_device:dir r_dir_perms; 58allow shell input_device:chr_file r_file_perms; 59 60r_dir_file(shell, system_file) 61allow shell system_file:file x_file_perms; 62allow shell toolbox_exec:file rx_file_perms; 63allow shell shell_exec:file rx_file_perms; 64allow shell zygote_exec:file rx_file_perms; 65 66userdebug_or_eng(` 67 # "systrace --boot" support - allow boottrace service to run 68 allow shell boottrace_data_file:dir rw_dir_perms; 69 allow shell boottrace_data_file:file create_file_perms; 70') 71 72# allow shell access to services 73allow shell servicemanager:service_manager list; 74# don't allow shell to access GateKeeper service 75# TODO: why is this so broad? Tightening candidate? It needs at list: 76# - dumpstate_service (so it can receive dumpstate progress updates) 77allow shell { 78 service_manager_type 79 -apex_service 80 -dnsresolver_service 81 -gatekeeper_service 82 -hal_keymint_service 83 -hal_secureclock_service 84 -hal_sharedsecret_service 85 -incident_service 86 -installd_service 87 -mdns_service 88 -netd_service 89 -system_suspend_control_internal_service 90 -system_suspend_control_service 91 -virtual_touchpad_service 92 -vold_service 93 -default_android_service 94}:service_manager find; 95allow shell dumpstate:binder call; 96 97# allow shell to get information from hwservicemanager 98# for instance, listing hardware services with lshal 99hwbinder_use(shell) 100allow shell hwservicemanager:hwservice_manager list; 101 102# allow shell to look through /proc/ for lsmod, ps, top, netstat, vmstat. 103r_dir_file(shell, proc_net_type) 104 105allow shell { 106 proc_asound 107 proc_filesystems 108 proc_interrupts 109 proc_loadavg # b/124024827 110 proc_meminfo 111 proc_modules 112 proc_pid_max 113 proc_slabinfo 114 proc_stat 115 proc_timer 116 proc_uptime 117 proc_version 118 proc_vmstat 119 proc_zoneinfo 120}:file r_file_perms; 121 122# allow listing network interfaces under /sys/class/net. 123allow shell sysfs_net:dir r_dir_perms; 124 125r_dir_file(shell, cgroup) 126allow shell cgroup_desc_file:file r_file_perms; 127allow shell cgroup_desc_api_file:file r_file_perms; 128allow shell vendor_cgroup_desc_file:file r_file_perms; 129r_dir_file(shell, cgroup_v2) 130allow shell domain:dir { search open read getattr }; 131allow shell domain:{ file lnk_file } { open read getattr }; 132 133# statvfs() of /proc and other labeled filesystems 134# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs, overlay) 135allow shell { proc labeledfs }:filesystem getattr; 136 137# stat() of /dev 138allow shell device:dir getattr; 139 140# allow shell to read /proc/pid/attr/current for ps -Z 141allow shell domain:process getattr; 142 143# Allow pulling the SELinux policy for CTS purposes 144allow shell selinuxfs:dir r_dir_perms; 145allow shell selinuxfs:file r_file_perms; 146 147# enable shell domain to read/write files/dirs for bootchart data 148# User will creates the start and stop file via adb shell 149# and read other files created by init process under /data/bootchart 150allow shell bootchart_data_file:dir rw_dir_perms; 151allow shell bootchart_data_file:file create_file_perms; 152 153# Make sure strace works for the non-privileged shell user 154allow shell self:process ptrace; 155 156# allow shell to get battery info 157allow shell sysfs:dir r_dir_perms; 158allow shell sysfs_batteryinfo:dir r_dir_perms; 159allow shell sysfs_batteryinfo:file r_file_perms; 160 161# Allow access to ion memory allocation device. 162allow shell ion_device:chr_file rw_file_perms; 163 164# 165# filesystem test for insecure chr_file's is done 166# via a host side test 167# 168allow shell dev_type:dir r_dir_perms; 169allow shell dev_type:chr_file getattr; 170 171# /dev/fd is a symlink 172allow shell proc:lnk_file getattr; 173 174# 175# filesystem test for insucre blk_file's is done 176# via hostside test 177# 178allow shell dev_type:blk_file getattr; 179 180# read selinux policy files 181allow shell file_contexts_file:file r_file_perms; 182allow shell property_contexts_file:file r_file_perms; 183allow shell seapp_contexts_file:file r_file_perms; 184allow shell service_contexts_file:file r_file_perms; 185allow shell sepolicy_file:file r_file_perms; 186 187# Allow shell to start up vendor shell 188allow shell vendor_shell_exec:file rx_file_perms; 189 190# Everything is labeled as rootfs in recovery mode. Allow shell to 191# execute them. 192recovery_only(` 193 allow shell rootfs:file rx_file_perms; 194') 195 196### 197### Neverallow rules 198### 199 200# Do not allow shell to talk directly to security HAL services other than 201# hal_remotelyprovisionedcomponent_service 202neverallow shell { 203 hal_keymint_service 204 hal_secureclock_service 205 hal_sharedsecret_service 206}:service_manager find; 207 208# Do not allow shell to hard link to any files. 209# In particular, if shell hard links to app data 210# files, installd will not be able to guarantee the deletion 211# of the linked to file. Hard links also contribute to security 212# bugs, so we want to ensure the shell user never has this 213# capability. 214neverallow shell file_type:file link; 215 216# Do not allow privileged socket ioctl commands 217neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls; 218 219# limit shell access to sensitive char drivers to 220# only getattr required for host side test. 221neverallow shell { 222 fuse_device 223 hw_random_device 224 port_device 225}:chr_file ~getattr; 226 227# Limit shell to only getattr on blk devices for host side tests. 228neverallow shell dev_type:blk_file ~getattr; 229 230# b/30861057: Shell access to existing input devices is an abuse 231# vector. The shell user can inject events that look like they 232# originate from the touchscreen etc. 233# Everyone should have already moved to UiAutomation#injectInputEvent 234# if they are running instrumentation tests (i.e. CTS), Monkey for 235# their stress tests, and the input command (adb shell input ...) for 236# injecting swipes and things. 237neverallow shell input_device:chr_file no_w_file_perms; 238