# Policy for the `shell` domain: the unprivileged shell user that commands
# such as `adb shell` run as. Many of the rules below exist only to support
# CTS/host-side tests or developer tooling; each one widens what an attacker
# holding a shell can reach, so every rule should carry a reason.
#
# mlstrustedsubject: MLS (category) constraints do not apply to this domain,
# so only the type-enforcement rules in this file bound it.
typeattribute shell coredomain, mlstrustedsubject;

# allow shell input injection
# rw access to /dev/uhid lets shell create virtual HID devices and feed
# events through them. Write access to the *existing* input devices is
# forbidden by the input_device neverallow at the end of this file, so uhid
# is the sanctioned injection path.
allow shell uhid_device:chr_file rw_file_perms;

# systrace support - allow atrace to run
allow shell debugfs_tracing_debug:dir r_dir_perms;
allow shell debugfs_tracing:dir r_dir_perms;
allow shell debugfs_tracing:file rw_file_perms;
allow shell debugfs_trace_marker:file getattr;
allow shell atrace_exec:file rx_file_perms;

# Writable tracing debugfs is compiled in only for userdebug/eng builds;
# user builds get read access only (rule above).
userdebug_or_eng(`
  allow shell debugfs_tracing_debug:file rw_file_perms;
')

# read config.gz for CTS purposes
allow shell config_gz:file r_file_perms;

# allow reading tombstones. users can already use bugreports to get those.
allow shell tombstone_data_file:dir r_dir_perms;
allow shell tombstone_data_file:file r_file_perms;

# Run app_process.
# XXX Transition into its own domain?
# Note: app_domain() gives shell the common app-domain rules; the open
# question above is whether app_process launched from shell should run in a
# dedicated domain instead of staying in `shell`.
app_domain(shell)

# allow shell to call dumpsys storaged
binder_call(shell, storaged)

# Perform SELinux access checks, needed for CTS
selinux_check_access(shell)
selinux_check_context(shell)

# Control Perfetto traced and obtain traces from it.
# Needed for Studio and debugging.
unix_socket_connect(shell, traced_consumer, traced)

# Allow shell binaries to write trace data to Perfetto. Used for testing and
# cmdline utils.
perfetto_producer(shell)

# Executing vendor_shell_exec moves shell into the vendor_shell domain rather
# than running the vendor binary with shell's own permissions.
domain_auto_trans(shell, vendor_shell_exec, vendor_shell)

# Allow shell to execute tradeinmode for testing.
domain_auto_trans(shell, tradeinmode_exec, tradeinmode)

# Allow shell binaries to exec the perfetto cmdline util and have that
# transition into its own domain, so that it behaves consistently to
# when exec()-d by statsd.
domain_auto_trans(shell, perfetto_exec, perfetto)
# Allow to send SIGINT to perfetto when daemonized.
allow shell perfetto:process signal;

# Allow shell to run adb shell cmd stats commands. Needed for CTS.
binder_call(shell, statsd);

# Allow shell to read and unlink traces stored in /data/misc/a11ytraces.
# (a11y traces; userdebug/eng builds only - see the comment above.)
userdebug_or_eng(`
  allow shell accessibility_trace_data_file:dir rw_dir_perms;
  allow shell accessibility_trace_data_file:file { r_file_perms unlink };
')

# Allow shell to read and unlink traces stored in /data/misc/perfetto-traces.
# Read + unlink only: shell may collect and clean up traces but not forge or
# modify them in place.
allow shell perfetto_traces_data_file:dir rw_dir_perms;
allow shell perfetto_traces_data_file:file { r_file_perms unlink };
# ... and /data/misc/perfetto-traces/bugreport/ .
allow shell perfetto_traces_bugreport_data_file:dir rw_dir_perms;
allow shell perfetto_traces_bugreport_data_file:file { r_file_perms unlink };

# Allow shell to create/remove configs stored in /data/misc/perfetto-configs.
# Unlike the trace directories above, configs are fully writable by shell.
allow shell perfetto_configs_data_file:dir rw_dir_perms;
allow shell perfetto_configs_data_file:file create_file_perms;

# Allow shell to run adb shell cmd gpu commands.
binder_call(shell, gpuservice);

# Allow shell to use atrace HAL
hal_client_domain(shell, hal_atrace)

# For hostside tests such as CTS listening ports test.
allow shell proc_net_tcp_udp:file r_file_perms;

# The dl.exec_linker* tests need to execute /system/bin/linker
# b/124789393
# No domain transition: the linker runs with shell's permissions.
allow shell system_linker_exec:file rx_file_perms;

# Renderscript host side tests depend on being able to execute
# /system/bin/bcc (b/126388046)
allow shell rs_exec:file rx_file_perms;

# Allow (host-driven) ART run-tests to execute dex2oat, in order to
# check ART's compiler.
allow shell dex2oat_exec:file rx_file_perms;
allow shell dex2oat_exec:lnk_file read;

# Allow shell to start and communicate with lpdumpd.
set_prop(shell, lpdumpd_prop);
binder_call(shell, lpdumpd)

# Allow shell to set and read value of properties used for CTS tests of
# userspace reboot
set_prop(shell, userspace_reboot_test_prop)

# Allow shell to set this property to disable charging.
set_prop(shell, power_debug_prop)

# Allow shell to set this property used for rollback tests
set_prop(shell, rollback_test_prop)

# Allow shell to set RKP properties for testing purposes
set_prop(shell, remote_prov_prop)

# Allow shell to enable 16 KB backcompat globally.
set_prop(shell, bionic_linker_16kb_app_compat_prop)

# Allow shell to disable compat in package manager
set_prop(shell, pm_16kb_app_compat_prop)

# Allow shell to get encryption policy of /data/local/tmp/, for CTS
# Only the two read-only FS_IOC_GET_* ioctls are granted; the ioctl list is
# an allowlist, so setting or removing an encryption policy stays denied.
allowxperm shell shell_data_file:dir ioctl {
  FS_IOC_GET_ENCRYPTION_POLICY
  FS_IOC_GET_ENCRYPTION_POLICY_EX
};

# Allow shell to execute simpleperf without a domain transition.
allow shell simpleperf_exec:file rx_file_perms;

# profcollectd access is for userdebug/eng builds only.
userdebug_or_eng(`
  # Allow shell to execute profcollectctl without a domain transition.
  allow shell profcollectd_exec:file rx_file_perms;

  # Allow shell to read profcollectd data files.
  r_dir_file(shell, profcollectd_data_file)

  # Allow to issue control commands to profcollectd binder service.
  allow shell profcollectd:binder call;
')

# Allow shell to run remount command.
allow shell remount_exec:file rx_file_perms;

# Allow shell to call perf_event_open for profiling other shell processes, but
# not the whole system.
# `self` scopes this to shell's own processes; the matching neverallow at the
# end of this file pins the permission set to exactly these four.
allow shell self:perf_event { open read write kernel };

# Allow shell to read microdroid vendor image
r_dir_file(shell, vendor_microdroid_file)

# Allow shell to read /apex/apex-info-list.xml and the vendor apexes
allow shell apex_info_file:file r_file_perms;
allow shell vendor_apex_file:file r_file_perms;
allow shell vendor_apex_file:dir r_dir_perms;
allow shell vendor_apex_metadata_file:dir r_dir_perms;

# Allow shell to read updated APEXes under /data/apex
# `search` only on the directory: shell can traverse to a known path but not
# list the directory's contents.
allow shell apex_data_file:dir search;
allow shell staging_data_file:file r_file_perms;

# Set properties.
# Property write access. Each set_prop() grants `set` on one property
# context; ctl_* contexts drive init's ctl.start/stop/restart for the named
# service, so these are effectively "start/stop this daemon" permissions.
set_prop(shell, shell_prop)
set_prop(shell, ctl_bugreport_prop)
set_prop(shell, ctl_dumpstate_prop)
set_prop(shell, dumpstate_prop)
set_prop(shell, exported_dumpstate_prop)
set_prop(shell, debug_prop)
set_prop(shell, perf_drop_caches_prop)
# NOTE(review): powerctl_prop presumably covers sys.powerctl
# (reboot/shutdown) - confirm against property_contexts.
set_prop(shell, powerctl_prop)
set_prop(shell, log_tag_prop)
set_prop(shell, wifi_log_prop)
# Allow shell to start/stop traced via the persist.traced.enable
# property (which also takes care of /data/misc initialization).
set_prop(shell, traced_enabled_prop)
# adjust SELinux audit rates
set_prop(shell, logd_auditrate_prop)
# adjust is_loggable properties
userdebug_or_eng(`set_prop(shell, log_prop)')
# logpersist script
userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)')
# Allow shell to start/stop heapprofd via the persist.heapprofd.enable
# property.
set_prop(shell, heapprofd_enabled_prop)
# Allow shell to start/stop traced_perf via the persist.traced_perf.enable
# property.
set_prop(shell, traced_perf_enabled_prop)
# Allow shell to start/stop gsid via ctl.start|stop|restart gsid.
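set_prop(shell, ctl_gsid_prop)
set_prop(shell, ctl_snapuserd_prop)
# Allow shell to start/stop prefetch
set_prop(shell, ctl_prefetch_prop)
# Allow shell to enable Dynamic System Update
set_prop(shell, dynamic_system_prop)
# Allow shell to mock an OTA using persist.pm.mock-upgrade
set_prop(shell, mock_ota_prop)

# Read device's serial number from system properties
get_prop(shell, serialno_prop)

# Allow shell to read the vendor security patch level for CTS
get_prop(shell, vendor_security_patch_level_prop)

# Read state of logging-related properties
get_prop(shell, device_logging_prop)

# Read state of boot reason properties
get_prop(shell, bootloader_boot_reason_prop)
get_prop(shell, last_boot_reason_prop)
get_prop(shell, system_boot_reason_prop)

# Allow shell to execute the remote key provisioning factory tool
# This grants binder calls to the keymint HAL process; finding
# hal_keymint_service itself through servicemanager is still forbidden by the
# neverallow at the end of this file, which only exempts the RKP service.
binder_call(shell, hal_keymint)
# Allow shell to run the AVF RKP HAL during the execution of the remote key
# provisioning factory tool.
# TODO(b/351113293): Remove this once the AVF RKP HAL registration is moved to
# a separate process.
binder_call(shell, virtualizationservice)
# Allow the shell to inspect whether AVF remote attestation is supported
# through the system property.
get_prop(shell, avf_virtualizationservice_prop)

# Allow reading the outcome of perf_event_open LSM support test for CTS.
get_prop(shell, init_perf_lsm_hooks_prop)

# Allow shell to read boot image timestamps and fingerprints.
get_prop(shell, build_bootimage_prop)

# Allow shell to read odsign verification properties
get_prop(shell, odsign_prop)

userdebug_or_eng(`set_prop(shell, persist_debug_prop)')

# Allow shell to read the keystore key contexts files. Used by native tests to test label lookup.
allow shell keystore2_key_contexts_file:file r_file_perms;

# Allow shell to access the keystore2_key namespace shell_key. Mainly used for native tests.
# Scoped to the shell_key namespace only; no access to other keystore2 key
# namespaces is granted here.
allow shell shell_key:keystore2_key { delete rebind use get_info update };

# Allow shell to open and execute memfd files for minijail unit tests.
# userdebug/eng only: execute_no_trans on anonymous memory is not granted on
# user builds.
userdebug_or_eng(`
  allow shell appdomain_tmpfs:file { open execute_no_trans };
')

# Allow shell to write db.log.detailed, db.log.slow_query_threshold*
set_prop(shell, sqlite_log_prop)

# Allow shell to write MTE properties even on user builds.
set_prop(shell, arm64_memtag_prop)
set_prop(shell, permissive_mte_prop)

# Allow shell to write kcmdline properties even on user builds.
set_prop(shell, kcmdline_prop)

# Allow shell to read the dm-verity props on user builds.
get_prop(shell, verity_status_prop)

# Allow shell to read Virtual A/B related properties
get_prop(shell, virtual_ab_prop)

# Allow ReadDefaultFstab() for CTS.
read_fstab(shell)

# Read access to /apex/apex-info-list.xml (also needed by CTS) is granted
# earlier in this file together with the vendor APEX rules; the duplicate
# `allow shell apex_info_file:file r_file_perms;` that used to sit here was
# redundant and has been removed.

# Let the shell user call virtualizationservice (and
# virtualizationservice call back to shell) for debugging.
virtualizationservice_use(shell)

# Allow shell to set persist.wm.debug properties
userdebug_or_eng(`set_prop(shell, persist_wm_debug_prop)')

# Allow shell to write GWP-ASan properties even on user builds.
set_prop(shell, gwp_asan_prop)

# Allow shell to set persist.sysui.notification.builder_extras_override property
userdebug_or_eng(`set_prop(shell, persist_sysui_builder_extras_prop)')
# Allow shell to set persist.sysui.notification.ranking_update_ashmem property
userdebug_or_eng(`set_prop(shell, persist_sysui_ranking_update_prop)')

# Allow shell to read the build properties for attestation feature
get_prop(shell, build_attestation_prop)

# Allow shell to execute oatdump.
# TODO (b/350628688): Remove this once it's safe to do so.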
# No domain transition: oatdump runs with shell's own permissions.
allow shell oatdump_exec:file rx_file_perms;

# Create and use network sockets.
# (Privileged socket ioctls are still excluded by the neverallowxperm at the
# end of this file.)
net_domain(shell)

# logcat
read_logd(shell)
control_logd(shell)
get_prop(shell, logd_prop)
# logcat -L (directly, or via dumpstate)
allow shell pstorefs:dir search;
allow shell pstorefs:file r_file_perms;

# Root fs.
allow shell rootfs:dir r_dir_perms;

# read files in /data/anr
allow shell anr_data_file:dir r_dir_perms;
allow shell anr_data_file:file r_file_perms;

# Access /data/local/tmp.
# Shell can create files here and execute them (rx_file_perms), so this
# directory is the standard drop location for adb-pushed binaries.
allow shell shell_data_file:dir create_dir_perms;
allow shell shell_data_file:file create_file_perms;
allow shell shell_data_file:file rx_file_perms;
allow shell shell_data_file:lnk_file create_file_perms;

# Access /data/local/tests.
# Same create + execute rights as /data/local/tmp, plus unix sockets.
allow shell shell_test_data_file:dir create_dir_perms;
allow shell shell_test_data_file:file create_file_perms;
allow shell shell_test_data_file:file rx_file_perms;
allow shell shell_test_data_file:lnk_file create_file_perms;
allow shell shell_test_data_file:sock_file create_file_perms;

# Read and delete from /data/local/traces.
# dir gets write + remove_name (needed to unlink) but not add_name, so shell
# cannot create new entries here.
allow shell trace_data_file:file { r_file_perms unlink };
allow shell trace_data_file:dir { r_dir_perms remove_name write };

# Access /data/misc/profman.
# Read and delete only (no add_name / create), mirroring /data/local/traces.
allow shell profman_dump_data_file:dir { write remove_name r_dir_perms };
allow shell profman_dump_data_file:file { unlink r_file_perms };

# Read/execute files in /data/nativetest
# userdebug/eng only.
userdebug_or_eng(`
  allow shell nativetest_data_file:dir r_dir_perms;
  allow shell nativetest_data_file:file rx_file_perms;
')

# adb bugreport
unix_socket_connect(shell, dumpstate, dumpstate)

# Terminal devices for the interactive shell.
allow shell devpts:chr_file rw_file_perms;
allow shell tty_device:chr_file rw_file_perms;
allow shell console_device:chr_file rw_file_perms;

# Input devices are readable only; writing to them is a neverallow (see the
# b/30861057 rule at the end of this file).
allow shell input_device:dir r_dir_perms;
allow shell input_device:chr_file r_file_perms;

# Execute system binaries without a domain transition.
r_dir_file(shell, system_file)
allow shell system_file:file x_file_perms;
allow shell toolbox_exec:file rx_file_perms;
allow shell shell_exec:file rx_file_perms;
allow shell zygote_exec:file rx_file_perms;

userdebug_or_eng(`
  # "systrace --boot" support - allow boottrace service to run
  allow shell boottrace_data_file:dir rw_dir_perms;
  allow shell boottrace_data_file:file create_file_perms;
')

# allow shell access to services
allow shell servicemanager:service_manager list;
# don't allow shell to access GateKeeper service
# TODO: why is this so broad? Tightening candidate? It needs at least:
# - dumpstate_service (so it can receive dumpstate progress updates)
#
# This is a deny-list over every service_manager_type: any newly added
# service becomes findable by shell unless it is explicitly excluded here.
# The exclusions (not the allow) are the security boundary, so review them
# whenever a sensitive service is added.
allow shell {
  service_manager_type
  -apex_service
  -dnsresolver_service
  -gatekeeper_service
  -hal_keymint_service
  -hal_secureclock_service
  -hal_sharedsecret_service
  -incident_service
  -installd_service
  -mdns_service
  -netd_service
  -system_suspend_control_internal_service
  -system_suspend_control_service
  -virtual_touchpad_service
  -vold_service
  -default_android_service
  -virtualization_service
}:service_manager find;
allow shell dumpstate:binder call;

# allow shell to get information from hwservicemanager
# for instance, listing hardware services with lshal
hwbinder_use(shell)
allow shell hwservicemanager:hwservice_manager list;

# allow shell to look through /proc/ for lsmod, ps, top, netstat, vmstat.
r_dir_file(shell, proc_net_type)

# Read-only access to an explicit list of /proc files; anything not named
# here stays denied.
allow shell {
  proc_asound
  proc_cgroups
  proc_filesystems
  proc_interrupts
  proc_loadavg # b/124024827
  proc_meminfo
  proc_modules
  proc_pid_max
  proc_slabinfo
  proc_stat
  proc_timer
  proc_uptime
  proc_version
  proc_vmstat
  proc_zoneinfo
}:file r_file_perms;

# allow listing network interfaces under /sys/class/net.
allow shell sysfs_net:dir r_dir_perms;

r_dir_file(shell, cgroup)
allow shell cgroup_desc_file:file r_file_perms;
allow shell vendor_cgroup_desc_file:file r_file_perms;
r_dir_file(shell, cgroup_v2)
# Read /proc/<pid> entries of processes in *every* domain (ps, top, ...).
# This is read-only, but it does expose per-process metadata of privileged
# daemons to shell.
allow shell domain:dir { search open read getattr };
allow shell domain:{ file lnk_file } { open read getattr };

# statvfs() of /proc and other labeled filesystems
# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs, overlay)
allow shell { proc labeledfs }:filesystem getattr;

# stat() of /dev
allow shell device:dir getattr;

# allow shell to read /proc/pid/attr/current for ps -Z
allow shell domain:process getattr;

# Allow pulling the SELinux policy for CTS purposes
allow shell selinuxfs:dir r_dir_perms;
allow shell selinuxfs:file r_file_perms;

# enable shell domain to read/write files/dirs for bootchart data
# The user creates the start and stop files via adb shell
# and reads other files created by the init process under /data/bootchart
allow shell bootchart_data_file:dir rw_dir_perms;
allow shell bootchart_data_file:file create_file_perms;

# Make sure strace works for the non-privileged shell user
# `self` only: shell may trace its own processes, not other domains.
allow shell self:process ptrace;

# allow shell to get battery info
allow shell sysfs:dir r_dir_perms;
allow shell sysfs_batteryinfo:dir r_dir_perms;
allow shell sysfs_batteryinfo:file r_file_perms;

# Allow reads (but not writes) of the MGLRU state
allow shell sysfs_lru_gen_enabled:file r_file_perms;

# Allow communicating with the VM terminal.
# userdebug/eng only; the ioctl set is limited to unpriv_tty_ioctls.
userdebug_or_eng(`
  allow shell vmlauncher_app_devpts:chr_file rw_file_perms;
  allowxperm shell vmlauncher_app_devpts:chr_file ioctl unpriv_tty_ioctls;
')

# Allow CTS to check whether AVF debug policy is installed
allow shell { proc_dt_avf sysfs_dt_avf }:dir search;

# Allow access to ion memory allocation device.
allow shell ion_device:chr_file rw_file_perms;

#
# filesystem test for insecure chr_file's is done
# via a host side test
#
# getattr only (no open/read/write) on every device node: the host-side test
# stats each node to check ownership and mode without being able to use it.
allow shell dev_type:dir r_dir_perms;
allow shell dev_type:chr_file getattr;

# /dev/fd is a symlink
allow shell proc:lnk_file getattr;

#
# filesystem test for insecure blk_file's is done
# via hostside test
#
allow shell dev_type:blk_file getattr;

# read selinux policy files
allow shell file_contexts_file:file r_file_perms;
allow shell property_contexts_file:file r_file_perms;
allow shell seapp_contexts_file:file r_file_perms;
allow shell service_contexts_file:file r_file_perms;
allow shell sepolicy_file:file r_file_perms;

# Allow shell to start up vendor shell
# (The exec itself transitions into the vendor_shell domain via the
# domain_auto_trans rule near the top of this file.)
allow shell vendor_shell_exec:file rx_file_perms;

# Only present when the release flag is enabled at build time.
is_flag_enabled(RELEASE_AVF_SUPPORT_CUSTOM_VM_WITH_PARAVIRTUALIZED_DEVICES, `
  allow shell linux_vm_setup_exec:file { entrypoint r_file_perms };
')

# NOTE(review): test_pkvm_tee_service is, by its name, a test-only TEE
# service; confirm it is not reachable on production builds before relying
# on that.
allow shell tee_service_contexts_file:file r_file_perms;
allow shell test_pkvm_tee_service:tee_service use;

# Everything is labeled as rootfs in recovery mode. Allow shell to
# execute them.
recovery_only(`
  allow shell rootfs:file rx_file_perms;
')

###
### Neverallow rules
###
### These are compile-time assertions: if any allow rule in the whole policy
### (including vendor additions) contradicts one of them, the policy build
### fails. They document the invariants the shell domain must never lose.

# Do not allow shell to talk directly to security HAL services other than
# hal_remotelyprovisionedcomponent_service
neverallow shell {
  hal_keymint_service
  hal_secureclock_service
  hal_sharedsecret_service
  virtualization_service
}:service_manager find;

# Do not allow shell to hard link to any files.
# In particular, if shell hard links to app data
# files, installd will not be able to guarantee the deletion
# of the linked to file. Hard links also contribute to security
# bugs, so we want to ensure the shell user never has this
# capability.
neverallow shell file_type:file link;

# Do not allow privileged socket ioctl commands
# Applies across all target domains' sockets, complementing net_domain().
neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;

# limit shell access to sensitive char drivers to
# only getattr required for host side test.
# `~getattr` forbids every chr_file permission except getattr.
neverallow shell {
  fuse_device
  hw_random_device
  port_device
}:chr_file ~getattr;

# Limit shell to only getattr on blk devices for host side tests.
neverallow shell dev_type:blk_file ~getattr;

# b/30861057: Shell access to existing input devices is an abuse
# vector. The shell user can inject events that look like they
# originate from the touchscreen etc.
# Everyone should have already moved to UiAutomation#injectInputEvent
# if they are running instrumentation tests (i.e. CTS), Monkey for
# their stress tests, and the input command (adb shell input ...) for
# injecting swipes and things.
neverallow shell input_device:chr_file no_w_file_perms;

# Pin the perf_event permission set granted above to exactly these four so
# it cannot quietly grow to system-wide profiling.
neverallow shell self:perf_event ~{ open read write kernel };

# Never allow others to set or get the perf.drop_caches property.
neverallow { domain -shell -init } perf_drop_caches_prop:property_service set;
neverallow { domain -shell -init -dumpstate } perf_drop_caches_prop:file read;