prebuilts/api/30.0/public/shell.te - platform/system/sepolicy - Git at Google

 # Domain for shell processes spawned by ADB or console service.
 type shell, domain, mlstrustedsubject;
 type shell_exec, system_file_type, exec_type, file_type;

 # Create and use network sockets.
 net_domain(shell)

 # logcat
 read_logd(shell)
 control_logd(shell)
 # logcat -L (directly, or via dumpstate)
 allow shell pstorefs:dir search;
 allow shell pstorefs:file r_file_perms;

 # Root fs.
 allow shell rootfs:dir r_dir_perms;

 # read files in /data/anr
 allow shell anr_data_file:dir r_dir_perms;
 allow shell anr_data_file:file r_file_perms;

 # Access /data/local/tmp.
 allow shell shell_data_file:dir create_dir_perms;
 allow shell shell_data_file:file create_file_perms;
 allow shell shell_data_file:file rx_file_perms;
 allow shell shell_data_file:lnk_file create_file_perms;

 # Read and delete from /data/local/traces.
 allow shell trace_data_file:file { r_file_perms unlink };
 allow shell trace_data_file:dir { r_dir_perms remove_name write };

 # Access /data/misc/profman.
 allow shell profman_dump_data_file:dir { write remove_name r_dir_perms };
 allow shell profman_dump_data_file:file { unlink r_file_perms };

 # Read/execute files in /data/nativetest
 userdebug_or_eng(`
   allow shell nativetest_data_file:dir r_dir_perms;
   allow shell nativetest_data_file:file rx_file_perms;
 ')

 # adb bugreport
 unix_socket_connect(shell, dumpstate, dumpstate)

 allow shell devpts:chr_file rw_file_perms;
 allow shell tty_device:chr_file rw_file_perms;
 allow shell console_device:chr_file rw_file_perms;

 allow shell input_device:dir r_dir_perms;
 allow shell input_device:chr_file r_file_perms;

 r_dir_file(shell, system_file)
 allow shell system_file:file x_file_perms;
 allow shell toolbox_exec:file rx_file_perms;
 allow shell tzdatacheck_exec:file rx_file_perms;
 allow shell shell_exec:file rx_file_perms;
 allow shell zygote_exec:file rx_file_perms;

 r_dir_file(shell, apk_data_file)

 # Set properties.
 set_prop(shell, shell_prop)
 set_prop(shell, ctl_bugreport_prop)
 set_prop(shell, ctl_dumpstate_prop)
 set_prop(shell, dumpstate_prop)
 set_prop(shell, exported_dumpstate_prop)
 set_prop(shell, debug_prop)
 set_prop(shell, powerctl_prop)
 set_prop(shell, log_tag_prop)
 set_prop(shell, wifi_log_prop)
 # Allow shell to start/stop traced via the persist.traced.enable
 # property (which also takes care of /data/misc initialization).
 set_prop(shell, traced_enabled_prop)
 # adjust is_loggable properties
 userdebug_or_eng(`set_prop(shell, log_prop)')
 # logpersist script
 userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)')
 # Allow shell to start/stop heapprofd via the persist.heapprofd.enable
 # property.
 set_prop(shell, heapprofd_enabled_prop)
 # Allow shell to start/stop traced_perf via the persist.traced_perf.enable
 # property.
 set_prop(shell, traced_perf_enabled_prop)
 # Allow shell to start/stop gsid via ctl.start|stop|restart gsid.
 set_prop(shell, ctl_gsid_prop)
 # Allow shell to enable Dynamic System Update
 set_prop(shell, dynamic_system_prop)
 # Allow shell to mock an OTA using persist.pm.mock-upgrade
 set_prop(shell, mock_ota_prop)

 userdebug_or_eng(`
   # "systrace --boot" support - allow boottrace service to run
   allow shell boottrace_data_file:dir rw_dir_perms;
   allow shell boottrace_data_file:file create_file_perms;
   set_prop(shell, persist_debug_prop)
 ')

 # Read device's serial number from system properties
 get_prop(shell, serialno_prop)

 # Allow shell to read the vendor security patch level for CTS
 get_prop(shell, vendor_security_patch_level_prop)

 # Read state of logging-related properties
 get_prop(shell, device_logging_prop)

 # Read state of boot reason properties
 get_prop(shell, bootloader_boot_reason_prop)
 get_prop(shell, last_boot_reason_prop)
 get_prop(shell, system_boot_reason_prop)

 # Allow reading the outcome of perf_event_open LSM support test for CTS.
 get_prop(shell, init_perf_lsm_hooks_prop)

 # allow shell access to services
 allow shell servicemanager:service_manager list;
 # don't allow shell to access GateKeeper service
 # TODO: why is this so broad? Tightening candidate? It needs at list:
 # - dumpstate_service (so it can receive dumpstate progress updates)
 allow shell {
   service_manager_type
   -apex_service
   -dnsresolver_service
   -gatekeeper_service
   -incident_service
   -installd_service
   -iorapd_service
   -netd_service
   -system_suspend_control_service
   -virtual_touchpad_service
   -vold_service
   -vr_hwc_service
   -default_android_service
 }:service_manager find;
 allow shell dumpstate:binder call;

 # allow shell to get information from hwservicemanager
 # for instance, listing hardware services with lshal
 hwbinder_use(shell)
 allow shell hwservicemanager:hwservice_manager list;

 # allow shell to look through /proc/ for lsmod, ps, top, netstat, vmstat.
 r_dir_file(shell, proc_net_type)

 allow shell {
   proc_asound
   proc_filesystems
   proc_interrupts
   proc_loadavg # b/124024827
   proc_meminfo
   proc_modules
   proc_pid_max
   proc_slabinfo
   proc_stat
   proc_timer
   proc_uptime
   proc_version
   proc_vmstat
   proc_zoneinfo
 }:file r_file_perms;

 # allow listing network interfaces under /sys/class/net.
 allow shell sysfs_net:dir r_dir_perms;

 r_dir_file(shell, cgroup)
 allow shell domain:dir { search open read getattr };
 allow shell domain:{ file lnk_file } { open read getattr };

 # statvfs() of /proc and other labeled filesystems
 # (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs, overlay)
 allow shell { proc labeledfs }:filesystem getattr;

 # stat() of /dev
 allow shell device:dir getattr;

 # allow shell to read /proc/pid/attr/current for ps -Z
 allow shell domain:process getattr;

 # Allow pulling the SELinux policy for CTS purposes
 allow shell selinuxfs:dir r_dir_perms;
 allow shell selinuxfs:file r_file_perms;

 # enable shell domain to read/write files/dirs for bootchart data
 # User will creates the start and stop file via adb shell
 # and read other files created by init process under /data/bootchart
 allow shell bootchart_data_file:dir rw_dir_perms;
 allow shell bootchart_data_file:file create_file_perms;

 # Make sure strace works for the non-privileged shell user
 allow shell self:process ptrace;

 # allow shell to get battery info
 allow shell sysfs:dir r_dir_perms;
 allow shell sysfs_batteryinfo:dir r_dir_perms;
 allow shell sysfs_batteryinfo:file r_file_perms;

 # Allow access to ion memory allocation device.
 allow shell ion_device:chr_file rw_file_perms;

 #
 # filesystem test for insecure chr_file's is done
 # via a host side test
 #
 allow shell dev_type:dir r_dir_perms;
 allow shell dev_type:chr_file getattr;

 # /dev/fd is a symlink
 allow shell proc:lnk_file getattr;

 #
 # filesystem test for insucre blk_file's is done
 # via hostside test
 #
 allow shell dev_type:blk_file getattr;

 # read selinux policy files
 allow shell file_contexts_file:file r_file_perms;
 allow shell property_contexts_file:file r_file_perms;
 allow shell seapp_contexts_file:file r_file_perms;
 allow shell service_contexts_file:file r_file_perms;
 allow shell sepolicy_file:file r_file_perms;

 # Allow shell to start up vendor shell
 allow shell vendor_shell_exec:file rx_file_perms;

 # Everything is labeled as rootfs in recovery mode. Allow shell to
 # execute them.
 recovery_only(`
   allow shell rootfs:file rx_file_perms;
 ')

 ###
 ### Neverallow rules
 ###

 # Do not allow shell to hard link to any files.
 # In particular, if shell hard links to app data
 # files, installd will not be able to guarantee the deletion
 # of the linked to file. Hard links also contribute to security
 # bugs, so we want to ensure the shell user never has this
 # capability.
 neverallow shell file_type:file link;

 # Do not allow privileged socket ioctl commands
 neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;

 # limit shell access to sensitive char drivers to
 # only getattr required for host side test.
 neverallow shell {
   fuse_device
   hw_random_device
   port_device
 }:chr_file ~getattr;

 # Limit shell to only getattr on blk devices for host side tests.
 neverallow shell dev_type:blk_file ~getattr;

 # b/30861057: Shell access to existing input devices is an abuse
 # vector. The shell user can inject events that look like they
 # originate from the touchscreen etc.
 # Everyone should have already moved to UiAutomation#injectInputEvent
 # if they are running instrumentation tests (i.e. CTS), Monkey for
 # their stress tests, and the input command (adb shell input ...) for
 # injecting swipes and things.
 neverallow shell input_device:chr_file no_w_file_perms;
	# Domain for shell processes spawned by ADB or console service.
	type shell, domain, mlstrustedsubject;
	type shell_exec, system_file_type, exec_type, file_type;

	# Create and use network sockets.
	net_domain(shell)

	# logcat
	read_logd(shell)
	control_logd(shell)
	# logcat -L (directly, or via dumpstate)
	allow shell pstorefs:dir search;
	allow shell pstorefs:file r_file_perms;

	# Root fs.
	allow shell rootfs:dir r_dir_perms;

	# read files in /data/anr
	allow shell anr_data_file:dir r_dir_perms;
	allow shell anr_data_file:file r_file_perms;

	# Access /data/local/tmp.
	allow shell shell_data_file:dir create_dir_perms;
	allow shell shell_data_file:file create_file_perms;
	allow shell shell_data_file:file rx_file_perms;
	allow shell shell_data_file:lnk_file create_file_perms;

	# Read and delete from /data/local/traces.
	allow shell trace_data_file:file { r_file_perms unlink };
	allow shell trace_data_file:dir { r_dir_perms remove_name write };

	# Access /data/misc/profman.
	allow shell profman_dump_data_file:dir { write remove_name r_dir_perms };
	allow shell profman_dump_data_file:file { unlink r_file_perms };

	# Read/execute files in /data/nativetest
	userdebug_or_eng(`
	allow shell nativetest_data_file:dir r_dir_perms;
	allow shell nativetest_data_file:file rx_file_perms;
	')

	# adb bugreport
	unix_socket_connect(shell, dumpstate, dumpstate)

	allow shell devpts:chr_file rw_file_perms;
	allow shell tty_device:chr_file rw_file_perms;
	allow shell console_device:chr_file rw_file_perms;

	allow shell input_device:dir r_dir_perms;
	allow shell input_device:chr_file r_file_perms;

	r_dir_file(shell, system_file)
	allow shell system_file:file x_file_perms;
	allow shell toolbox_exec:file rx_file_perms;
	allow shell tzdatacheck_exec:file rx_file_perms;
	allow shell shell_exec:file rx_file_perms;
	allow shell zygote_exec:file rx_file_perms;

	r_dir_file(shell, apk_data_file)

	# Set properties.
	set_prop(shell, shell_prop)
	set_prop(shell, ctl_bugreport_prop)
	set_prop(shell, ctl_dumpstate_prop)
	set_prop(shell, dumpstate_prop)
	set_prop(shell, exported_dumpstate_prop)
	set_prop(shell, debug_prop)
	set_prop(shell, powerctl_prop)
	set_prop(shell, log_tag_prop)
	set_prop(shell, wifi_log_prop)
	# Allow shell to start/stop traced via the persist.traced.enable
	# property (which also takes care of /data/misc initialization).
	set_prop(shell, traced_enabled_prop)
	# adjust is_loggable properties
	userdebug_or_eng(`set_prop(shell, log_prop)')
	# logpersist script
	userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)')
	# Allow shell to start/stop heapprofd via the persist.heapprofd.enable
	# property.
	set_prop(shell, heapprofd_enabled_prop)
	# Allow shell to start/stop traced_perf via the persist.traced_perf.enable
	# property.
	set_prop(shell, traced_perf_enabled_prop)
	# Allow shell to start/stop gsid via ctl.start\|stop\|restart gsid.
	set_prop(shell, ctl_gsid_prop)
	# Allow shell to enable Dynamic System Update
	set_prop(shell, dynamic_system_prop)
	# Allow shell to mock an OTA using persist.pm.mock-upgrade
	set_prop(shell, mock_ota_prop)

	userdebug_or_eng(`
	# "systrace --boot" support - allow boottrace service to run
	allow shell boottrace_data_file:dir rw_dir_perms;
	allow shell boottrace_data_file:file create_file_perms;
	set_prop(shell, persist_debug_prop)
	')

	# Read device's serial number from system properties
	get_prop(shell, serialno_prop)

	# Allow shell to read the vendor security patch level for CTS
	get_prop(shell, vendor_security_patch_level_prop)

	# Read state of logging-related properties
	get_prop(shell, device_logging_prop)

	# Read state of boot reason properties
	get_prop(shell, bootloader_boot_reason_prop)
	get_prop(shell, last_boot_reason_prop)
	get_prop(shell, system_boot_reason_prop)

	# Allow reading the outcome of perf_event_open LSM support test for CTS.
	get_prop(shell, init_perf_lsm_hooks_prop)

	# allow shell access to services
	allow shell servicemanager:service_manager list;
	# don't allow shell to access GateKeeper service
	# TODO: why is this so broad? Tightening candidate? It needs at list:
	# - dumpstate_service (so it can receive dumpstate progress updates)
	allow shell {
	service_manager_type
	-apex_service
	-dnsresolver_service
	-gatekeeper_service
	-incident_service
	-installd_service
	-iorapd_service
	-netd_service
	-system_suspend_control_service
	-virtual_touchpad_service
	-vold_service
	-vr_hwc_service
	-default_android_service
	}:service_manager find;
	allow shell dumpstate:binder call;

	# allow shell to get information from hwservicemanager
	# for instance, listing hardware services with lshal
	hwbinder_use(shell)
	allow shell hwservicemanager:hwservice_manager list;

	# allow shell to look through /proc/ for lsmod, ps, top, netstat, vmstat.
	r_dir_file(shell, proc_net_type)

	allow shell {
	proc_asound
	proc_filesystems
	proc_interrupts
	proc_loadavg # b/124024827
	proc_meminfo
	proc_modules
	proc_pid_max
	proc_slabinfo
	proc_stat
	proc_timer
	proc_uptime
	proc_version
	proc_vmstat
	proc_zoneinfo
	}:file r_file_perms;

	# allow listing network interfaces under /sys/class/net.
	allow shell sysfs_net:dir r_dir_perms;

	r_dir_file(shell, cgroup)
	allow shell domain:dir { search open read getattr };
	allow shell domain:{ file lnk_file } { open read getattr };

	# statvfs() of /proc and other labeled filesystems
	# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs, overlay)
	allow shell { proc labeledfs }:filesystem getattr;

	# stat() of /dev
	allow shell device:dir getattr;

	# allow shell to read /proc/pid/attr/current for ps -Z
	allow shell domain:process getattr;

	# Allow pulling the SELinux policy for CTS purposes
	allow shell selinuxfs:dir r_dir_perms;
	allow shell selinuxfs:file r_file_perms;

	# enable shell domain to read/write files/dirs for bootchart data
	# User will creates the start and stop file via adb shell
	# and read other files created by init process under /data/bootchart
	allow shell bootchart_data_file:dir rw_dir_perms;
	allow shell bootchart_data_file:file create_file_perms;

	# Make sure strace works for the non-privileged shell user
	allow shell self:process ptrace;

	# allow shell to get battery info
	allow shell sysfs:dir r_dir_perms;
	allow shell sysfs_batteryinfo:dir r_dir_perms;
	allow shell sysfs_batteryinfo:file r_file_perms;

	# Allow access to ion memory allocation device.
	allow shell ion_device:chr_file rw_file_perms;

	#
	# filesystem test for insecure chr_file's is done
	# via a host side test
	#
	allow shell dev_type:dir r_dir_perms;
	allow shell dev_type:chr_file getattr;

	# /dev/fd is a symlink
	allow shell proc:lnk_file getattr;

	#
	# filesystem test for insucre blk_file's is done
	# via hostside test
	#
	allow shell dev_type:blk_file getattr;

	# read selinux policy files
	allow shell file_contexts_file:file r_file_perms;
	allow shell property_contexts_file:file r_file_perms;
	allow shell seapp_contexts_file:file r_file_perms;
	allow shell service_contexts_file:file r_file_perms;
	allow shell sepolicy_file:file r_file_perms;

	# Allow shell to start up vendor shell
	allow shell vendor_shell_exec:file rx_file_perms;

	# Everything is labeled as rootfs in recovery mode. Allow shell to
	# execute them.
	recovery_only(`
	allow shell rootfs:file rx_file_perms;
	')

	###
	### Neverallow rules
	###

	# Do not allow shell to hard link to any files.
	# In particular, if shell hard links to app data
	# files, installd will not be able to guarantee the deletion
	# of the linked to file. Hard links also contribute to security
	# bugs, so we want to ensure the shell user never has this
	# capability.
	neverallow shell file_type:file link;

	# Do not allow privileged socket ioctl commands
	neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;

	# limit shell access to sensitive char drivers to
	# only getattr required for host side test.
	neverallow shell {
	fuse_device
	hw_random_device
	port_device
	}:chr_file ~getattr;

	# Limit shell to only getattr on blk devices for host side tests.
	neverallow shell dev_type:blk_file ~getattr;

	# b/30861057: Shell access to existing input devices is an abuse
	# vector. The shell user can inject events that look like they
	# originate from the touchscreen etc.
	# Everyone should have already moved to UiAutomation#injectInputEvent
	# if they are running instrumentation tests (i.e. CTS), Monkey for
	# their stress tests, and the input command (adb shell input ...) for
	# injecting swipes and things.
	neverallow shell input_device:chr_file no_w_file_perms;