shell.te

# Domain for shell processes spawned by ADB or console service.
type shell, domain, mlstrustedsubject;
type shell_exec, exec_type, file_type;

# Create and use network sockets.
net_domain(shell)

# Run app_process.
# XXX Transition into its own domain?
app_domain(shell)

# logcat
read_logd(shell)
control_logd(shell)
# logcat -L (directly, or via dumpstate)
allow shell pstorefs:dir search;
allow shell pstorefs:file r_file_perms;
# logpersistd (nee logcatd) files
userdebug_or_eng(`
  allow shell misc_logd_file:dir r_dir_perms;
  allow shell misc_logd_file:file r_file_perms;
')

# Root fs.
allow shell rootfs:dir r_dir_perms;

# read files in /data/anr
allow shell anr_data_file:dir r_dir_perms;
allow shell anr_data_file:file r_file_perms;

# Access /data/local/tmp.
allow shell shell_data_file:dir create_dir_perms;
allow shell shell_data_file:file create_file_perms;
allow shell shell_data_file:file rx_file_perms;
allow shell shell_data_file:lnk_file create_file_perms;

# Access /data/misc/profman.
allow shell profman_dump_data_file:dir { search getattr write remove_name };
allow shell profman_dump_data_file:file { getattr unlink };

# Read/execute files in /data/nativetest
userdebug_or_eng(`
  allow shell nativetest_data_file:dir r_dir_perms;
  allow shell nativetest_data_file:file rx_file_perms;
')

# adb bugreport
unix_socket_connect(shell, dumpstate, dumpstate)

allow shell devpts:chr_file rw_file_perms;
allow shell tty_device:chr_file rw_file_perms;
allow shell console_device:chr_file rw_file_perms;
allow shell input_device:dir r_dir_perms;
allow shell input_device:chr_file rw_file_perms;
r_dir_file(shell, system_file)
allow shell system_file:file x_file_perms;
allow shell toolbox_exec:file rx_file_perms;
allow shell shell_exec:file rx_file_perms;
allow shell zygote_exec:file rx_file_perms;

r_dir_file(shell, apk_data_file)

# Set properties.
set_prop(shell, shell_prop)
set_prop(shell, ctl_bugreport_prop)
set_prop(shell, ctl_dumpstate_prop)
set_prop(shell, dumpstate_prop)
set_prop(shell, debug_prop)
set_prop(shell, powerctl_prop)
set_prop(shell, log_tag_prop)
set_prop(shell, wifi_log_prop)
userdebug_or_eng(`set_prop(shell, log_prop)')
userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)')

# systrace support - allow atrace to run
allow shell debugfs_tracing:dir r_dir_perms;
allow shell debugfs_tracing:file rw_file_perms;
allow shell debugfs_trace_marker:file getattr;
allow shell atrace_exec:file rx_file_perms;

userdebug_or_eng(`
  # "systrace --boot" support - allow boottrace service to run
  allow shell boottrace_data_file:dir rw_dir_perms;
  allow shell boottrace_data_file:file create_file_perms;
  set_prop(shell, persist_debug_prop)
')

# allow shell access to services
allow shell servicemanager:service_manager list;
# don't allow shell to access GateKeeper service
# TODO: why is this so broad? Tightening candidate? It needs at list:
# - dumpstate_service (so it can receive dumpstate progress updates)
allow shell { service_manager_type -gatekeeper_service -netd_service}:service_manager find;
allow shell dumpstate:binder call;

# allow shell to look through /proc/ for ps, top, netstat
r_dir_file(shell, proc)
r_dir_file(shell, proc_net)
allow shell proc_interrupts:file r_file_perms;
allow shell proc_meminfo:file r_file_perms;
allow shell proc_stat:file r_file_perms;
allow shell proc_timer:file r_file_perms;
allow shell proc_zoneinfo:file r_file_perms;
r_dir_file(shell, cgroup)
allow shell domain:dir { search open read getattr };
allow shell domain:{ file lnk_file } { open read getattr };

# statvfs() of /proc and other labeled filesystems
# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs)
allow shell { proc labeledfs }:filesystem getattr;

# stat() of /dev
allow shell device:dir getattr;

# allow shell to read /proc/pid/attr/current for ps -Z
allow shell domain:process getattr;

# Allow pulling the SELinux policy for CTS purposes
allow shell selinuxfs:dir r_dir_perms;
allow shell selinuxfs:file r_file_perms;

# enable shell domain to read/write files/dirs for bootchart data
# User will creates the start and stop file via adb shell
# and read other files created by init process under /data/bootchart
allow shell bootchart_data_file:dir rw_dir_perms;
allow shell bootchart_data_file:file create_file_perms;

# Make sure strace works for the non-privileged shell user
allow shell self:process ptrace;

# allow shell to get battery info
allow shell sysfs_batteryinfo:file r_file_perms;
allow shell sysfs:dir r_dir_perms;

# Allow access to ion memory allocation device.
allow shell ion_device:chr_file rw_file_perms;

# Access to /data/media.
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
allow shell media_rw_data_file:dir create_dir_perms;
allow shell media_rw_data_file:file create_file_perms;

#
# filesystem test for insecure chr_file's is done
# via a host side test
#
allow shell dev_type:dir r_dir_perms;
allow shell dev_type:chr_file getattr;

# /dev/fd is a symlink
allow shell proc:lnk_file getattr;

#
# filesystem test for insucre blk_file's is done
# via hostside test
#
allow shell dev_type:blk_file getattr;

###
### Neverallow rules
###

# Do not allow shell to hard link to any files.
# In particular, if shell hard links to app data
# files, installd will not be able to guarantee the deletion
# of the linked to file. Hard links also contribute to security
# bugs, so we want to ensure the shell user never has this
# capability.
neverallow shell file_type:file link;

# Do not allow privileged socket ioctl commands
neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;

# limit shell access to sensitive char drivers to
# only getattr required for host side test.
neverallow shell {
  fuse_device
  hw_random_device
  kmem_device
  port_device
}:chr_file ~getattr;

# Limit shell to only getattr on blk devices for host side tests.
neverallow shell dev_type:blk_file ~getattr;