Commit 42fb824c authored by Stephen Smalley's avatar Stephen Smalley

Refactor the shell domains.


Originally we used the shell domain for ADB shell only and
the init_shell domain for the console service, both transitioned
via automatic domain transitions on sh.  So they originally
shared a common set of rules.  Then init_shell started to be used
for sh commands invoked by init.<board>.rc files, and we switched
the console service to just use the shell domain via seclabel entry
in init.rc.  Even most of the sh command instances in init.<board>.rc
files have been converted to use explicit seclabel options with
more specific domains (one lingering use is touch_fw_update service
in init.grouper.rc).  The primary purpose of init_shell at this point
is just to shed certain permissions from the init domain when init invokes
a shell command.  And init_shell and shell are quite different in
their permission requirements since the former is used now for
uid-0 processes spawned by init whereas the latter is used for
uid-shell processes spawned by adb or init.

Given these differences, drop the shelldomain attribute and take those
rules directly into shell.te.  init_shell was an unconfined_domain(),
so it loses nothing from this change.  Also switch init_shell to
permissive_or_unconfined() so that we can see its actual denials
in the future in userdebug/eng builds.

Change-Id: I6e7e45724d1aa3a6bcce8df676857bc8eef568f0
Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
parent 13d58863
......@@ -316,7 +316,7 @@ neverallow { appdomain -unconfineddomain }
# Access to syslog(2) or /proc/kmsg.
neverallow { appdomain -system_app }
kernel:system { syslog_mod syslog_console };
neverallow { appdomain -system_app -shelldomain }
neverallow { appdomain -system_app -shell }
kernel:system syslog_read;
# Ability to perform any filesystem operation other than statfs(2).
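Review bot: The `-shell` exclusion on the syslog_read neverallow appears to be meaningful only if the shell type carries the appdomain attribute, and the shell declaration elsewhere in this commit (`type shell, domain, mlstrustedsubject;`) does not list it; if nothing else assigns appdomain to shell, the exclusion is a no-op and the rule reduces to `neverallow { appdomain -system_app } kernel:system syslog_read;`. Since shell.te in this same commit explicitly grants `allow shell kernel:system syslog_read;` for dmesg, a comment tying the two together would help the next reader, e.g. `# shell gets syslog_read in shell.te (dmesg); kept excluded here in case it is ever made an appdomain.` Without such a note the exclusion looks like a leftover from the dropped attribute rather than a deliberate choice.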
......
......@@ -50,9 +50,6 @@ attribute mlstrustedobject;
# Domains that are allowed all permissions ("unconfined").
attribute unconfineddomain;
# All domains used for shells.
attribute shelldomain;
# All domains used for apps.
attribute appdomain;
......
......@@ -248,7 +248,7 @@ neverallow {
domain
-appdomain
-dumpstate
-shelldomain
-shell
userdebug_or_eng(`-su')
-system_server
-zygote
......
# Restricted domain for shell processes spawned by init.
# Normally these are shell commands or scripts invoked via sh
# from an init*.rc file. No service should ever run in this domain.
type init_shell, domain, shelldomain;
type init_shell, domain;
domain_auto_trans(init, shell_exec, init_shell)
unconfined_domain(init_shell)
# inherits from shelldomain.te
permissive_or_unconfined(init_shell)
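Review bot: The header comment `# Restricted domain for shell processes spawned by init.` no longer describes the domain's enforcement: with `permissive_or_unconfined(init_shell)` the domain is, per the commit message, permissive on userdebug/eng builds (denials are audited, not enforced) and unconfined otherwise, so a uid-0 shell spawned by init is effectively unrestricted in every build. Suggest saying so in the header so that "Restricted" is not read as a guarantee, e.g. `# NOTE: currently permissive_or_unconfined — userdebug/eng denials are audit-only; no effective confinement yet.` The file header for this section is not shown on the page, so the hunk boundaries are inferred from the visible lines.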
# Domain for shell processes spawned by ADB or console service.
type shell, domain, shelldomain, mlstrustedsubject;
type shell, domain, mlstrustedsubject;
type shell_exec, exec_type, file_type;
# Create and use network sockets.
......@@ -17,4 +17,38 @@ control_logd(shell)
allow shell anr_data_file:dir r_dir_perms;
allow shell anr_data_file:file r_file_perms;
# inherits from shelldomain.te
# Access /data/local/tmp.
allow shell shell_data_file:dir create_dir_perms;
allow shell shell_data_file:file create_file_perms;
allow shell shell_data_file:file rx_file_perms;
# adb bugreport
unix_socket_connect(shell, dumpstate, dumpstate)
allow shell rootfs:dir r_dir_perms;
allow shell devpts:chr_file rw_file_perms;
allow shell tty_device:chr_file rw_file_perms;
allow shell console_device:chr_file rw_file_perms;
allow shell input_device:chr_file rw_file_perms;
allow shell system_file:file x_file_perms;
allow shell shell_exec:file rx_file_perms;
allow shell zygote_exec:file rx_file_perms;
r_dir_file(shell, apk_data_file)
# Set properties.
unix_socket_connect(shell, property, init)
allow shell shell_prop:property_service set;
allow shell ctl_dumpstate_prop:property_service set;
allow shell debug_prop:property_service set;
allow shell powerctl_prop:property_service set;
# systrace support - allow atrace to run
# debugfs doesn't support labeling individual files, so we have
# to grant read access to all of /sys/kernel/debug.
# Directory read access and file write access is already granted
# in domain.te.
allow shell debugfs:file r_file_perms;
# allow shell to run dmesg
allow shell kernel:system syslog_read;
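Review bot: The rules moved in from shelldomain.te keep the combined write-plus-execute grant on shell_data_file (`allow shell shell_data_file:file create_file_perms;` followed by `allow shell shell_data_file:file rx_file_perms;`), but the only explanation is `# Access /data/local/tmp.`; now that shell is the sole holder of these rules, the reason both permissions are needed belongs next to them, e.g. `# /data/local/tmp: shell both creates and executes files here — confirm the use case before tightening.` The debugfs comment also refers to access "already granted in domain.te", which this commit does not show, so that cross-reference should be re-checked rather than copied forward unverified. Replacing the removed `# inherits from shelldomain.te` marker with `# Rules below were moved verbatim from the former shelldomain.te.` would preserve the history pointer for future audits.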
# Rules for all shell domains (e.g. console service and adb shell).
# Access /data/local/tmp.
allow shelldomain shell_data_file:dir create_dir_perms;
allow shelldomain shell_data_file:file create_file_perms;
allow shelldomain shell_data_file:file rx_file_perms;
# adb bugreport
unix_socket_connect(shelldomain, dumpstate, dumpstate)
allow shelldomain rootfs:dir r_dir_perms;
allow shelldomain devpts:chr_file rw_file_perms;
allow shelldomain tty_device:chr_file rw_file_perms;
allow shelldomain console_device:chr_file rw_file_perms;
allow shelldomain input_device:chr_file rw_file_perms;
allow shelldomain system_file:file x_file_perms;
allow shelldomain shell_exec:file rx_file_perms;
allow shelldomain zygote_exec:file rx_file_perms;
r_dir_file(shelldomain, apk_data_file)
# Set properties.
unix_socket_connect(shelldomain, property, init)
allow shelldomain shell_prop:property_service set;
allow shelldomain ctl_dumpstate_prop:property_service set;
allow shelldomain debug_prop:property_service set;
allow shelldomain powerctl_prop:property_service set;
# systrace support - allow atrace to run
# debugfs doesn't support labeling individual files, so we have
# to grant read access to all of /sys/kernel/debug.
# Directory read access and file write access is already granted
# in domain.te.
allow shelldomain debugfs:file r_file_perms;
# allow shell to run dmesg
allow shelldomain kernel:system syslog_read;