From 712ca0a4d5c3ff77179da2544aafd6eb8e5a70c2 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Wed, 23 Oct 2013 13:25:53 -0400
Subject: [PATCH] Confine shell domain in -user builds only.

Confine the domain for an adb shell in -user builds only.
The shell domain in non-user builds is left permissive.
init_shell (shell spawned by init, e.g.  console service)
remains unconfined by this change.
Introduce a shelldomain attribute for rules common to all shell
domains, assign it to the shell types, and add shelldomain.te for
its rules.

Change-Id: I01ee2c7ef80b61a9db151abe182ef9af7623c461
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 attributes     |  3 +++
 domain.te      | 13 ++++++++-----
 init_shell.te  |  4 +++-
 shell.te       | 16 ++++------------
 shell_user.te  | 11 +++--------
 shelldomain.te | 40 ++++++++++++++++++++++++++++++++++++++++
 6 files changed, 61 insertions(+), 26 deletions(-)
 create mode 100644 shelldomain.te

diff --git a/attributes b/attributes
index 6123d6c1b..bbc3d922b 100644
--- a/attributes
+++ b/attributes
@@ -50,6 +50,9 @@ attribute mlstrustedobject;
 # Domains that are allowed all permissions ("unconfined").
 attribute unconfineddomain;
 
+# All domains used for shells.
+attribute shelldomain;
+
 # All domains used for apps.
 attribute appdomain;
 
diff --git a/domain.te b/domain.te
index 3628f3236..d0e3ff43a 100644
--- a/domain.te
+++ b/domain.te
@@ -39,11 +39,11 @@ allow domain init:unix_stream_socket connectto;
 # Root fs.
 allow domain rootfs:dir r_dir_perms;
 allow domain rootfs:file r_file_perms;
-allow domain rootfs:lnk_file { read getattr };
+allow domain rootfs:lnk_file r_file_perms;
 
 # Device accesses.
 allow domain device:dir search;
-allow domain dev_type:lnk_file read;
+allow domain dev_type:lnk_file r_file_perms;
 allow domain devpts:dir search;
 allow domain device:file read;
 allow domain socket_device:dir search;
@@ -69,12 +69,12 @@ allow domain fs_type:dir getattr;
 allow domain system_file:dir r_dir_perms;
 allow domain system_file:file r_file_perms;
 allow domain system_file:file execute;
-allow domain system_file:lnk_file read;
+allow domain system_file:lnk_file r_file_perms;
 
 # Read files already opened under /data.
 allow domain system_data_file:dir { search getattr };
 allow domain system_data_file:file { getattr read };
-allow domain system_data_file:lnk_file read;
+allow domain system_data_file:lnk_file r_file_perms;
 
 # Read apk files under /data/app.
 allow domain apk_data_file:dir { getattr search };
@@ -87,7 +87,7 @@ allow domain dalvikcache_data_file:file r_file_perms;
 # Read already opened /cache files.
 allow domain cache_file:dir r_dir_perms;
 allow domain cache_file:file { getattr read };
-allow domain cache_file:lnk_file read;
+allow domain cache_file:lnk_file r_file_perms;
 
 # Read timezone related information
 r_dir_file(domain, zoneinfo_data_file)
@@ -110,6 +110,9 @@ r_dir_file(domain, cgroup)
 allow domain debugfs:dir r_dir_perms;
 allow domain debugfs:file w_file_perms;
 
+# Get SELinux enforcing status.
+selinux_getenforce(domain)
+
 # security files
 allow domain security_file:dir { search getattr };
 allow domain security_file:file getattr;
diff --git a/init_shell.te b/init_shell.te
index 696a6dcac..8ff5c488f 100644
--- a/init_shell.te
+++ b/init_shell.te
@@ -1,4 +1,6 @@
 # Restricted domain for shell processes spawned by init
-type init_shell, domain;
+type init_shell, domain, shelldomain;
 domain_auto_trans(init, shell_exec, init_shell)
 unconfined_domain(init_shell)
+
+# inherits from shelldomain.te
diff --git a/shell.te b/shell.te
index 17031b974..9fd7c6d30 100644
--- a/shell.te
+++ b/shell.te
@@ -1,20 +1,12 @@
 # Domain for shell processes spawned by ADB
-type shell, domain;
+type shell, domain, shelldomain, mlstrustedsubject;
 type shell_exec, exec_type, file_type;
-unconfined_domain(shell)
 
 # Run app_process.
-# XXX Split into its own domain?
+# XXX Transition into its own domain?
 app_domain(shell)
 
-# shell is also permissive to permit setenforce.
+# userdebug/eng shell is also permissive to permit setenforce.
 permissive shell;
 
-# ndk-gdb invokes adb shell ps to find the app PID.
-r_dir_file(shell, non_system_app_set)
-
-# ndk-gdb invokes adb shell ls to check the app data dir.
-allow shell app_data_file:dir search;
-
-# ndk-gdb invokes adb shell kill -9 to kill the gdbserver.
-allow shell non_system_app_set:process sigkill;
+# inherits from shelldomain.te
diff --git a/shell_user.te b/shell_user.te
index 1eccbd6fe..27a5cd095 100644
--- a/shell_user.te
+++ b/shell_user.te
@@ -1,14 +1,9 @@
 # Domain for shell processes spawned by ADB
-type shell, domain;
+type shell, domain, shelldomain, mlstrustedsubject;
 type shell_exec, exec_type, file_type;
-unconfined_domain(shell)
 
 # Run app_process.
-# XXX Split into its own domain?
+# XXX Transition into its own domain?
 app_domain(shell)
 
-# ndk-gdb invokes adb shell ps to find the app PID.
-r_dir_file(shell, non_system_app_set)
-
-# ndk-gdb invokes adb shell ls to check the app data dir.
-allow shell app_data_file:dir search;
+# inherits from shelldomain.te
diff --git a/shelldomain.te b/shelldomain.te
new file mode 100644
index 000000000..408e9daa3
--- /dev/null
+++ b/shelldomain.te
@@ -0,0 +1,40 @@
+# Rules for all shell domains (e.g. console service and adb shell).
+
+# Access /data/local/tmp.
+allow shelldomain shell_data_file:dir create_dir_perms;
+allow shelldomain shell_data_file:file create_file_perms;
+allow shelldomain shell_data_file:file rx_file_perms;
+
+# Access sdcard.
+allow shelldomain sdcard_type:dir rw_dir_perms;
+allow shelldomain sdcard_type:file create_file_perms;
+
+# adb bugreport
+unix_socket_connect(shelldomain, dumpstate, dumpstate)
+
+allow shelldomain rootfs:dir r_dir_perms;
+allow shelldomain devpts:chr_file rw_file_perms;
+allow shelldomain tty_device:chr_file rw_file_perms;
+allow shelldomain console_device:chr_file rw_file_perms;
+allow shelldomain input_device:chr_file rw_file_perms;
+allow shelldomain system_file:file x_file_perms;
+allow shelldomain shell_exec:file rx_file_perms;
+allow shelldomain zygote_exec:file rx_file_perms;
+
+r_dir_file(shelldomain, apk_data_file)
+allow shelldomain dalvikcache_data_file:file { write setattr };
+
+# Set properties.
+unix_socket_connect(shelldomain, property, init)
+allow shelldomain shell_prop:property_service set;
+allow shelldomain ctl_dumpstate_prop:property_service set;
+
+# ndk-gdb invokes adb shell ps to find the app PID.
+r_dir_file(shelldomain, non_system_app_set)
+
+# ndk-gdb invokes adb shell ls to check the app data dir.
+allow shelldomain app_data_file:dir search;
+
+# ps and ps -Z output for app processes.
+r_dir_file(shelldomain, appdomain)
+allow shelldomain appdomain:process getattr;
-- 
GitLab