shell.te: revoke syslog(2) access to shell user

external/toybox commit a583afc812cf7be74ebab72294c8df485908ff04 started having dmesg use /dev/kmsg, which is unreadable to the unprivileged shell user. Revoke syslog(2) to the shell user for consistency. The kernel dmesg log is a source of kernel pointers, which can leak kASLR information from the kernel. Restricting access to kernel information will make attacks against Android more difficult. Having said that, dmesg information is still available from "adb bugreport", so this change doesn't completely shutdown kernel info leaks. This change essentially reverts us to the state we were in between Nov 8 2011 and May 27 2014. During that almost 3 year period, the unprivileged shell user was unable to access dmesg, and there was only one complaint during that time. References: * https://android.googlesource.com/platform/system/core/+/f9557fb * https://android.googlesource.com/platform/system/sepolicy/+/f821b5a TODO: Further unify /dev/kmsg permissions with syslog_read permissions. Test: policy compiles, no dmesg output Change-Id: Icfff6f765055bdbbe85f302b781aed2568ef532f

shell.te: revoke syslog(2) access to shell user
external/toybox commit a583afc812cf7be74ebab72294c8df485908ff04 started having dmesg use /dev/kmsg, which is unreadable to the unprivileged shell user. Revoke syslog(2) to the shell user for consistency. The kernel dmesg log is a source of kernel pointers, which can leak kASLR information from the kernel. Restricting access to kernel information will make attacks against Android more difficult. Having said that, dmesg information is still available from "adb bugreport", so this change doesn't completely shutdown kernel info leaks. This change essentially reverts us to the state we were in between Nov 8 2011 and May 27 2014. During that almost 3 year period, the unprivileged shell user was unable to access dmesg, and there was only one complaint during that time. References: * https://android.googlesource.com/platform/system/core/+/f9557fb * https://android.googlesource.com/platform/system/sepolicy/+/f821b5a TODO: Further unify /dev/kmsg permissions with syslog_read permissions. Test: policy compiles, no dmesg output Change-Id: Icfff6f765055bdbbe85f302b781aed2568ef532f
c9630dc6 · Nick Kralevich · 747c69f4 · c9630dc6 · c9630dc6
Commit c9630dc6 authored 8 years ago by Nick Kralevich
--- a/public/app.te
+++ b/public/app.te
@@ -425,10 +425,7 @@ neverallow appdomain
    proc:dir_file_class_set write;

 # Access to syslog(2) or /proc/kmsg.
-neverallow { appdomain -system_app }
-    kernel:system { syslog_mod syslog_console };
-neverallow { appdomain -system_app -shell }
-    kernel:system syslog_read;
+neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };

 # Ability to perform any filesystem operation other than statfs(2).
 # i.e. no mount(2), unmount(2), etc.

--- a/public/shell.te
+++ b/public/shell.te
@@ -85,9 +85,6 @@ userdebug_or_eng(`
  set_prop(shell, persist_debug_prop)
 ')

-# allow shell to run dmesg
-allow shell kernel:system syslog_read;
-
 # allow shell access to services
 allow shell servicemanager:service_manager list;
 # don't allow shell to access GateKeeper service