From c9630dc6a1bdf918ffb8ea6853327f2abf4fe11e Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Wed, 16 Nov 2016 10:22:51 -0800
Subject: [PATCH] shell.te: revoke syslog(2) access to shell user

external/toybox commit a583afc812cf7be74ebab72294c8df485908ff04 started
having dmesg use /dev/kmsg, which is unreadable to the unprivileged
shell user. Revoke syslog(2) to the shell user for consistency.

The kernel dmesg log is a source of kernel pointers, which can leak
kASLR information from the kernel. Restricting access to kernel
information will make attacks against Android more difficult. Having
said that, dmesg information is still available from "adb bugreport", so
this change doesn't completely shut down kernel info leaks.

This change essentially reverts us to the state we were in between Nov 8
2011 and May 27 2014. During that almost 3 year period, the unprivileged
shell user was unable to access dmesg, and there was only one complaint
during that time.

References:
* https://android.googlesource.com/platform/system/core/+/f9557fb
* https://android.googlesource.com/platform/system/sepolicy/+/f821b5a

TODO: Further unify /dev/kmsg permissions with syslog_read permissions.

Test: policy compiles, no dmesg output
Change-Id: Icfff6f765055bdbbe85f302b781aed2568ef532f
---
 public/app.te   | 5 +----
 public/shell.te | 3 ---
 2 files changed, 1 insertion(+), 7 deletions(-)

diff --git a/public/app.te b/public/app.te
index 6cb3382cc..7f51574b3 100644
--- a/public/app.te
+++ b/public/app.te
@@ -425,10 +425,7 @@ neverallow appdomain
     proc:dir_file_class_set write;
 
 # Access to syslog(2) or /proc/kmsg.
-neverallow { appdomain -system_app }
-    kernel:system { syslog_mod syslog_console };
-neverallow { appdomain -system_app -shell }
-    kernel:system syslog_read;
+neverallow appdomain kernel:system { syslog_read syslog_mod syslog_console };
 
 # Ability to perform any filesystem operation other than statfs(2).
 # i.e. no mount(2), unmount(2), etc.
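Review bot: The collapsed neverallow on the new line also drops the `-system_app` exemption that both old rules carried (for syslog_mod and syslog_console as well as syslog_read), while the subject and description only speak of the shell user; the `-shell` exemption in the old syslog_read rule suggests shell is itself an appdomain, so the one-line form is what revokes it, but system_app losing its carve-out is an undocumented side effect. Since "policy compiles" is the stated test, no system_app allow rule for these permissions can exist today, so the change is presumably safe, but the intent should be recorded next to the rule so a future system_app grant is rejected deliberately rather than by surprise, e.g. `# Access to syslog(2) or /proc/kmsg. No app domain, including system_app and shell, may read or modify the kernel log (it exposes kernel pointers).` The same intent could be added to the commit description.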
diff --git a/public/shell.te b/public/shell.te
index 0e747b73f..b00c9efd4 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -85,9 +85,6 @@ userdebug_or_eng(`
   set_prop(shell, persist_debug_prop)
 ')
 
-# allow shell to run dmesg
-allow shell kernel:system syslog_read;
-
 # allow shell access to services
 allow shell servicemanager:service_manager list;
 # don't allow shell to access GateKeeper service
-- 
GitLab