android_system_sepolicy/shell.te

# Domain for shell processes spawned by ADB or console service.
type shell, domain, shelldomain, mlstrustedsubject;
type shell_exec, exec_type, file_type;

# Create and use network sockets.
net_domain(shell)

# Run app_process.
# XXX Transition into its own domain?
app_domain(shell)

# logd access
read_logd(shell)
control_logd(shell)

# read files in /data/anr
allow shell anr_data_file:dir r_dir_perms;
allow shell anr_data_file:file r_file_perms;

# inherits from shelldomain.te
Clarify init_shell, shell, and su domain usage. init_shell domain is now only used for shell commands or scripts invoked by init*.rc files, never for an interactive shell. It was being used for console service for a while but console service is now assigned shell domain via seclabel in init.rc. We may want to reconsider the shelldomain rules for init_shell and whether they are still appropriate. shell domain is now used by both adb shell and console service, both of which also run in the shell UID. su domain is now used not only for /system/bin/su but also for adbd and its descendants after an adb root is performed. Change-Id: I502ab98aafab7dafb8920ccaa25e8fde14a8f572 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2014-02-21 10:45:29 -08:00			`# Domain for shell processes spawned by ADB or console service.`
Confine shell domain in -user builds only. Confine the domain for an adb shell in -user builds only. The shell domain in non-user builds is left permissive. init_shell (shell spawned by init, e.g. console service) remains unconfined by this change. Introduce a shelldomain attribute for rules common to all shell domains, assign it to the shell types, and add shelldomain.te for its rules. Change-Id: I01ee2c7ef80b61a9db151abe182ef9af7623c461 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2013-10-23 10:25:53 -07:00			`type shell, domain, shelldomain, mlstrustedsubject;`
Make sure exec_type is assigned to all entrypoint types. Some file types used as domain entrypoints were missing the exec_type attribute. Add it and add a neverallow rule to keep it that way. Change-Id: I7563f3e03940a27ae40ed4d6bb74181c26148849 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2013-09-27 07:38:14 -07:00			`type shell_exec, exec_type, file_type;`
SE Android policy. 2012-01-04 09:33:27 -08:00
Remove ping domain. ping in Android no longer requires any additional privileges beyond the caller. Drop the ping domain and executable file type entirely. Also add net_domain() to shell domain so that it can create and use network sockets. Change-Id: If51734abe572aecf8f510f1a55782159222e5a67 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2014-01-07 09:47:10 -08:00			`# Create and use network sockets.`
			`net_domain(shell)`

SE Android policy. 2012-01-04 09:33:27 -08:00			`# Run app_process.`
Confine shell domain in -user builds only. Confine the domain for an adb shell in -user builds only. The shell domain in non-user builds is left permissive. init_shell (shell spawned by init, e.g. console service) remains unconfined by this change. Introduce a shelldomain attribute for rules common to all shell domains, assign it to the shell types, and add shelldomain.te for its rules. Change-Id: I01ee2c7ef80b61a9db151abe182ef9af7623c461 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2013-10-23 10:25:53 -07:00			`# XXX Transition into its own domain?`
SE Android policy. 2012-01-04 09:33:27 -08:00			`app_domain(shell)`
Restrict the ability to set SELinux enforcing mode to init. Also make su and shell permissive in non-user builds to allow use of setenforce without violating the neverallow rule. Change-Id: Ie76ee04e90d5a76dfaa5f56e9e3eb7e283328a3f Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2013-12-02 11:18:11 -08:00
shell: access to clear logs Bug: 13464830 Change-Id: Ib0a627e6d5c0114d269bb3bf8dc29a945768081d 2014-03-17 13:00:38 -07:00			`# logd access`
			`read_logd(shell)`
			`control_logd(shell)`

Allow adbd / shell /data/anr access The shell user needs to be able to run commands like "cat /data/anr/traces.txt". Allow it. We also need to be able to pull the file via adb. "adb pull /data/anr/traces.txt". Allow it. Addresses the following denials: <4>[ 20.212398] type=1400 audit(1402000262.433:11): avc: denied { getattr } for pid=1479 comm="adbd" path="/data/anr/traces.txt" dev="mmcblk0p28" ino=325763 scontext=u:r:adbd:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file <4>[ 20.252182] type=1400 audit(1402000262.473:12): avc: denied { read } for pid=1479 comm="adbd" name="traces.txt" dev="mmcblk0p28" ino=325763 scontext=u:r:adbd:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file <4>[ 20.252579] type=1400 audit(1402000262.473:13): avc: denied { open } for pid=1479 comm="adbd" name="traces.txt" dev="mmcblk0p28" ino=325763 scontext=u:r:adbd:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file <4>[ 27.104068] type=1400 audit(1402000268.479:14): avc: denied { read } for pid=2377 comm="sh" name="traces.txt" dev="mmcblk0p28" ino=325763 scontext=u:r:shell:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file Bug: 15450720 Change-Id: I767102a7182895112838559b0ade1cd7c14459ab 2014-06-05 13:27:44 -07:00			`# read files in /data/anr`
			`allow shell anr_data_file:dir r_dir_perms;`
			`allow shell anr_data_file:file r_file_perms;`

Confine shell domain in -user builds only. Confine the domain for an adb shell in -user builds only. The shell domain in non-user builds is left permissive. init_shell (shell spawned by init, e.g. console service) remains unconfined by this change. Introduce a shelldomain attribute for rules common to all shell domains, assign it to the shell types, and add shelldomain.te for its rules. Change-Id: I01ee2c7ef80b61a9db151abe182ef9af7623c461 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2013-10-23 10:25:53 -07:00			`# inherits from shelldomain.te`