PWN-Hunter/android_system_sepolicy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
618efe8cd3
android_system_sepolicy/shell.te

86 lines
2.9 KiB
Plaintext
Raw Normal View History

Clarify init_shell, shell, and su domain usage. init_shell domain is now only used for shell commands or scripts invoked by init*.rc files, never for an interactive shell. It was being used for console service for a while but console service is now assigned shell domain via seclabel in init.rc. We may want to reconsider the shelldomain rules for init_shell and whether they are still appropriate. shell domain is now used by both adb shell and console service, both of which also run in the shell UID. su domain is now used not only for /system/bin/su but also for adbd and its descendants after an adb root is performed. Change-Id: I502ab98aafab7dafb8920ccaa25e8fde14a8f572 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-21 10:45:29 -08:00
# Domain for shell processes spawned by ADB or console service.
Refactor the shell domains. Originally we used the shell domain for ADB shell only and the init_shell domain for the console service, both transitioned via automatic domain transitions on sh. So they originally shared a common set of rules. Then init_shell started to be used for sh commands invoked by init.<board>.rc files, and we switched the console service to just use the shell domain via seclabel entry in init.rc. Even most of the sh command instances in init.<board>.rc files have been converted to use explicit seclabel options with more specific domains (one lingering use is touch_fw_update service in init.grouper.rc). The primary purpose of init_shell at this point is just to shed certain permissions from the init domain when init invokes a shell command. And init_shell and shell are quite different in their permission requirements since the former is used now for uid-0 processes spawned by init whereas the latter is used for uid-shell processes spawned by adb or init. Given these differences, drop the shelldomain attribute and take those rules directly into shell.te. init_shell was an unconfined_domain(), so it loses nothing from this change. Also switch init_shell to permissive_or_unconfined() so that we can see its actual denials in the future in userdebug/eng builds. Change-Id: I6e7e45724d1aa3a6bcce8df676857bc8eef568f0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-11 04:10:09 -07:00
type shell, domain, mlstrustedsubject;
Make sure exec_type is assigned to all entrypoint types. Some file types used as domain entrypoints were missing the exec_type attribute. Add it and add a neverallow rule to keep it that way. Change-Id: I7563f3e03940a27ae40ed4d6bb74181c26148849 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-09-27 07:38:14 -07:00
type shell_exec, exec_type, file_type;
SE Android policy.
2012-01-04 09:33:27 -08:00
Remove ping domain. ping in Android no longer requires any additional privileges beyond the caller. Drop the ping domain and executable file type entirely. Also add net_domain() to shell domain so that it can create and use network sockets. Change-Id: If51734abe572aecf8f510f1a55782159222e5a67 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-07 09:47:10 -08:00
# Create and use network sockets.
net_domain(shell)
SE Android policy.
2012-01-04 09:33:27 -08:00
# Run app_process.
Confine shell domain in -user builds only. Confine the domain for an adb shell in -user builds only. The shell domain in non-user builds is left permissive. init_shell (shell spawned by init, e.g. console service) remains unconfined by this change. Introduce a shelldomain attribute for rules common to all shell domains, assign it to the shell types, and add shelldomain.te for its rules. Change-Id: I01ee2c7ef80b61a9db151abe182ef9af7623c461 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-10-23 10:25:53 -07:00
# XXX Transition into its own domain?
SE Android policy.
2012-01-04 09:33:27 -08:00
app_domain(shell)
Restrict the ability to set SELinux enforcing mode to init. Also make su and shell permissive in non-user builds to allow use of setenforce without violating the neverallow rule. Change-Id: Ie76ee04e90d5a76dfaa5f56e9e3eb7e283328a3f Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2013-12-02 11:18:11 -08:00
selinux: add pstore Used to record the Android log messages, then on reboot provide a means to triage user-space actitivies leading up to a panic. A companion to the pstore console logs. Change-Id: I9b94ee3d5e94e0c4590ba8453b4ac1ebdfc7603f
2014-12-15 12:01:35 -08:00
# logcat
shell: access to clear logs Bug: 13464830 Change-Id: Ib0a627e6d5c0114d269bb3bf8dc29a945768081d
2014-03-17 13:00:38 -07:00
read_logd(shell)
control_logd(shell)
selinux: add pstore Used to record the Android log messages, then on reboot provide a means to triage user-space actitivies leading up to a panic. A companion to the pstore console logs. Change-Id: I9b94ee3d5e94e0c4590ba8453b4ac1ebdfc7603f
2014-12-15 12:01:35 -08:00
# logcat -L (directly, or via dumpstate)
allow shell pstorefs:dir search;
allow shell pstorefs:file r_file_perms;
shell: access to clear logs Bug: 13464830 Change-Id: Ib0a627e6d5c0114d269bb3bf8dc29a945768081d
2014-03-17 13:00:38 -07:00
Allow adbd / shell /data/anr access The shell user needs to be able to run commands like "cat /data/anr/traces.txt". Allow it. We also need to be able to pull the file via adb. "adb pull /data/anr/traces.txt". Allow it. Addresses the following denials: <4>[ 20.212398] type=1400 audit(1402000262.433:11): avc: denied { getattr } for pid=1479 comm="adbd" path="/data/anr/traces.txt" dev="mmcblk0p28" ino=325763 scontext=u:r:adbd:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file <4>[ 20.252182] type=1400 audit(1402000262.473:12): avc: denied { read } for pid=1479 comm="adbd" name="traces.txt" dev="mmcblk0p28" ino=325763 scontext=u:r:adbd:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file <4>[ 20.252579] type=1400 audit(1402000262.473:13): avc: denied { open } for pid=1479 comm="adbd" name="traces.txt" dev="mmcblk0p28" ino=325763 scontext=u:r:adbd:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file <4>[ 27.104068] type=1400 audit(1402000268.479:14): avc: denied { read } for pid=2377 comm="sh" name="traces.txt" dev="mmcblk0p28" ino=325763 scontext=u:r:shell:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file Bug: 15450720 Change-Id: I767102a7182895112838559b0ade1cd7c14459ab
2014-06-05 13:27:44 -07:00
# read files in /data/anr
allow shell anr_data_file:dir r_dir_perms;
allow shell anr_data_file:file r_file_perms;
Refactor the shell domains. Originally we used the shell domain for ADB shell only and the init_shell domain for the console service, both transitioned via automatic domain transitions on sh. So they originally shared a common set of rules. Then init_shell started to be used for sh commands invoked by init.<board>.rc files, and we switched the console service to just use the shell domain via seclabel entry in init.rc. Even most of the sh command instances in init.<board>.rc files have been converted to use explicit seclabel options with more specific domains (one lingering use is touch_fw_update service in init.grouper.rc). The primary purpose of init_shell at this point is just to shed certain permissions from the init domain when init invokes a shell command. And init_shell and shell are quite different in their permission requirements since the former is used now for uid-0 processes spawned by init whereas the latter is used for uid-shell processes spawned by adb or init. Given these differences, drop the shelldomain attribute and take those rules directly into shell.te. init_shell was an unconfined_domain(), so it loses nothing from this change. Also switch init_shell to permissive_or_unconfined() so that we can see its actual denials in the future in userdebug/eng builds. Change-Id: I6e7e45724d1aa3a6bcce8df676857bc8eef568f0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-11 04:10:09 -07:00
# Access /data/local/tmp.
allow shell shell_data_file:dir create_dir_perms;
allow shell shell_data_file:file create_file_perms;
allow shell shell_data_file:file rx_file_perms;
add permissions for adb shell to create symlinks in /data/local/tmp Bug: 18485243 Change-Id: Ic17baa0767ee1f1a27a3338558b86482ca92765e
2014-12-09 23:49:31 -08:00
allow shell shell_data_file:lnk_file create_file_perms;
Refactor the shell domains. Originally we used the shell domain for ADB shell only and the init_shell domain for the console service, both transitioned via automatic domain transitions on sh. So they originally shared a common set of rules. Then init_shell started to be used for sh commands invoked by init.<board>.rc files, and we switched the console service to just use the shell domain via seclabel entry in init.rc. Even most of the sh command instances in init.<board>.rc files have been converted to use explicit seclabel options with more specific domains (one lingering use is touch_fw_update service in init.grouper.rc). The primary purpose of init_shell at this point is just to shed certain permissions from the init domain when init invokes a shell command. And init_shell and shell are quite different in their permission requirements since the former is used now for uid-0 processes spawned by init whereas the latter is used for uid-shell processes spawned by adb or init. Given these differences, drop the shelldomain attribute and take those rules directly into shell.te. init_shell was an unconfined_domain(), so it loses nothing from this change. Also switch init_shell to permissive_or_unconfined() so that we can see its actual denials in the future in userdebug/eng builds. Change-Id: I6e7e45724d1aa3a6bcce8df676857bc8eef568f0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-11 04:10:09 -07:00
# adb bugreport
unix_socket_connect(shell, dumpstate, dumpstate)
allow shell devpts:chr_file rw_file_perms;
allow shell tty_device:chr_file rw_file_perms;
allow shell console_device:chr_file rw_file_perms;
Allow shell to read/search /dev/input directory. Resolves denials such as: avc: denied { read } for pid=16758 comm="getevent" name="input" dev="tmpfs" ino=6018 scontext=u:r:shell:s0 tcontext=u:object_r:input_device:s0 tclass=dir Change-Id: I709bd20a03a5271382b191393d55a34b0b8e4e0c Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-11 09:09:15 -07:00
allow shell input_device:dir r_dir_perms;
Refactor the shell domains. Originally we used the shell domain for ADB shell only and the init_shell domain for the console service, both transitioned via automatic domain transitions on sh. So they originally shared a common set of rules. Then init_shell started to be used for sh commands invoked by init.<board>.rc files, and we switched the console service to just use the shell domain via seclabel entry in init.rc. Even most of the sh command instances in init.<board>.rc files have been converted to use explicit seclabel options with more specific domains (one lingering use is touch_fw_update service in init.grouper.rc). The primary purpose of init_shell at this point is just to shed certain permissions from the init domain when init invokes a shell command. And init_shell and shell are quite different in their permission requirements since the former is used now for uid-0 processes spawned by init whereas the latter is used for uid-shell processes spawned by adb or init. Given these differences, drop the shelldomain attribute and take those rules directly into shell.te. init_shell was an unconfined_domain(), so it loses nothing from this change. Also switch init_shell to permissive_or_unconfined() so that we can see its actual denials in the future in userdebug/eng builds. Change-Id: I6e7e45724d1aa3a6bcce8df676857bc8eef568f0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-11 04:10:09 -07:00
allow shell input_device:chr_file rw_file_perms;
allow shell system_file:file x_file_perms;
allow shell shell_exec:file rx_file_perms;
allow shell zygote_exec:file rx_file_perms;
r_dir_file(shell, apk_data_file)
# Set properties.
unix_socket_connect(shell, property, init)
allow shell shell_prop:property_service set;
allow shell ctl_dumpstate_prop:property_service set;
allow shell debug_prop:property_service set;
allow shell powerctl_prop:property_service set;
# systrace support - allow atrace to run
# debugfs doesn't support labeling individual files, so we have
# to grant read access to all of /sys/kernel/debug.
# Directory read access and file write access is already granted
# in domain.te.
allow shell debugfs:file r_file_perms;
# allow shell to run dmesg
allow shell kernel:system syslog_read;
Allow dumpstate and shell to list services. Addresses the following denials: avc: denied { list } for service=NULL scontext=u:r:shell:s0 tcontext=u:r:servicemanager:s0 tclass=service_manager avc: denied { list } for service=NULL scontext=u:r:dumpstate:s0 tcontext=u:r:servicemanager:s0 tclass=service_manager Bug: 18864737 Change-Id: I72bd2cd9663f1df9410c2139411038fa997bf1b4
2014-12-30 15:21:50 -08:00
Allow shell to find all services. dumpsys from shell results in many denials: 11-08 02:52:13.087 171 171 E SELinux : avc: denied { find } for service=SurfaceFlinger scontext=u:r:shell:s0 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager 11-08 02:52:13.089 171 171 E SELinux : avc: denied { find } for service=android.security.keystore scontext=u:r:shell:s0 tcontext=u:object_r:keystore_service:s0 tclass=service_manager 11-08 02:52:13.093 171 171 E SELinux : avc: denied { find } for service=batteryproperties scontext=u:r:shell:s0 tcontext=u:object_r:healthd_service:s0 tclass=service_manager 11-08 02:52:13.103 171 171 E SELinux : avc: denied { find } for service=display.qservice scontext=u:r:shell:s0 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager 11-08 02:52:13.104 171 171 E SELinux : avc: denied { find } for service=drm.drmManager scontext=u:r:shell:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager 11-08 02:52:13.113 171 171 E SELinux : avc: denied { find } for service=media.audio_flinger scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager 11-08 02:52:13.113 171 171 E SELinux : avc: denied { find } for service=media.audio_policy scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager 11-08 02:52:13.113 171 171 E SELinux : avc: denied { find } for service=media.camera scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager 11-08 02:52:13.114 171 171 E SELinux : avc: denied { find } for service=media.player scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager 11-08 02:52:13.114 171 171 E SELinux : avc: denied { find } for service=media.sound_trigger_hw scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager 11-08 02:52:13.118 171 171 E SELinux : avc: denied { find } for service=nfc scontext=u:r:shell:s0 tcontext=u:object_r:nfc_service:s0 tclass=service_manager 11-08 02:52:13.130 171 171 E SELinux : avc: denied { find } for service=SurfaceFlinger scontext=u:r:shell:s0 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager 11-08 02:52:13.379 171 171 E SELinux : avc: denied { find } for service=android.security.keystore scontext=u:r:shell:s0 tcontext=u:object_r:keystore_service:s0 tclass=service_manager 11-08 02:52:13.388 171 171 E SELinux : avc: denied { find } for service=batteryproperties scontext=u:r:shell:s0 tcontext=u:object_r:healthd_service:s0 tclass=service_manager 11-08 02:52:13.574 171 171 E SELinux : avc: denied { find } for service=display.qservice scontext=u:r:shell:s0 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager 11-08 02:52:13.576 171 171 E SELinux : avc: denied { find } for service=drm.drmManager scontext=u:r:shell:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager 11-08 02:52:13.712 171 171 E SELinux : avc: denied { find } for service=media.audio_flinger scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager 11-08 02:52:13.712 171 171 E SELinux : avc: denied { find } for service=media.audio_policy scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager 11-08 02:52:13.713 171 171 E SELinux : avc: denied { find } for service=media.camera scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager 11-08 02:52:13.713 171 171 E SELinux : avc: denied { find } for service=media.player scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager 11-08 02:52:13.713 171 171 E SELinux : avc: denied { find } for service=media.sound_trigger_hw scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager Bug: 18799966 Change-Id: Id2bf69230338ac9dd45dc5d70f419fa41056e4fc
2015-01-23 15:55:42 -08:00
# allow shell access to services
Allow dumpstate and shell to list services. Addresses the following denials: avc: denied { list } for service=NULL scontext=u:r:shell:s0 tcontext=u:r:servicemanager:s0 tclass=service_manager avc: denied { list } for service=NULL scontext=u:r:dumpstate:s0 tcontext=u:r:servicemanager:s0 tclass=service_manager Bug: 18864737 Change-Id: I72bd2cd9663f1df9410c2139411038fa997bf1b4
2014-12-30 15:21:50 -08:00
allow shell servicemanager:service_manager list;
SELinux permissions for gatekeeper TEE proxy sets up: - execute permissions - binder permission (system_server->gatekeeper->keystore) - prevents dumpstate and shell from finding GK binder service - neverallow rules for prohibited clients Change-Id: I1817933a91de625db469a20c7a4c8e2ca46efa1e
2015-04-03 16:46:33 -07:00
# don't allow shell to access GateKeeper service
allow shell { service_manager_type -gatekeeper_service }:service_manager find;
Record observed system_server servicemanager service requests. Also formally allow dumpstate access to all services and grant system_server access to address the following non-system_server_service entries: avc: granted { find } for service=drm.drmManager scontext=u:r:system_server:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager avc: granted { find } for service=nfc scontext=u:r:system_server:s0 tcontext=u:object_r:nfc_service:s0 tclass=service_manager Bug: 18106000 Change-Id: Iad16b36acf44bce52c4824f8b53c0e7731c25602
2015-03-03 11:20:15 -08:00
service_manager_local_audit_domain(shell)
Allow shell to read /proc. Grant shell read access to /proc taken away by commit: 0d3f7ddc70572382edec58841b3d6262abf49f49 Addresses the following denials encountered when running ps or top. Bug: 18799966 Change-Id: If764adeade562d884c3d710f1cd1cb34011efe89
2015-01-16 13:39:59 -08:00
# allow shell to look through /proc/ for ps, top
allow shell domain:dir { search open read getattr };
allow shell domain:{ file lnk_file } { open read getattr };
bootchart: add policy rules for bootchart allow the bootchart to create dir and files at init, also allow user to create the stop and start file under /data/bootchart directory to start and stop bootchart Change-Id: Icfee8dcd17366383eef00fbe3139744bf4427a6b Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
2014-12-04 21:40:22 -08:00
Allow shell to read /proc/pid/attr/current for ps -Z. Needed since Iff1e601e1268d4d77f64788d733789a2d2cd18cc removed it from appdomain. Change-Id: I9fc08b525b9868f0fb703b99b0c0c17ca8b656f9 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-03-16 08:43:22 -07:00
# allow shell to read /proc/pid/attr/current for ps -Z
allow shell domain:process getattr;
bootchart: add policy rules for bootchart allow the bootchart to create dir and files at init, also allow user to create the stop and start file under /data/bootchart directory to start and stop bootchart Change-Id: Icfee8dcd17366383eef00fbe3139744bf4427a6b Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
2014-12-04 21:40:22 -08:00
# enable shell domain to read/write files/dirs for bootchart data
# User will creates the start and stop file via adb shell
# and read other files created by init process under /data/bootchart
allow shell bootchart_data_file:dir rw_dir_perms;
allow shell bootchart_data_file:file create_file_perms;
neverallow shell file_type:file link Change-Id: I77ce4331d70edebcecc753b2e67ffab1de3ae98e
2015-04-16 08:43:10 -07:00
# Do not allow shell to hard link to any files.
# In particular, if shell hard links to app data
# files, installd will not be able to guarantee the deletion
# of the linked to file. Hard links also contribute to security
# bugs, so we want to ensure the shell user never has this
# capability.
neverallow shell file_type:file link;
Reference in New Issue Copy Permalink