PWN-Hunter/android_system_sepolicy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
7eb9143e46
android_system_sepolicy/public/shell.te

250 lines
7.6 KiB
Plaintext
Raw Normal View History

Clarify init_shell, shell, and su domain usage. init_shell domain is now only used for shell commands or scripts invoked by init*.rc files, never for an interactive shell. It was being used for console service for a while but console service is now assigned shell domain via seclabel in init.rc. We may want to reconsider the shelldomain rules for init_shell and whether they are still appropriate. shell domain is now used by both adb shell and console service, both of which also run in the shell UID. su domain is now used not only for /system/bin/su but also for adbd and its descendants after an adb root is performed. Change-Id: I502ab98aafab7dafb8920ccaa25e8fde14a8f572 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-02-21 10:45:29 -08:00
# Domain for shell processes spawned by ADB or console service.
Remove domain_deprecated from adbd and shell The extra permissions are not needed. Delete them. This change also adds read permission for /data/misc/zoneinfo back to all domains. libc refernces this directory for timezone related files, and it feels dangerous and of little value to try to restrict access. In particular, this causes problems when the shell user attempts to run "ls -la" to show file time stamps in the correct timezone. Bug: 25433265 Change-Id: I666bb460e440515151e3bf46fe2e0ac0e7c99f46
2015-11-27 19:18:17 -08:00
type shell, domain, mlstrustedsubject;
Introduce system_file_type system_file_type is a new attribute used to identify files which exist on the /system partition. It's useful for allow rules in init, which are based off of a blacklist of writable files. Additionally, it's useful for constructing neverallow rules to prevent regressions. Additionally, add commented out tests which enforce that all files on the /system partition have the system_file_type attribute. These tests will be uncommented in a future change after all the device-specific policies are cleaned up. Test: Device boots and no obvious problems. Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5
2018-09-27 10:21:37 -07:00
type shell_exec, system_file_type, exec_type, file_type;
SE Android policy.
2012-01-04 09:33:27 -08:00
Remove ping domain. ping in Android no longer requires any additional privileges beyond the caller. Drop the ping domain and executable file type entirely. Also add net_domain() to shell domain so that it can create and use network sockets. Change-Id: If51734abe572aecf8f510f1a55782159222e5a67 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-01-07 09:47:10 -08:00
# Create and use network sockets.
net_domain(shell)
selinux: add pstore Used to record the Android log messages, then on reboot provide a means to triage user-space actitivies leading up to a panic. A companion to the pstore console logs. Change-Id: I9b94ee3d5e94e0c4590ba8453b4ac1ebdfc7603f
2014-12-15 12:01:35 -08:00
# logcat
shell: access to clear logs Bug: 13464830 Change-Id: Ib0a627e6d5c0114d269bb3bf8dc29a945768081d
2014-03-17 13:00:38 -07:00
read_logd(shell)
control_logd(shell)
selinux: add pstore Used to record the Android log messages, then on reboot provide a means to triage user-space actitivies leading up to a panic. A companion to the pstore console logs. Change-Id: I9b94ee3d5e94e0c4590ba8453b4ac1ebdfc7603f
2014-12-15 12:01:35 -08:00
# logcat -L (directly, or via dumpstate)
allow shell pstorefs:dir search;
allow shell pstorefs:file r_file_perms;
shell: access to clear logs Bug: 13464830 Change-Id: Ib0a627e6d5c0114d269bb3bf8dc29a945768081d
2014-03-17 13:00:38 -07:00
Add permissions back to app / shell domains Allow directory reads to allow tab completion in rootfs to work. "pm" is crashing due to failure to access /data/dalvik-cache. Add back in the permissions from domain_deprecated. Allow /sdcard to work again. Bug: 25954400 Change-Id: I48cfa92fabfa47ed3007a63b85284659ba94ea73
2015-12-01 16:28:28 -08:00
# Root fs.
allow shell rootfs:dir r_dir_perms;
Allow adbd / shell /data/anr access The shell user needs to be able to run commands like "cat /data/anr/traces.txt". Allow it. We also need to be able to pull the file via adb. "adb pull /data/anr/traces.txt". Allow it. Addresses the following denials: <4>[ 20.212398] type=1400 audit(1402000262.433:11): avc: denied { getattr } for pid=1479 comm="adbd" path="/data/anr/traces.txt" dev="mmcblk0p28" ino=325763 scontext=u:r:adbd:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file <4>[ 20.252182] type=1400 audit(1402000262.473:12): avc: denied { read } for pid=1479 comm="adbd" name="traces.txt" dev="mmcblk0p28" ino=325763 scontext=u:r:adbd:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file <4>[ 20.252579] type=1400 audit(1402000262.473:13): avc: denied { open } for pid=1479 comm="adbd" name="traces.txt" dev="mmcblk0p28" ino=325763 scontext=u:r:adbd:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file <4>[ 27.104068] type=1400 audit(1402000268.479:14): avc: denied { read } for pid=2377 comm="sh" name="traces.txt" dev="mmcblk0p28" ino=325763 scontext=u:r:shell:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file Bug: 15450720 Change-Id: I767102a7182895112838559b0ade1cd7c14459ab
2014-06-05 13:27:44 -07:00
# read files in /data/anr
allow shell anr_data_file:dir r_dir_perms;
allow shell anr_data_file:file r_file_perms;
Refactor the shell domains. Originally we used the shell domain for ADB shell only and the init_shell domain for the console service, both transitioned via automatic domain transitions on sh. So they originally shared a common set of rules. Then init_shell started to be used for sh commands invoked by init.<board>.rc files, and we switched the console service to just use the shell domain via seclabel entry in init.rc. Even most of the sh command instances in init.<board>.rc files have been converted to use explicit seclabel options with more specific domains (one lingering use is touch_fw_update service in init.grouper.rc). The primary purpose of init_shell at this point is just to shed certain permissions from the init domain when init invokes a shell command. And init_shell and shell are quite different in their permission requirements since the former is used now for uid-0 processes spawned by init whereas the latter is used for uid-shell processes spawned by adb or init. Given these differences, drop the shelldomain attribute and take those rules directly into shell.te. init_shell was an unconfined_domain(), so it loses nothing from this change. Also switch init_shell to permissive_or_unconfined() so that we can see its actual denials in the future in userdebug/eng builds. Change-Id: I6e7e45724d1aa3a6bcce8df676857bc8eef568f0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-11 04:10:09 -07:00
# Access /data/local/tmp.
allow shell shell_data_file:dir create_dir_perms;
allow shell shell_data_file:file create_file_perms;
allow shell shell_data_file:file rx_file_perms;
add permissions for adb shell to create symlinks in /data/local/tmp Bug: 18485243 Change-Id: Ic17baa0767ee1f1a27a3338558b86482ca92765e
2014-12-09 23:49:31 -08:00
allow shell shell_data_file:lnk_file create_file_perms;
Refactor the shell domains. Originally we used the shell domain for ADB shell only and the init_shell domain for the console service, both transitioned via automatic domain transitions on sh. So they originally shared a common set of rules. Then init_shell started to be used for sh commands invoked by init.<board>.rc files, and we switched the console service to just use the shell domain via seclabel entry in init.rc. Even most of the sh command instances in init.<board>.rc files have been converted to use explicit seclabel options with more specific domains (one lingering use is touch_fw_update service in init.grouper.rc). The primary purpose of init_shell at this point is just to shed certain permissions from the init domain when init invokes a shell command. And init_shell and shell are quite different in their permission requirements since the former is used now for uid-0 processes spawned by init whereas the latter is used for uid-shell processes spawned by adb or init. Given these differences, drop the shelldomain attribute and take those rules directly into shell.te. init_shell was an unconfined_domain(), so it loses nothing from this change. Also switch init_shell to permissive_or_unconfined() so that we can see its actual denials in the future in userdebug/eng builds. Change-Id: I6e7e45724d1aa3a6bcce8df676857bc8eef568f0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-11 04:10:09 -07:00
Adding write permissions to traceur Fixing denials that stopped traceur from being able to write to debugfs_tracing. Also cleaning up general find denials for services that traceur doesn't have permission to access. Additionally, labeling /data/local/trace as a trace_data_file in order to give traceur a UX friendly area to write its traces to now that it will no longer be a shell user. It will be write/readable by traceur, and deletable/readable by shell. Test: Traceur functionality is not being blocked by selinux policy Bug: 68126425 Change-Id: I201c82975a31094102e90bc81454d3c2a48fae36
2018-01-15 16:44:04 -08:00
# Read and delete from /data/local/traces.
allow shell trace_data_file:file { r_file_perms unlink };
allow shell trace_data_file:dir { r_dir_perms remove_name write };
SELinux policy for /data/misc/profman Bug: 28748264 Change-Id: I872c25666707beb737f3ce7a4f706c0135df7ad5
2016-05-27 12:41:35 -07:00
# Access /data/misc/profman.
Allow system server to write profile snapshots in /data/misc/profman The goal is to allow creating profile snapshots from the shell command in order to be able to write CTS tests. The system server will dump profiles for debuggable in /data/misc/profman from where they will be pulled and verified by CTS tests. Test: adb shell cmd package snapshot-profile com.android.vending Bug: 74081010 (cherry picked from commit 687d5e46ce81608b308ff0ae4ba9edeb878be8aa) Merged-In: I54690305284b92c0e759538303cb98c93ce92dd5 Change-Id: I54690305284b92c0e759538303cb98c93ce92dd5
2018-05-04 17:44:33 -07:00
allow shell profman_dump_data_file:dir { write remove_name r_dir_perms };
allow shell profman_dump_data_file:file { unlink r_file_perms };
SELinux policy for /data/misc/profman Bug: 28748264 Change-Id: I872c25666707beb737f3ce7a4f706c0135df7ad5
2016-05-27 12:41:35 -07:00
Create a new SELinux type for /data/nativetest 1) Don't use the generic "system_data_file" for the files in /data/nativetest. Rather, ensure it has it's own special label. This allows us to distinguish these files from other files in SELinux policy. 2) Allow the shell user to execute files from /data/nativetest, on userdebug or eng builds only. 3) Add a neverallow rule (compile time assertion + CTS test) that nobody is allowed to execute these files on user builds, and only the shell user is allowed to execute these files on userdebug/eng builds. Bug: 25340994 Change-Id: I3e292cdd1908f342699d6c52f8bbbe6065359413
2015-10-28 16:45:58 -07:00
# Read/execute files in /data/nativetest
userdebug_or_eng(`
allow shell nativetest_data_file:dir r_dir_perms;
allow shell nativetest_data_file:file rx_file_perms;
')
Refactor the shell domains. Originally we used the shell domain for ADB shell only and the init_shell domain for the console service, both transitioned via automatic domain transitions on sh. So they originally shared a common set of rules. Then init_shell started to be used for sh commands invoked by init.<board>.rc files, and we switched the console service to just use the shell domain via seclabel entry in init.rc. Even most of the sh command instances in init.<board>.rc files have been converted to use explicit seclabel options with more specific domains (one lingering use is touch_fw_update service in init.grouper.rc). The primary purpose of init_shell at this point is just to shed certain permissions from the init domain when init invokes a shell command. And init_shell and shell are quite different in their permission requirements since the former is used now for uid-0 processes spawned by init whereas the latter is used for uid-shell processes spawned by adb or init. Given these differences, drop the shelldomain attribute and take those rules directly into shell.te. init_shell was an unconfined_domain(), so it loses nothing from this change. Also switch init_shell to permissive_or_unconfined() so that we can see its actual denials in the future in userdebug/eng builds. Change-Id: I6e7e45724d1aa3a6bcce8df676857bc8eef568f0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-11 04:10:09 -07:00
# adb bugreport
unix_socket_connect(shell, dumpstate, dumpstate)
allow shell devpts:chr_file rw_file_perms;
allow shell tty_device:chr_file rw_file_perms;
allow shell console_device:chr_file rw_file_perms;
auditallow shell input_device:chr_file Test to see if anyone is writing to /dev/input from the shell. Bug: 30861057 Test: device boots and no avc granted messages. Change-Id: Ia3499ef9436f83cf13c633525348b63edd95990f
2018-08-24 11:57:49 -07:00
Allow shell to read/search /dev/input directory. Resolves denials such as: avc: denied { read } for pid=16758 comm="getevent" name="input" dev="tmpfs" ino=6018 scontext=u:r:shell:s0 tcontext=u:object_r:input_device:s0 tclass=dir Change-Id: I709bd20a03a5271382b191393d55a34b0b8e4e0c Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-11 09:09:15 -07:00
allow shell input_device:dir r_dir_perms;
shell: remove /dev/input write access Shell access to existing input devices is an abuse vector. The shell user can inject events that look like they originate from the touchscreen etc. Everyone should have already moved to UiAutomation#injectInputEvent if they are running instrumentation tests (i.e. CTS), Monkey for their stress tests, and the input command (adb shell input ...) for injecting swipes and things. Remove the write ability for shell users, and add a neverallow assertion (which is also a CTS test) to prevent regressions. Bug: 30861057 Test: auditallow statement added in f617a404c2d3d43e1146a7237752aa1baab68918 hasn't triggered. Test: ran getevent, saw correct output, played with device Change-Id: Ia78eeec05f6015478dd32bd59505b51fef200a99
2018-08-28 09:12:28 -07:00
allow shell input_device:chr_file r_file_perms;
auditallow shell input_device:chr_file Test to see if anyone is writing to /dev/input from the shell. Bug: 30861057 Test: device boots and no avc granted messages. Change-Id: Ia3499ef9436f83cf13c633525348b63edd95990f
2018-08-24 11:57:49 -07:00
shell.te: Allow read access to system_file Certain tests depend on the ability to examine directories in /system. Allow it to the shell user. Addresses the following denials: avc: denied { read } for name="egl" dev="dm-1" ino=104 scontext=u:r:shell:s0 tcontext=u:object_r:system_file:s0 tclass=dir permissive=0 Bug: 26020967 Bug: 26023420 Change-Id: I509d921e159e99164c85fae9e8b2982a47573d14
2015-12-04 09:05:02 -08:00
r_dir_file(shell, system_file)
Refactor the shell domains. Originally we used the shell domain for ADB shell only and the init_shell domain for the console service, both transitioned via automatic domain transitions on sh. So they originally shared a common set of rules. Then init_shell started to be used for sh commands invoked by init.<board>.rc files, and we switched the console service to just use the shell domain via seclabel entry in init.rc. Even most of the sh command instances in init.<board>.rc files have been converted to use explicit seclabel options with more specific domains (one lingering use is touch_fw_update service in init.grouper.rc). The primary purpose of init_shell at this point is just to shed certain permissions from the init domain when init invokes a shell command. And init_shell and shell are quite different in their permission requirements since the former is used now for uid-0 processes spawned by init whereas the latter is used for uid-shell processes spawned by adb or init. Given these differences, drop the shelldomain attribute and take those rules directly into shell.te. init_shell was an unconfined_domain(), so it loses nothing from this change. Also switch init_shell to permissive_or_unconfined() so that we can see its actual denials in the future in userdebug/eng builds. Change-Id: I6e7e45724d1aa3a6bcce8df676857bc8eef568f0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-11 04:10:09 -07:00
allow shell system_file:file x_file_perms;
Only allow toolbox exec where /system exec was already allowed. When the toolbox domain was introduced, we allowed all domains to exec it to avoid breakage. However, only domains that were previously allowed the ability to exec /system files would have been able to do this prior to the introduction of the toolbox domain. Remove the rule from domain.te and add rules to all domains that are already allowed execute_no_trans to system_file. Requires coordination with device-specific policy changes with the same Change-Id. Change-Id: Ie46209f0412f9914857dc3d7c6b0917b7031aae5 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-08-25 08:38:29 -07:00
allow shell toolbox_exec:file rx_file_perms;
Allow the shell user to run tzdatacheck Allow the shell user to run tzdatacheck, which is required to enable a new host side test. This change also adds some additional checks to tzdatacheck.te to ensure that OEMs opening up permissions further don't accidentally create a security hole. Bug: 31008728 Test: Ran CTS Change-Id: I6ebfb467526b6b2ea08f891420eea24c81ed1e36
2017-02-24 11:03:58 -08:00
allow shell tzdatacheck_exec:file rx_file_perms;
Refactor the shell domains. Originally we used the shell domain for ADB shell only and the init_shell domain for the console service, both transitioned via automatic domain transitions on sh. So they originally shared a common set of rules. Then init_shell started to be used for sh commands invoked by init.<board>.rc files, and we switched the console service to just use the shell domain via seclabel entry in init.rc. Even most of the sh command instances in init.<board>.rc files have been converted to use explicit seclabel options with more specific domains (one lingering use is touch_fw_update service in init.grouper.rc). The primary purpose of init_shell at this point is just to shed certain permissions from the init domain when init invokes a shell command. And init_shell and shell are quite different in their permission requirements since the former is used now for uid-0 processes spawned by init whereas the latter is used for uid-shell processes spawned by adb or init. Given these differences, drop the shelldomain attribute and take those rules directly into shell.te. init_shell was an unconfined_domain(), so it loses nothing from this change. Also switch init_shell to permissive_or_unconfined() so that we can see its actual denials in the future in userdebug/eng builds. Change-Id: I6e7e45724d1aa3a6bcce8df676857bc8eef568f0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-11 04:10:09 -07:00
allow shell shell_exec:file rx_file_perms;
allow shell zygote_exec:file rx_file_perms;
r_dir_file(shell, apk_data_file)
# Set properties.
Replace unix_socket_connect() and explicit property sets with macro A common source of mistakes when authoring sepolicy is properly setting up property sets. This is a 3 part step of: 1. Allowing the unix domain connection to the init/property service 2. Allowing write on the property_socket file 3. Allowing the set on class property_service The macro unix_socket_connect() handled 1 and 2, but could be confusing for first time policy authors. 3 had to be explicitly added. To correct this, we introduce a new macros: set_prop(sourcedomain, targetprop) This macro handles steps 1, 2 and 3. No difference in sediff is expected. Change-Id: I630ba0178439c935d08062892990d43a3cc1239e Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>
2015-05-04 18:22:45 -07:00
set_prop(shell, shell_prop)
Increase communication surface between dumpstate and Shell: - Add a new 'dumpstate' context for system properties. This context will be used to share state between dumpstate and Shell. For example, as dumpstate progresses, it will update a system property, which Shell will use to display the progress in the UI as a system notification. The user could also rename the bugreport file, in which case Shell would use another system property to communicate such change to dumpstate. - Allow Shell to call 'ctl.bugreport stop' so the same system notification can be used to stop dumpstate. BUG: 25794470 Change-Id: I74b80bda07292a91358f2eea9eb8444caabc5895
2015-12-01 18:03:05 -08:00
set_prop(shell, ctl_bugreport_prop)
Replace unix_socket_connect() and explicit property sets with macro A common source of mistakes when authoring sepolicy is properly setting up property sets. This is a 3 part step of: 1. Allowing the unix domain connection to the init/property service 2. Allowing write on the property_socket file 3. Allowing the set on class property_service The macro unix_socket_connect() handled 1 and 2, but could be confusing for first time policy authors. 3 had to be explicitly added. To correct this, we introduce a new macros: set_prop(sourcedomain, targetprop) This macro handles steps 1, 2 and 3. No difference in sediff is expected. Change-Id: I630ba0178439c935d08062892990d43a3cc1239e Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>
2015-05-04 18:22:45 -07:00
set_prop(shell, ctl_dumpstate_prop)
Increase communication surface between dumpstate and Shell: - Add a new 'dumpstate' context for system properties. This context will be used to share state between dumpstate and Shell. For example, as dumpstate progresses, it will update a system property, which Shell will use to display the progress in the UI as a system notification. The user could also rename the bugreport file, in which case Shell would use another system property to communicate such change to dumpstate. - Allow Shell to call 'ctl.bugreport stop' so the same system notification can be used to stop dumpstate. BUG: 25794470 Change-Id: I74b80bda07292a91358f2eea9eb8444caabc5895
2015-12-01 18:03:05 -08:00
set_prop(shell, dumpstate_prop)
Whitelist exported platform properties This CL lists all the exported platform properties in private/exported_property_contexts. Additionally accessing core_property_type from vendor components is restricted. Instead public_readable_property_type is used to allow vendor components to read exported platform properties, and accessibility from vendor_init is also specified explicitly. Note that whitelisting would be applied only if PRODUCT_COMPATIBLE_PROPERTY is set on. Bug: 38146102 Test: tested on walleye with PRODUCT_COMPATIBLE_PROPERTY=true Change-Id: I304ba428cc4ca82668fec2ddeb17c971e7ec065e
2017-10-19 00:54:49 -07:00
set_prop(shell, exported_dumpstate_prop)
Replace unix_socket_connect() and explicit property sets with macro A common source of mistakes when authoring sepolicy is properly setting up property sets. This is a 3 part step of: 1. Allowing the unix domain connection to the init/property service 2. Allowing write on the property_socket file 3. Allowing the set on class property_service The macro unix_socket_connect() handled 1 and 2, but could be confusing for first time policy authors. 3 had to be explicitly added. To correct this, we introduce a new macros: set_prop(sourcedomain, targetprop) This macro handles steps 1, 2 and 3. No difference in sediff is expected. Change-Id: I630ba0178439c935d08062892990d43a3cc1239e Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>
2015-05-04 18:22:45 -07:00
set_prop(shell, debug_prop)
set_prop(shell, powerctl_prop)
Allow shell to set log.tag.* properties Also allow shell to set persist.log.tag.* Bug: 28942894 Change-Id: Ifdb2c87871f159dd15338db372921297aea3bc6b
2016-06-01 11:14:14 -07:00
set_prop(shell, log_tag_prop)
set_prop(shell, wifi_log_prop)
sepolicy: allow shell to read/write traced prop This is to fix the CTS failures given by the bugs below where devices where traced is not enabled by default causes test failures. Bug: 78215159 Bug: 78347829 Change-Id: Ib0f6a1cdb770528dbbeb857368534ff5040e464e
2018-04-20 11:09:45 -07:00
# Allow shell to start/stop traced via the persist.traced.enable
# property (which also takes care of /data/misc initialization).
set_prop(shell, traced_enabled_prop)
logcat: introduce split to logd and logpersist domains - transition to logpersist from init - sort some overlapping negative references - intention is to allow logpersist to be used by vendor userdebug logging Test: gTest liblog-unit-tests, logd-unit-tests & logcat-unit-tests Bug: 30566487 Change-Id: I7806f5a2548cbe0c1f257a0ba2855f2eb69d8e7c
2016-08-10 11:10:02 -07:00
# adjust is_loggable properties
limit shell's access to log.* properties Restrict the ability of the shell to set the log.* properties. Namely: only allow the shell to set such properities on eng and userdebug builds. The shell (and other domains) can continue to read log.* properties on all builds. While there: harmonize permissions for log.* and persist.log.tag. Doing so introduces two changes: - log.* is now writable from from |system_app|. This mirrors the behavior of persist.log.tag, which is writable to support "Developer options" -> "Logger buffer sizes" -> "Off". (Since this option is visible on user builds, the permission is enabled for all builds.) - persist.log.tag can now be set from |shell| on userdebug_or_eng(). BUG=28221972 TEST=manual (see below) Testing details - user build (log.tag) $ adb shell setprop log.tag.foo V $ adb shell getprop log.tag <blank line> $ adb bugreport | grep log.tag.foo [ 146.525836] init: avc: denied { set } for property=log.tag.foo pid=4644 uid=2000 gid=2000 scontext=u:r:shell:s0 tcontext=u:object_r:log_prop:s0 tclass=property_service permissive=0 [ 146.525878] init: sys_prop: permission denied uid:2000 name:log.tag.foo - userdebug build (log.tag) $ adb shell getprop log.tag.foo <blank line> $ adb shell setprop log.tag.foo V $ adb shell getprop log.tag.foo V - user build (persist.log.tag) $ adb shell getprop | grep log.tag <no match> - Developer options -> Logger buffer sizes -> Off $ adb shell getprop | grep log.tag [persist.log.tag]: [Settings] [persist.log.tag.snet_event_log]: [I] Change-Id: Idf00e7a623723a7c46bf6d01e386aeca92b2ad75
2016-04-15 11:10:06 -07:00
userdebug_or_eng(`set_prop(shell, log_prop)')
logcat: introduce split to logd and logpersist domains - transition to logpersist from init - sort some overlapping negative references - intention is to allow logpersist to be used by vendor userdebug logging Test: gTest liblog-unit-tests, logd-unit-tests & logcat-unit-tests Bug: 30566487 Change-Id: I7806f5a2548cbe0c1f257a0ba2855f2eb69d8e7c
2016-08-10 11:10:02 -07:00
# logpersist script
logpersist: reserve persist.logd.logpersistd shell, system_app and logd access granted on debug builds only Bug: 28936216 Change-Id: Ib9648e8565cc0ea0077cf0950b0e4ac6fe0a3135
2016-06-06 12:18:46 -07:00
userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)')
Add persist.heapprofd.enable property. This is analoguous to what Perfetto does with persist.traced.enable. Test: m Test: flash walleye Test: setprop persist.heapprofd.enable 1 setprop persist.heapprofd.enable 0 Change-Id: I997272ef8c6fe078aca2388ed0cf2ecc3de612a5
2018-12-10 08:20:20 -08:00
# Allow shell to start/stop heapprofd via the persist.heapprofd.enable
# property.
set_prop(shell, heapprofd_enabled_prop)
Refactor the shell domains. Originally we used the shell domain for ADB shell only and the init_shell domain for the console service, both transitioned via automatic domain transitions on sh. So they originally shared a common set of rules. Then init_shell started to be used for sh commands invoked by init.<board>.rc files, and we switched the console service to just use the shell domain via seclabel entry in init.rc. Even most of the sh command instances in init.<board>.rc files have been converted to use explicit seclabel options with more specific domains (one lingering use is touch_fw_update service in init.grouper.rc). The primary purpose of init_shell at this point is just to shed certain permissions from the init domain when init invokes a shell command. And init_shell and shell are quite different in their permission requirements since the former is used now for uid-0 processes spawned by init whereas the latter is used for uid-shell processes spawned by adb or init. Given these differences, drop the shelldomain attribute and take those rules directly into shell.te. init_shell was an unconfined_domain(), so it loses nothing from this change. Also switch init_shell to permissive_or_unconfined() so that we can see its actual denials in the future in userdebug/eng builds. Change-Id: I6e7e45724d1aa3a6bcce8df676857bc8eef568f0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-11 04:10:09 -07:00
Add SELinux settings to support tracing during boot. This CL adds the SELinux settings required to support tracing during boot. https://android-review.googlesource.com/#/c/157163/ BUG: 21739901 Change-Id: Ib3a7107776141ac8cf4f1ca06674f47a0d4b6ae0
2015-06-23 23:24:17 -07:00
userdebug_or_eng(`
# "systrace --boot" support - allow boottrace service to run
allow shell boottrace_data_file:dir rw_dir_perms;
allow shell boottrace_data_file:file create_file_perms;
set_prop(shell, persist_debug_prop)
')
Refactor the shell domains. Originally we used the shell domain for ADB shell only and the init_shell domain for the console service, both transitioned via automatic domain transitions on sh. So they originally shared a common set of rules. Then init_shell started to be used for sh commands invoked by init.<board>.rc files, and we switched the console service to just use the shell domain via seclabel entry in init.rc. Even most of the sh command instances in init.<board>.rc files have been converted to use explicit seclabel options with more specific domains (one lingering use is touch_fw_update service in init.grouper.rc). The primary purpose of init_shell at this point is just to shed certain permissions from the init domain when init invokes a shell command. And init_shell and shell are quite different in their permission requirements since the former is used now for uid-0 processes spawned by init whereas the latter is used for uid-shell processes spawned by adb or init. Given these differences, drop the shelldomain attribute and take those rules directly into shell.te. init_shell was an unconfined_domain(), so it loses nothing from this change. Also switch init_shell to permissive_or_unconfined() so that we can see its actual denials in the future in userdebug/eng builds. Change-Id: I6e7e45724d1aa3a6bcce8df676857bc8eef568f0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-06-11 04:10:09 -07:00
Enable ADB shell access to ro.serialno 6e4508e625e29f1a782428447de142e96498b5e4 inadvertently removed access to ro.serialno and ro.boot.serialno from ADB shell. This is needed for CTS. This commit thus reinstates the access. Test: adb shell getprop ro.serialno Bug: 33700679 Change-Id: I62de44b1631c03fcd64ceabaf33bbaeb869c2851
2016-12-28 17:44:33 -08:00
# Read device's serial number from system properties
get_prop(shell, serialno_prop)
Adding labeling for vendor security patch prop This will allow adb shell getprop ro.vendor.build.security_patch to properly return the correct build property, whereas previously it was offlimits due to lack of label. Test: adb shell getprop ro.vendor.build.security_patch successfully returns whatever VENDOR_SECURITY_PATCH is defined to be in the Android .mk files Change-Id: Ie8427738125fc7f909ad8d51e4b76558f5544d49
2018-03-29 18:21:31 -07:00
# Allow shell to read the vendor security patch level for CTS
get_prop(shell, vendor_security_patch_level_prop)
Let shell and bugreport read logging related properties. Currently ro.device_owner and persist.logd.security aren't accessible without root, so "adb shell getprop" returns empty reply which is confusing. Also these properties aren't seen from bugreport unless their change happened recently. Bug: 37053313 Test: manual, took bugreport and ran getprop after "adb unroot". Change-Id: Id41cdabc282f2ebcdfc0ac7fe9df756322a0863d
2017-04-20 10:02:50 -07:00
# Read state of logging-related properties
get_prop(shell, device_logging_prop)
Switch /data/misc/reboot/last_reboot_reason to persistent property Switch from /data/misc/reboot/last_reboot_reason to persistent Android property persist.sys.boot.reason for indicating why the device is rebooted or shutdown. Introduce protection for all boot reason properties Protect the following properties with these labels ro.boot.bootreason u:object_r:bootloader_boot_reason_prop:s0 sys.boot.reason u:object_r:sys_boot_reason_prop:s0 persist.sys.boot.reason u:object_r:last_boot_reason_prop:s0 Setup the current as-need access rules for each. ToDo: Remove u:object_r:reboot_data_file after internal fixes. Test: system/core/bootstat/boot_reason_test.sh Bug: 64687998 Change-Id: I3771c73933e8ae2d94aee936c7a38b6282611b80
2017-08-14 14:25:10 -07:00
# Read state of boot reason properties
get_prop(shell, bootloader_boot_reason_prop)
get_prop(shell, last_boot_reason_prop)
get_prop(shell, system_boot_reason_prop)
Allow shell to find all services. dumpsys from shell results in many denials: 11-08 02:52:13.087 171 171 E SELinux : avc: denied { find } for service=SurfaceFlinger scontext=u:r:shell:s0 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager 11-08 02:52:13.089 171 171 E SELinux : avc: denied { find } for service=android.security.keystore scontext=u:r:shell:s0 tcontext=u:object_r:keystore_service:s0 tclass=service_manager 11-08 02:52:13.093 171 171 E SELinux : avc: denied { find } for service=batteryproperties scontext=u:r:shell:s0 tcontext=u:object_r:healthd_service:s0 tclass=service_manager 11-08 02:52:13.103 171 171 E SELinux : avc: denied { find } for service=display.qservice scontext=u:r:shell:s0 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager 11-08 02:52:13.104 171 171 E SELinux : avc: denied { find } for service=drm.drmManager scontext=u:r:shell:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager 11-08 02:52:13.113 171 171 E SELinux : avc: denied { find } for service=media.audio_flinger scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager 11-08 02:52:13.113 171 171 E SELinux : avc: denied { find } for service=media.audio_policy scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager 11-08 02:52:13.113 171 171 E SELinux : avc: denied { find } for service=media.camera scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager 11-08 02:52:13.114 171 171 E SELinux : avc: denied { find } for service=media.player scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager 11-08 02:52:13.114 171 171 E SELinux : avc: denied { find } for service=media.sound_trigger_hw scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager 11-08 02:52:13.118 171 171 E SELinux : avc: denied { find } for service=nfc scontext=u:r:shell:s0 tcontext=u:object_r:nfc_service:s0 tclass=service_manager 11-08 02:52:13.130 171 171 E SELinux : avc: denied { find } for service=SurfaceFlinger scontext=u:r:shell:s0 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager 11-08 02:52:13.379 171 171 E SELinux : avc: denied { find } for service=android.security.keystore scontext=u:r:shell:s0 tcontext=u:object_r:keystore_service:s0 tclass=service_manager 11-08 02:52:13.388 171 171 E SELinux : avc: denied { find } for service=batteryproperties scontext=u:r:shell:s0 tcontext=u:object_r:healthd_service:s0 tclass=service_manager 11-08 02:52:13.574 171 171 E SELinux : avc: denied { find } for service=display.qservice scontext=u:r:shell:s0 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager 11-08 02:52:13.576 171 171 E SELinux : avc: denied { find } for service=drm.drmManager scontext=u:r:shell:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager 11-08 02:52:13.712 171 171 E SELinux : avc: denied { find } for service=media.audio_flinger scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager 11-08 02:52:13.712 171 171 E SELinux : avc: denied { find } for service=media.audio_policy scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager 11-08 02:52:13.713 171 171 E SELinux : avc: denied { find } for service=media.camera scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager 11-08 02:52:13.713 171 171 E SELinux : avc: denied { find } for service=media.player scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager 11-08 02:52:13.713 171 171 E SELinux : avc: denied { find } for service=media.sound_trigger_hw scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager Bug: 18799966 Change-Id: Id2bf69230338ac9dd45dc5d70f419fa41056e4fc
2015-01-23 15:55:42 -08:00
# allow shell access to services
Allow dumpstate and shell to list services. Addresses the following denials: avc: denied { list } for service=NULL scontext=u:r:shell:s0 tcontext=u:r:servicemanager:s0 tclass=service_manager avc: denied { list } for service=NULL scontext=u:r:dumpstate:s0 tcontext=u:r:servicemanager:s0 tclass=service_manager Bug: 18864737 Change-Id: I72bd2cd9663f1df9410c2139411038fa997bf1b4
2014-12-30 15:21:50 -08:00
allow shell servicemanager:service_manager list;
SELinux permissions for gatekeeper TEE proxy sets up: - execute permissions - binder permission (system_server->gatekeeper->keystore) - prevents dumpstate and shell from finding GK binder service - neverallow rules for prohibited clients Change-Id: I1817933a91de625db469a20c7a4c8e2ca46efa1e
2015-04-03 16:46:33 -07:00
# don't allow shell to access GateKeeper service
Added permissions for the dumpstate service. - Allow dumpstate to create the dumpservice service. - Allow System Server and Shell to find that service. - Don't allow anyone else to create that service. - Don't allow anyone else to find that service. BUG: 31636879 Test: manual verification Change-Id: I642fe873560a2b123e6bafde645467d45a5f5711
2016-10-28 15:52:15 -07:00
# TODO: why is this so broad? Tightening candidate? It needs at list:
# - dumpstate_service (so it can receive dumpstate progress updates)
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 12:58:29 -07:00
allow shell {
service_manager_type
Add policy for apexd. apexd is a new daemon for managing APEX packages installed on the device. It hosts a single binder service, "apexservice". Bug: 112455435 Test: builds, binder service can be registered, apexes can be accessed, verified and mounted Change-Id: I634ad100f10b2edcd9a9c0df0d33896fa5d4ed97
2018-08-17 00:35:42 -07:00
-apex_service
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 12:58:29 -07:00
-gatekeeper_service
-incident_service
-installd_service
iorapd: Add new binder service iorapd. This daemon is very locked down. Only system_server can access it. Bug: 72170747 Change-Id: I7b72b9191cb192be96001d84d067c28292c9688f
2018-10-05 14:48:29 -07:00
-iorapd_service
Sync internal master and AOSP sepolicy. Bug: 37916906 Test: Builds 'n' boots. Change-Id: Ia1d86264446ebecc1ca79f32f11354921bc77668 Merged-In: I208ec6a864127a059fb389417a9c6b259d7474cb
2017-09-26 12:58:29 -07:00
-netd_service
-virtual_touchpad_service
-vold_service
-vr_hwc_service
}:service_manager find;
Added permissions for the dumpstate service. - Allow dumpstate to create the dumpservice service. - Allow System Server and Shell to find that service. - Don't allow anyone else to create that service. - Don't allow anyone else to find that service. BUG: 31636879 Test: manual verification Change-Id: I642fe873560a2b123e6bafde645467d45a5f5711
2016-10-28 15:52:15 -07:00
allow shell dumpstate:binder call;
Allow shell to read /proc. Grant shell read access to /proc taken away by commit: 0d3f7ddc70572382edec58841b3d6262abf49f49 Addresses the following denials encountered when running ps or top. Bug: 18799966 Change-Id: If764adeade562d884c3d710f1cd1cb34011efe89
2015-01-16 13:39:59 -08:00
shell: hwbinder_use In order to dump hardware services using dumpsys, dumpsys needs to be able to talk to the hwservicemanager. Bug: 33382892 Test: dumpsys --hw works from unrooted shell Change-Id: I31f0982193991428da465507f93d50646cb38726
2017-01-20 15:19:32 -08:00
# allow shell to get information from hwservicemanager
shell.te: hwbinder for lshal Update shell.te to reflect the fact that hwbinder_user permission is for lshal, not dumpsys. Bug: 33382892 Test: pass Change-Id: I1d298261cea82177436a662afbaa767f00117b16
2017-02-13 15:42:42 -08:00
# for instance, listing hardware services with lshal
shell: hwbinder_use In order to dump hardware services using dumpsys, dumpsys needs to be able to talk to the hwservicemanager. Bug: 33382892 Test: dumpsys --hw works from unrooted shell Change-Id: I31f0982193991428da465507f93d50646cb38726
2017-01-20 15:19:32 -08:00
hwbinder_use(shell)
Add hwservice_contexts and support for querying it. hwservicemanager can check hwservice_contexts files both from the framework and vendor partitions. Initially, have a wildcard '*' in hwservice_contexts that maps to a label that can be added/found from domain. This needs to be removed when the proper policy is in place. Also, grant su/shell access to hwservicemanager list operations, so tools like 'lshal' continue to work. Bug: 34454312 Test: Marlin boots Change-Id: I3a02d97a82458692b528d85c1b8e78b6f82ea1bc
2017-04-07 16:14:43 -07:00
allow shell hwservicemanager:hwservice_manager list;
shell: hwbinder_use In order to dump hardware services using dumpsys, dumpsys needs to be able to talk to the hwservicemanager. Bug: 33382892 Test: dumpsys --hw works from unrooted shell Change-Id: I31f0982193991428da465507f93d50646cb38726
2017-01-20 15:19:32 -08:00
Shell: grant permission to run lsmod lsmod needs access to /proc/modules Test: build, run lsmod Change-Id: Icb6ea6ce791cc6a22c89aa8e90c44749497c8468
2017-10-20 12:38:17 -07:00
# allow shell to look through /proc/ for lsmod, ps, top, netstat.
Start the process of locking down proc/net Files in /proc/net leak information. This change is the first step in determining which files apps may use, whitelisting benign access, and otherwise removing access while providing safe alternative APIs. To that end, this change: * Introduces the proc_net_type attribute which will assigned to any new SELinux types in /proc/net to avoid removing access to privileged processes. These processes may be evaluated later, but are lower priority than apps. * Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing use by VPN apps. This may be replaced by an alternative API. * Audits all other proc/net access for apps. * Audits proc/net access for other processes which are currently granted broad read access to /proc/net but should not be including storaged, zygote, clatd, logd, preopt2cachename and vold. Bug: 9496886 Bug: 68016944 Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube navigate maps, send text message, make voice call, make video call. Verify no avc "granted" messages in the logs. Test: A few VPN apps including "VPN Monster", "Turbo VPN", and "Freighter". Verify no logspam with the current setup. Test: atest CtsNativeNetTestCases Test: atest netd_integration_test Test: atest QtaguidPermissionTest Test: atest FileSystemPermissionTest Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457 Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457 (cherry picked from commit 087318957f26e921d62f2e234fc14bff3c59030e)
2018-04-10 12:47:48 -07:00
r_dir_file(shell, proc_net_type)
shell: neverallow access to 'proc' label. Added access to proc_uptime and proc_asound to address these denials: avc: denied { read } for name="uptime" dev="proc" ino=4026532080 scontext=u:r:shell:s0 tcontext=u:object_r:proc_uptime:s0 tclass=file permissive=1 avc: denied { getattr } for path="/proc/asound/version" dev="proc" ino=4026532017 scontext=u:r:shell:s0 tcontext=u:object_r:proc_asound:s0 tclass=file permissive=1 Bug: 65643247 Test: device boots with no denial from 'shell' domain. Test: lsmod, ps, top, netstat Test: No denials triggered from CtsSecurityHostTestCases Test: external/toybox/run-tests-on-android.sh does not pass, but triggers no denials from 'shell' domain to 'proc' type. Change-Id: Ia4c26fd616e33e5962c6707a855dc24e338ec153
2017-11-13 09:50:03 -08:00
allow shell {
proc_asound
proc_filesystems
proc_interrupts
Allow shell /proc/loadavg access Needed for the bionic stdlib.getloadavg test. Access to /proc/loadavg was inadvertantly removed when a new label was assigned to that file in system/sepolicy commit 8c2323d3f9d052ddb7c2a3ef87db59d13f5021c0. Addresses the following denial: CtsBionicTestCa: type=1400 audit(0.0:188192): avc: denied { read } for name="loadavg" dev="proc" ino=4026531959 scontext=u:r:shell:s0 tcontext=u:object_r:proc_loadavg:s0 tclass=file permissive=0 Bug: 124024827 Test: compiles Change-Id: Iadb5c98cb96f69ddc9418a64720370adae1bb51f
2019-02-20 13:33:03 -08:00
proc_loadavg # b/124024827
shell: neverallow access to 'proc' label. Added access to proc_uptime and proc_asound to address these denials: avc: denied { read } for name="uptime" dev="proc" ino=4026532080 scontext=u:r:shell:s0 tcontext=u:object_r:proc_uptime:s0 tclass=file permissive=1 avc: denied { getattr } for path="/proc/asound/version" dev="proc" ino=4026532017 scontext=u:r:shell:s0 tcontext=u:object_r:proc_asound:s0 tclass=file permissive=1 Bug: 65643247 Test: device boots with no denial from 'shell' domain. Test: lsmod, ps, top, netstat Test: No denials triggered from CtsSecurityHostTestCases Test: external/toybox/run-tests-on-android.sh does not pass, but triggers no denials from 'shell' domain to 'proc' type. Change-Id: Ia4c26fd616e33e5962c6707a855dc24e338ec153
2017-11-13 09:50:03 -08:00
proc_meminfo
proc_modules
Label /proc/sys/kernel/pid_max as proc_pid_max. And give shell domain read access to /proc/sys/kernel/pic_max. Bug: 69569397 Test: adb shell /data/nativetest/bionic-unit-tests/bionic-unit-tests --gtest_filter=pthread.pthread_mutex_owner_tid_limit Change-Id: Ib56c18ed553ad2c2113e6913788a4c00965483cc
2017-11-28 08:42:40 -08:00
proc_pid_max
access to /proc/slabinfo init, dumpstate and shell Test: check avc for init is now gone Bug: 7232205 Bug: 109821005 Change-Id: I299a0ba29bcc97a97047f12a5c48f6056f5e6de5
2018-06-14 07:34:19 -07:00
proc_slabinfo
shell: neverallow access to 'proc' label. Added access to proc_uptime and proc_asound to address these denials: avc: denied { read } for name="uptime" dev="proc" ino=4026532080 scontext=u:r:shell:s0 tcontext=u:object_r:proc_uptime:s0 tclass=file permissive=1 avc: denied { getattr } for path="/proc/asound/version" dev="proc" ino=4026532017 scontext=u:r:shell:s0 tcontext=u:object_r:proc_asound:s0 tclass=file permissive=1 Bug: 65643247 Test: device boots with no denial from 'shell' domain. Test: lsmod, ps, top, netstat Test: No denials triggered from CtsSecurityHostTestCases Test: external/toybox/run-tests-on-android.sh does not pass, but triggers no denials from 'shell' domain to 'proc' type. Change-Id: Ia4c26fd616e33e5962c6707a855dc24e338ec153
2017-11-13 09:50:03 -08:00
proc_stat
proc_timer
proc_uptime
proc_version
proc_zoneinfo
}:file r_file_perms;
shell: directory access to sysfs_net This will allow bionic cts test to list network interfaces in /sys/class/net. Bug: 70537905 Test: adb shell /data/nativetest/bionic-unit-tests/bionic-unit-tests --gtest_filter=ifaddrs.getifaddrs_interfaces Change-Id: Ie07425fc54f9101e911962142824697e64d2bc45
2017-12-12 09:34:13 -08:00
# allow listing network interfaces under /sys/class/net.
allow shell sysfs_net:dir r_dir_perms;
Remove domain_deprecated from adbd and shell The extra permissions are not needed. Delete them. This change also adds read permission for /data/misc/zoneinfo back to all domains. libc refernces this directory for timezone related files, and it feels dangerous and of little value to try to restrict access. In particular, this causes problems when the shell user attempts to run "ls -la" to show file time stamps in the correct timezone. Bug: 25433265 Change-Id: I666bb460e440515151e3bf46fe2e0ac0e7c99f46
2015-11-27 19:18:17 -08:00
r_dir_file(shell, cgroup)
Allow shell to read /proc. Grant shell read access to /proc taken away by commit: 0d3f7ddc70572382edec58841b3d6262abf49f49 Addresses the following denials encountered when running ps or top. Bug: 18799966 Change-Id: If764adeade562d884c3d710f1cd1cb34011efe89
2015-01-16 13:39:59 -08:00
allow shell domain:dir { search open read getattr };
allow shell domain:{ file lnk_file } { open read getattr };
bootchart: add policy rules for bootchart allow the bootchart to create dir and files at init, also allow user to create the stop and start file under /data/bootchart directory to start and stop bootchart Change-Id: Icfee8dcd17366383eef00fbe3139744bf4427a6b Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
2014-12-04 21:40:22 -08:00
undeprecate /proc/cpuinfo, more shell permissions Access to /proc/cpuinfo was moved to domain_deprecated in commit 6e3506e1ba83fb47297c8908016397c8f17840c4. Restore access to everyone. Allow the shell user to stat() /dev, and vfsstat() /proc and other labeled filesystems such as /system and /data. Access to /proc/cpuinfo was explicitly granted to bootanim, but is no longer required after moving it back to domain.te. Delete the redundant entry. Commit 4e2d22451f9645f7ab39b94b1ec0f0f5a5c5b2e9 restored access to /sys/devices/system/cpu for all domains, but forgot to remove the redundant entry from bootanim.te. Cleanup the redundant entry. Addresses the following denials: avc: denied { getattr } for pid=23648 comm="bionic-unit-tes" name="/" dev="proc" ino=1 scontext=u:r:shell:s0 tcontext=u:object_r:proc:s0 tclass=filesystem permissive=0 avc: denied { read } for name="cpuinfo" dev="proc" ino=4026533615 scontext=u:r:shell:s0 tcontext=u:object_r:proc_cpuinfo:s0 tclass=file permissive=0 avc: denied { getattr } for pid=23713 comm="bionic-unit-tes" path="/dev" dev="tmpfs" ino=11405 scontext=u:r:shell:s0 tcontext=u:object_r:device:s0 tclass=dir permissive=0 avc: denied { getattr } for name="/" dev="mmcblk0p30" ino=2 scontext=u:r:shell:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=0 Bug: 26295417 Change-Id: Ia85ac91cbd43235c0f8fe0aebafffb8046cc77ec
2015-12-22 16:41:27 -08:00
# statvfs() of /proc and other labeled filesystems
fs_mgr: add overlayfs handling for squashfs system filesystems /cache/overlay directory in support of overlayfs mounts on userdebug and eng devices. Overlayfs in turn can be capable of supporting adb remount for read-only or restricted-storage filesystems like squashfs or right-sized (zero free space) system partitions respectively. Test: compile Bug: 109821005 Bug: 110985612 Change-Id: I3ece03886db7cc97f864497cf93ec6c6c39bccd1
2018-06-13 08:02:29 -07:00
# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs, overlay)
undeprecate /proc/cpuinfo, more shell permissions Access to /proc/cpuinfo was moved to domain_deprecated in commit 6e3506e1ba83fb47297c8908016397c8f17840c4. Restore access to everyone. Allow the shell user to stat() /dev, and vfsstat() /proc and other labeled filesystems such as /system and /data. Access to /proc/cpuinfo was explicitly granted to bootanim, but is no longer required after moving it back to domain.te. Delete the redundant entry. Commit 4e2d22451f9645f7ab39b94b1ec0f0f5a5c5b2e9 restored access to /sys/devices/system/cpu for all domains, but forgot to remove the redundant entry from bootanim.te. Cleanup the redundant entry. Addresses the following denials: avc: denied { getattr } for pid=23648 comm="bionic-unit-tes" name="/" dev="proc" ino=1 scontext=u:r:shell:s0 tcontext=u:object_r:proc:s0 tclass=filesystem permissive=0 avc: denied { read } for name="cpuinfo" dev="proc" ino=4026533615 scontext=u:r:shell:s0 tcontext=u:object_r:proc_cpuinfo:s0 tclass=file permissive=0 avc: denied { getattr } for pid=23713 comm="bionic-unit-tes" path="/dev" dev="tmpfs" ino=11405 scontext=u:r:shell:s0 tcontext=u:object_r:device:s0 tclass=dir permissive=0 avc: denied { getattr } for name="/" dev="mmcblk0p30" ino=2 scontext=u:r:shell:s0 tcontext=u:object_r:labeledfs:s0 tclass=filesystem permissive=0 Bug: 26295417 Change-Id: Ia85ac91cbd43235c0f8fe0aebafffb8046cc77ec
2015-12-22 16:41:27 -08:00
allow shell { proc labeledfs }:filesystem getattr;
# stat() of /dev
allow shell device:dir getattr;
Allow shell to read /proc/pid/attr/current for ps -Z. Needed since Iff1e601e1268d4d77f64788d733789a2d2cd18cc removed it from appdomain. Change-Id: I9fc08b525b9868f0fb703b99b0c0c17ca8b656f9 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2015-03-16 08:43:22 -07:00
# allow shell to read /proc/pid/attr/current for ps -Z
allow shell domain:process getattr;
shell.te: allow pulling the currently running SELinux policy Allow pulling the currently running SELinux policy for CTS. Change-Id: I82ec03724a8e5773b3b693c4f39cc7b5c3ae4516
2015-12-03 13:28:14 -08:00
# Allow pulling the SELinux policy for CTS purposes
allow shell selinuxfs:dir r_dir_perms;
allow shell selinuxfs:file r_file_perms;
bootchart: add policy rules for bootchart allow the bootchart to create dir and files at init, also allow user to create the stop and start file under /data/bootchart directory to start and stop bootchart Change-Id: Icfee8dcd17366383eef00fbe3139744bf4427a6b Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
2014-12-04 21:40:22 -08:00
# enable shell domain to read/write files/dirs for bootchart data
# User will creates the start and stop file via adb shell
# and read other files created by init process under /data/bootchart
allow shell bootchart_data_file:dir rw_dir_perms;
allow shell bootchart_data_file:file create_file_perms;
neverallow shell file_type:file link Change-Id: I77ce4331d70edebcecc753b2e67ffab1de3ae98e
2015-04-16 08:43:10 -07:00
allow shell self:process ptrace; Allow the non-privileged adb shell user to run strace. Without this patch, the command "strace /system/bin/ls" fails with the following error: shell@android:/ $ strace /system/bin/ls strace: ptrace(PTRACE_TRACEME, ...): Permission denied +++ exited with 1 +++ Change-Id: I207fe0f71941bff55dbeb6fe130e636418f333ee
2015-10-15 13:35:01 -07:00
# Make sure strace works for the non-privileged shell user
allow shell self:process ptrace;
Add sysfs_batteryinfo label. Shell user needs to be able to get current device battery_level via /sys/class/power_supply/battery/capacity. Create a global label and corresponding policy for accessing this. Rely on each device to label the appropriate sysfs entry. Bug: 26219114 Change-Id: I2c5ef489a9db2fdf7bbd5afd04278214b814351c
2016-01-05 14:32:54 -08:00
# allow shell to get battery info
Allow shell to read sysfs dirs. Bug: 26219114 Change-Id: I300899d610258704eb2d45488700eadb7a686606
2016-01-13 09:02:36 -08:00
allow shell sysfs:dir r_dir_perms;
shell: allow reading battery info dirs in /sys Addresses: avc: denied { search } for comm="sh" name="bms" dev="sysfs" ino=47908 scontext=u:r:shell:s0 tcontext=u:object_r:sysfs_batteryinfo:s0 tclass=dir Test: build Change-Id: I8a0197417c47feefba084e9c75933d28c5f6e5f1
2017-10-13 10:26:44 -07:00
allow shell sysfs_batteryinfo:dir r_dir_perms;
allow shell sysfs_batteryinfo:file r_file_perms;
shell.te: allow rules before neverallow rules By convention, allow rules should be placed before neverallow rules. Change-Id: Icb9155bcce1f77bebbf9dc83a8c7b97e161c88a5
2015-12-22 09:40:03 -08:00
# Allow access to ion memory allocation device.
allow shell ion_device:chr_file rw_file_perms;
shell: enable hostside test: testAllCharacterDevicesAreSecure Enable shell to have access to /dev for running the world accessable mode test on /dev. This approach adds shell to the list of excluded domains on neverallows around chr_files, but locks down the access for shell to only getattr. It was done this lightly more complicated way to prevent loosening the allow rules so that any domain would have getattr permissions. Change-Id: Idab466fa226ddbf004fcb1bbcaf98c8326605253
2016-03-23 17:26:42 -07:00
#
# filesystem test for insecure chr_file's is done
# via a host side test
#
allow shell dev_type:dir r_dir_perms;
allow shell dev_type:chr_file getattr;
# /dev/fd is a symlink
allow shell proc:lnk_file getattr;
shell: enable hostside test: testAllBlockDevicesAreSecure Enable rules to allow shell to getattr on all block files for checking modes under /dev/block. Exempt shell from any neverallows on blk_file and limit them to only getattr. bug: 28306036 Change-Id: Ic26c0f7acfb238ff78d5d3537d51c1a70c64d196 Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-04-05 08:19:27 -07:00
#
# filesystem test for insucre blk_file's is done
# via hostside test
#
allow shell dev_type:blk_file getattr;
resolve merge conflicts of 9221e73 to nyc-dev-plus-aosp Change-Id: I4afb6e977955af3d8a74ada7df6705746f83bc6d
2016-04-28 13:54:48 -07:00
adbd/shell: grant access to sepolicy for cts Test: Test: make cts && \ cts-tradefed run singleCommand cts --skip-device-info \ --skip-preconditions --skip-connectivity-check --abi arm64-v8a \ --module CtsSecurityHostTestCases \ -t android.security.cts.SELinuxHostTest#testNoExemptionsForBinderInVendorBan Fails as expected. Bug: 36002573 Change-Id: I298c526789b25734d5f18666c64497e5d1e181d0
2017-04-03 16:31:09 -07:00
# read selinux policy files
allow shell file_contexts_file:file r_file_perms;
allow shell property_contexts_file:file r_file_perms;
allow shell seapp_contexts_file:file r_file_perms;
allow shell service_contexts_file:file r_file_perms;
allow shell sepolicy_file:file r_file_perms;
Allow shell to start vendor shell Test: adb shell /vendor/bin/sh Fixes: 65448858 Change-Id: Ic2c9fa9b7e5bed3e1532f4e545f54a857ea99fc6
2018-01-11 11:01:30 -08:00
# Allow shell to start up vendor shell
allow shell vendor_shell_exec:file rx_file_perms;
adbd is allowed to execute shell in recovery mode The shell is now available directly in the recovery ramdisk. We no longer need to mount system.img to /system as the recovery ramdisk is self-contained. However, there is a problem that every file in the ramdisk is labeled as rootfs because the ramdisk does not support xattr. This CL adds several recovery-only rules that are required to make the recovery ramdisk self-contained. Most importantly, adbd is allowed to domain_trans to shell. Also shell is allowe to execute files of type rootfs. Finally, the recovery is allowed to mount on tmpfs since it now mounts system.img to /mnt/system. Bug: 63673171 Test: `adb reboot recovery; adb devices` shows the device ID Test: `adb root && adb shell` and then $ lsof -p `pidof adbd` shows that libm.so, libc.so, etc. are loaded from the /lib directory. Change-Id: If21b069aee63541344a5ca8939fb9a46ffef4d3e
2018-05-31 20:31:33 -07:00
# Everything is labeled as rootfs in recovery mode. Allow shell to
# execute them.
recovery_only(`
allow shell rootfs:file rx_file_perms;
')
shell.te: allow rules before neverallow rules By convention, allow rules should be placed before neverallow rules. Change-Id: Icb9155bcce1f77bebbf9dc83a8c7b97e161c88a5
2015-12-22 09:40:03 -08:00
###
### Neverallow rules
###
neverallow shell file_type:file link Change-Id: I77ce4331d70edebcecc753b2e67ffab1de3ae98e
2015-04-16 08:43:10 -07:00
# Do not allow shell to hard link to any files.
# In particular, if shell hard links to app data
# files, installd will not be able to guarantee the deletion
# of the linked to file. Hard links also contribute to security
# bugs, so we want to ensure the shell user never has this
# capability.
neverallow shell file_type:file link;
shell: Reduce socket ioctl perms Only allow shell to access the same subset of ioctl commands as untrusted_app. This reduces the attack surface of the kernel available to a local attacker. Bug: 26324307 Bug: 26267358 Change-Id: Ib8ecb9546af5fb480d2622149d4e00ec50cd4cde
2016-01-05 07:42:16 -08:00
# Do not allow privileged socket ioctl commands
expand scope of priv_sock_ioctls neverallows From self to domain Change-Id: I97aeea67a6b66bc307715a050cf7699e5be9715e
2016-01-05 09:36:12 -08:00
neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
resolve merge conflicts of 9221e73 to nyc-dev-plus-aosp Change-Id: I4afb6e977955af3d8a74ada7df6705746f83bc6d
2016-04-28 13:54:48 -07:00
shell: enable hostside test: testAllCharacterDevicesAreSecure Enable shell to have access to /dev for running the world accessable mode test on /dev. This approach adds shell to the list of excluded domains on neverallows around chr_files, but locks down the access for shell to only getattr. It was done this lightly more complicated way to prevent loosening the allow rules so that any domain would have getattr permissions. Change-Id: Idab466fa226ddbf004fcb1bbcaf98c8326605253
2016-03-23 17:26:42 -07:00
# limit shell access to sensitive char drivers to
# only getattr required for host side test.
neverallow shell {
fuse_device
hw_random_device
/dev/port does not seem to be used, adding in rules to confirm. Only init and ueventd have any access to /dev/port, and neither should have any use for it. As it stands, leaving port in just represents additional attack surface with no useful functionality, so it should be removed if possible, not only from Pixel devices, but from all Android devices. Test: The phone boots successfully Bug:33301618 Change-Id: Iedc51590f1ffda02444587d647889ead9bdece3f
2016-12-04 15:11:29 -08:00
port_device
shell: enable hostside test: testAllCharacterDevicesAreSecure Enable shell to have access to /dev for running the world accessable mode test on /dev. This approach adds shell to the list of excluded domains on neverallows around chr_files, but locks down the access for shell to only getattr. It was done this lightly more complicated way to prevent loosening the allow rules so that any domain would have getattr permissions. Change-Id: Idab466fa226ddbf004fcb1bbcaf98c8326605253
2016-03-23 17:26:42 -07:00
}:chr_file ~getattr;
shell: enable hostside test: testAllBlockDevicesAreSecure Enable rules to allow shell to getattr on all block files for checking modes under /dev/block. Exempt shell from any neverallows on blk_file and limit them to only getattr. bug: 28306036 Change-Id: Ic26c0f7acfb238ff78d5d3537d51c1a70c64d196 Signed-off-by: William Roberts <william.c.roberts@intel.com>
2016-04-05 08:19:27 -07:00
# Limit shell to only getattr on blk devices for host side tests.
neverallow shell dev_type:blk_file ~getattr;
shell: remove /dev/input write access Shell access to existing input devices is an abuse vector. The shell user can inject events that look like they originate from the touchscreen etc. Everyone should have already moved to UiAutomation#injectInputEvent if they are running instrumentation tests (i.e. CTS), Monkey for their stress tests, and the input command (adb shell input ...) for injecting swipes and things. Remove the write ability for shell users, and add a neverallow assertion (which is also a CTS test) to prevent regressions. Bug: 30861057 Test: auditallow statement added in f617a404c2d3d43e1146a7237752aa1baab68918 hasn't triggered. Test: ran getevent, saw correct output, played with device Change-Id: Ia78eeec05f6015478dd32bd59505b51fef200a99
2018-08-28 09:12:28 -07:00
# b/30861057: Shell access to existing input devices is an abuse
# vector. The shell user can inject events that look like they
# originate from the touchscreen etc.
# Everyone should have already moved to UiAutomation#injectInputEvent
# if they are running instrumentation tests (i.e. CTS), Monkey for
# their stress tests, and the input command (adb shell input ...) for
# injecting swipes and things.
neverallow shell input_device:chr_file no_w_file_perms;
Reference in New Issue Copy Permalink