diff options
Diffstat (limited to 'shell.te')
| -rw-r--r-- | shell.te | 135 |
1 files changed, 0 insertions, 135 deletions
diff --git a/shell.te b/shell.te deleted file mode 100644 index 8878873..0000000 --- a/shell.te +++ /dev/null @@ -1,135 +0,0 @@ -# Domain for shell processes spawned by ADB or console service. -type shell, domain, mlstrustedsubject; -type shell_exec, exec_type, file_type; - -# Create and use network sockets. -net_domain(shell) - -# Run app_process. -# XXX Transition into its own domain? -app_domain(shell) - -# logcat -read_logd(shell) -control_logd(shell) -# logcat -L (directly, or via dumpstate) -allow shell pstorefs:dir search; -allow shell pstorefs:file r_file_perms; -# logpersistd (nee logcatd) files -userdebug_or_eng(` - allow shell misc_logd_file:dir r_dir_perms; - allow shell misc_logd_file:file r_file_perms; -') - -# Root fs. -allow shell rootfs:dir r_dir_perms; - -# read files in /data/anr -allow shell anr_data_file:dir r_dir_perms; -allow shell anr_data_file:file r_file_perms; - -# Access /data/local/tmp. -allow shell shell_data_file:dir create_dir_perms; -allow shell shell_data_file:file create_file_perms; -allow shell shell_data_file:file rx_file_perms; -allow shell shell_data_file:lnk_file create_file_perms; - -# Read/execute files in /data/nativetest -userdebug_or_eng(` - allow shell nativetest_data_file:dir r_dir_perms; - allow shell nativetest_data_file:file rx_file_perms; -') - -# adb bugreport -unix_socket_connect(shell, dumpstate, dumpstate) - -allow shell devpts:chr_file rw_file_perms; -allow shell tty_device:chr_file rw_file_perms; -allow shell console_device:chr_file rw_file_perms; -allow shell input_device:dir r_dir_perms; -allow shell input_device:chr_file rw_file_perms; -r_dir_file(shell, system_file) -allow shell system_file:file x_file_perms; -allow shell toolbox_exec:file rx_file_perms; -allow shell shell_exec:file rx_file_perms; -allow shell zygote_exec:file rx_file_perms; - -r_dir_file(shell, apk_data_file) - -# Set properties. -set_prop(shell, shell_prop) -set_prop(shell, ctl_bugreport_prop) -set_prop(shell, ctl_dumpstate_prop) -set_prop(shell, dumpstate_prop) -set_prop(shell, debug_prop) -set_prop(shell, powerctl_prop) - -# systrace support - allow atrace to run -allow shell debugfs_tracing:dir r_dir_perms; -allow shell debugfs_tracing:file rw_file_perms; -allow shell debugfs_trace_marker:file getattr; -allow shell atrace_exec:file rx_file_perms; - -userdebug_or_eng(` - # "systrace --boot" support - allow boottrace service to run - allow shell boottrace_data_file:dir rw_dir_perms; - allow shell boottrace_data_file:file create_file_perms; - set_prop(shell, persist_debug_prop) -') - -# allow shell to run dmesg -allow shell kernel:system syslog_read; - -# allow shell access to services -allow shell servicemanager:service_manager list; -# don't allow shell to access GateKeeper service -allow shell { service_manager_type -gatekeeper_service }:service_manager find; - -# allow shell to look through /proc/ for ps, top, netstat -r_dir_file(shell, proc) -r_dir_file(shell, proc_net) -r_dir_file(shell, cgroup) -allow shell domain:dir { search open read getattr }; -allow shell domain:{ file lnk_file } { open read getattr }; - -# statvfs() of /proc and other labeled filesystems -# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs) -allow shell { proc labeledfs }:filesystem getattr; - -# stat() of /dev -allow shell device:dir getattr; - -# allow shell to read /proc/pid/attr/current for ps -Z -allow shell domain:process getattr; - -# Allow pulling the SELinux policy for CTS purposes -allow shell selinuxfs:dir r_dir_perms; -allow shell selinuxfs:file r_file_perms; - -# enable shell domain to read/write files/dirs for bootchart data -# User will creates the start and stop file via adb shell -# and read other files created by init process under /data/bootchart -allow shell bootchart_data_file:dir rw_dir_perms; -allow shell bootchart_data_file:file create_file_perms; - -# Make sure strace works for the non-privileged shell user -allow shell self:process ptrace; - -# allow shell to get battery info -allow shell sysfs_batteryinfo:file r_file_perms; -allow shell sysfs:dir r_dir_perms; - -# Allow access to ion memory allocation device. -allow shell ion_device:chr_file rw_file_perms; - -### -### Neverallow rules -### - -# Do not allow shell to hard link to any files. -# In particular, if shell hard links to app data -# files, installd will not be able to guarantee the deletion -# of the linked to file. Hard links also contribute to security -# bugs, so we want to ensure the shell user never has this -# capability. -neverallow shell file_type:file link; |