| author | Stephen Smalley <sds@tycho.nsa.gov> | 2014-06-11 07:10:09 -0400 |
|---|---|---|
| committer | Stephen Smalley <sds@tycho.nsa.gov> | 2014-06-11 07:31:34 -0400 |
| commit | 42fb824ca9f3e46b4419f05083f2694ac67a8229 (patch) | |
| tree | 20240b28d2930833ff54ced771e0cdd389075b64 /shell.te | |
| parent | 13d5886363675915e5115ccc0a95ca5d7776730b (diff) | |
| download | android_external_sepolicy-42fb824ca9f3e46b4419f05083f2694ac67a8229.tar.gz android_external_sepolicy-42fb824ca9f3e46b4419f05083f2694ac67a8229.tar.bz2 android_external_sepolicy-42fb824ca9f3e46b4419f05083f2694ac67a8229.zip | |
Refactor the shell domains.
Originally we used the shell domain for ADB shell only and
the init_shell domain for the console service, both transitioned
via automatic domain transitions on sh. So they originally
shared a common set of rules. Then init_shell started to be used
for sh commands invoked by init.<board>.rc files, and we switched
the console service to just use the shell domain via seclabel entry
in init.rc. Even most of the sh command instances in init.<board>.rc
files have been converted to use explicit seclabel options with
more specific domains (one lingering use is touch_fw_update service
in init.grouper.rc). The primary purpose of init_shell at this point
is just to shed certain permissions from the init domain when init invokes
a shell command. And init_shell and shell are quite different in
their permission requirements since the former is used now for
uid-0 processes spawned by init whereas the latter is used for
uid-shell processes spawned by adb or init.
Given these differences, drop the shelldomain attribute and take those
rules directly into shell.te. init_shell was an unconfined_domain(),
so it loses nothing from this change. Also switch init_shell to
permissive_or_unconfined() so that we can see its actual denials
in the future in userdebug/eng builds.
Change-Id: I6e7e45724d1aa3a6bcce8df676857bc8eef568f0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
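The second paragraph of the commit message drops the shelldomain attribute from shell and inlines its rules into shell.te. The thing to verify after a refactor like that is that no other file in the policy tree still names the attribute, either in an allow/neverallow rule (which would now silently match no domain) or as an undeclared identifier (which would fail to compile). The following scanner is an added example written for this page, not code from the AOSP sepolicy project; the *.te fragments it reads are constructed inline (stale.te and its two rules are hypothetical), and it handles only simple single-identifier allow/neverallow/auditallow/dontaudit statements, skipping brace sets.

```python
"""Added example, not code from the AOSP sepolicy project: after an attribute
such as shelldomain is dropped from the type it used to decorate, scan the
policy sources for rules that still name it.  The *.te fragments below are
constructed for illustration (stale.te and its rules are hypothetical)."""
import re
from typing import Dict, List, Set, Tuple

# Constructed policy fragments standing in for the tree after the refactor.
# shelldomain is still declared in "attributes" but no type carries it.
POLICY_FILES: Dict[str, str] = {
    "attributes": (
        "attribute domain;\nattribute shelldomain;\nattribute mlstrustedsubject;\n"
        "attribute file_type;\nattribute exec_type;\nattribute data_file_type;\n"
    ),
    "file.te": "type rootfs, file_type;\ntype shell_data_file, file_type, data_file_type;\n",
    "kernel.te": "type kernel, domain;\n",
    "init_shell.te": "type init_shell, domain;\n",
    "shell.te": (
        "# Domain for shell processes spawned by ADB or console service.\n"
        "type shell, domain, mlstrustedsubject;\n"
        "type shell_exec, exec_type, file_type;\n"
        "allow shell shell_data_file:dir create_dir_perms;\n"
        "allow shell rootfs:dir r_dir_perms;\n"
    ),
    # Hypothetical leftovers that a refactor like this one must also remove.
    "stale.te": (
        "allow shelldomain rootfs:dir r_dir_perms;\n"
        "allow adb_shell kernel:system syslog_read;\n"
    ),
}

ATTR_RE = re.compile(r"^attribute\s+(\w+)\s*;")
TYPE_RE = re.compile(r"^type\s+(\w+)\s*(?:,\s*([\w\s,]+?))?\s*;")
TYPEATTR_RE = re.compile(r"^typeattribute\s+(\w+)\s+([\w\s,]+?)\s*;")
# Only simple "rule src tgt:class perms;" statements; brace sets are skipped.
RULE_RE = re.compile(r"^(allow|neverallow|auditallow|dontaudit)\s+(\S+)\s+(\S+):")


def _statements(text: str):
    """Yield statements with '#' comments removed and blank lines dropped."""
    for line in text.splitlines():
        stmt = line.split("#", 1)[0].strip()
        if stmt:
            yield stmt


def parse_policy(files: Dict[str, str]) -> Tuple[Set[str], Set[str], Dict[str, Set[str]]]:
    """Collect declared attributes, declared types and attribute membership."""
    attributes: Set[str] = set()
    types: Set[str] = set()
    members: Dict[str, Set[str]] = {}  # attribute -> types that carry it
    for text in files.values():
        for stmt in _statements(text):
            if m := ATTR_RE.match(stmt):
                attributes.add(m.group(1))
                members.setdefault(m.group(1), set())
            elif m := TYPE_RE.match(stmt):
                types.add(m.group(1))
                for attr in (m.group(2) or "").split(","):
                    if attr.strip():
                        members.setdefault(attr.strip(), set()).add(m.group(1))
            elif m := TYPEATTR_RE.match(stmt):
                for attr in m.group(2).split(","):
                    members.setdefault(attr.strip(), set()).add(m.group(1))
    return attributes, types, members


def find_dangling_references(files: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Report (file, kind, identifier, statement) for every access-vector rule
    whose source or target is an attribute with no member types, or an
    identifier declared as neither a type nor an attribute."""
    attributes, types, members = parse_policy(files)
    findings: List[Tuple[str, str, str, str]] = []
    for name, text in files.items():
        for stmt in _statements(text):
            m = RULE_RE.match(stmt)
            if not m:
                continue
            for ident in (m.group(2), m.group(3)):
                if ident == "self" or ident.startswith(("{", "-", "~")):
                    continue
                if ident in attributes and not members[ident]:
                    findings.append((name, "empty-attribute", ident, stmt))
                elif ident not in attributes and ident not in types:
                    findings.append((name, "undeclared", ident, stmt))
    return findings


if __name__ == "__main__":
    for fname, kind, ident, stmt in find_dangling_references(POLICY_FILES):
        print(f"{fname}: {kind} '{ident}' in: {stmt}")
```

Run against a real tree you would feed it the contents of every *.te file plus the attributes file; an "empty-attribute" hit is the dangerous case, because checkpolicy accepts a rule on a memberless attribute and the rule simply grants (or, for neverallow, constrains) nothing.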
Diffstat (limited to 'shell.te')
-rw-r--r-- | shell.te | 38 |
1 files changed, 36 insertions, 2 deletions
@@ -1,5 +1,5 @@ # Domain for shell processes spawned by ADB or console service. -type shell, domain, shelldomain, mlstrustedsubject; +type shell, domain, mlstrustedsubject; type shell_exec, exec_type, file_type; # Create and use network sockets. @@ -17,4 +17,38 @@ control_logd(shell) allow shell anr_data_file:dir r_dir_perms; allow shell anr_data_file:file r_file_perms; -# inherits from shelldomain.te +# Access /data/local/tmp. +allow shell shell_data_file:dir create_dir_perms; +allow shell shell_data_file:file create_file_perms; +allow shell shell_data_file:file rx_file_perms; + +# adb bugreport +unix_socket_connect(shell, dumpstate, dumpstate) + +allow shell rootfs:dir r_dir_perms; +allow shell devpts:chr_file rw_file_perms; +allow shell tty_device:chr_file rw_file_perms; +allow shell console_device:chr_file rw_file_perms; +allow shell input_device:chr_file rw_file_perms; +allow shell system_file:file x_file_perms; +allow shell shell_exec:file rx_file_perms; +allow shell zygote_exec:file rx_file_perms; + +r_dir_file(shell, apk_data_file) + +# Set properties. +unix_socket_connect(shell, property, init) +allow shell shell_prop:property_service set; +allow shell ctl_dumpstate_prop:property_service set; +allow shell debug_prop:property_service set; +allow shell powerctl_prop:property_service set; + +# systrace support - allow atrace to run +# debugfs doesn't support labeling individual files, so we have +# to grant read access to all of /sys/kernel/debug. +# Directory read access and file write access is already granted +# in domain.te. +allow shell debugfs:file r_file_perms; + +# allow shell to run dmesg +allow shell kernel:system syslog_read; |
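Review bot: with shelldomain removed from the `type shell, domain, shelldomain, mlstrustedsubject;` declaration in the first hunk, shell is no longer a member of that attribute, so any rule elsewhere in the policy written against shelldomain (including neverallow rules) stops applying to shell, and if shelldomain.te is deleted outright any remaining reference to the attribute fails to compile. The diffstat shown here is limited to shell.te, so the rest of the change is not visible; please confirm that shelldomain.te and every reference to the attribute are removed in the same commit and that init_shell.te picks up whatever it still needs now that the shared rules live only in shell.te.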
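Review bot: in the second hunk several of the newly inlined grants carry no comment while their neighbours do, and since shell.te is now the only place these rules live, a one-line purpose comment would help on the more consequential ones, for example `allow shell input_device:chr_file rw_file_perms;` (read and write access to input devices, i.e. the ability to inject input events) and `allow shell powerctl_prop:property_service set;` (setting the power-control property), in the same way the hunk already annotates `# adb bugreport` and `# allow shell to run dmesg`. Minor style point: the two consecutive `allow shell shell_data_file:file ...` rules (create_file_perms and rx_file_perms) could be folded into a single rule, which also makes it explicit in one place that shell may both write and execute files under /data/local/tmp.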