diff options
| -rw-r--r-- | app.te | 2 | ||||
| -rw-r--r-- | attributes | 3 | ||||
| -rw-r--r-- | domain.te | 2 | ||||
| -rw-r--r-- | init_shell.te | 6 | ||||
| -rw-r--r-- | shell.te | 38 | ||||
| -rw-r--r-- | shelldomain.te | 37 |
6 files changed, 40 insertions, 48 deletions
@@ -316,7 +316,7 @@ neverallow { appdomain -unconfineddomain } # Access to syslog(2) or /proc/kmsg. neverallow { appdomain -system_app } kernel:system { syslog_mod syslog_console }; -neverallow { appdomain -system_app -shelldomain } +neverallow { appdomain -system_app -shell } kernel:system syslog_read; # Ability to perform any filesystem operation other than statfs(2). @@ -50,9 +50,6 @@ attribute mlstrustedobject; # Domains that are allowed all permissions ("unconfined"). attribute unconfineddomain; -# All domains used for shells. -attribute shelldomain; - # All domains used for apps. attribute appdomain; @@ -248,7 +248,7 @@ neverallow { domain -appdomain -dumpstate - -shelldomain + -shell userdebug_or_eng(`-su') -system_server -zygote diff --git a/init_shell.te b/init_shell.te index e1ca03a..d2e4d74 100644 --- a/init_shell.te +++ b/init_shell.te @@ -1,8 +1,6 @@ # Restricted domain for shell processes spawned by init. # Normally these are shell commands or scripts invoked via sh # from an init*.rc file. No service should ever run in this domain. -type init_shell, domain, shelldomain; +type init_shell, domain; domain_auto_trans(init, shell_exec, init_shell) -unconfined_domain(init_shell) - -# inherits from shelldomain.te +permissive_or_unconfined(init_shell) @@ -1,5 +1,5 @@ # Domain for shell processes spawned by ADB or console service. -type shell, domain, shelldomain, mlstrustedsubject; +type shell, domain, mlstrustedsubject; type shell_exec, exec_type, file_type; # Create and use network sockets. @@ -17,4 +17,38 @@ control_logd(shell) allow shell anr_data_file:dir r_dir_perms; allow shell anr_data_file:file r_file_perms; -# inherits from shelldomain.te +# Access /data/local/tmp. +allow shell shell_data_file:dir create_dir_perms; +allow shell shell_data_file:file create_file_perms; +allow shell shell_data_file:file rx_file_perms; + +# adb bugreport +unix_socket_connect(shell, dumpstate, dumpstate) + +allow shell rootfs:dir r_dir_perms; +allow shell devpts:chr_file rw_file_perms; +allow shell tty_device:chr_file rw_file_perms; +allow shell console_device:chr_file rw_file_perms; +allow shell input_device:chr_file rw_file_perms; +allow shell system_file:file x_file_perms; +allow shell shell_exec:file rx_file_perms; +allow shell zygote_exec:file rx_file_perms; + +r_dir_file(shell, apk_data_file) + +# Set properties. +unix_socket_connect(shell, property, init) +allow shell shell_prop:property_service set; +allow shell ctl_dumpstate_prop:property_service set; +allow shell debug_prop:property_service set; +allow shell powerctl_prop:property_service set; + +# systrace support - allow atrace to run +# debugfs doesn't support labeling individual files, so we have +# to grant read access to all of /sys/kernel/debug. +# Directory read access and file write access is already granted +# in domain.te. +allow shell debugfs:file r_file_perms; + +# allow shell to run dmesg +allow shell kernel:system syslog_read; diff --git a/shelldomain.te b/shelldomain.te deleted file mode 100644 index 3dd0941..0000000 --- a/shelldomain.te +++ /dev/null @@ -1,37 +0,0 @@ -# Rules for all shell domains (e.g. console service and adb shell). - -# Access /data/local/tmp. -allow shelldomain shell_data_file:dir create_dir_perms; -allow shelldomain shell_data_file:file create_file_perms; -allow shelldomain shell_data_file:file rx_file_perms; - -# adb bugreport -unix_socket_connect(shelldomain, dumpstate, dumpstate) - -allow shelldomain rootfs:dir r_dir_perms; -allow shelldomain devpts:chr_file rw_file_perms; -allow shelldomain tty_device:chr_file rw_file_perms; -allow shelldomain console_device:chr_file rw_file_perms; -allow shelldomain input_device:chr_file rw_file_perms; -allow shelldomain system_file:file x_file_perms; -allow shelldomain shell_exec:file rx_file_perms; -allow shelldomain zygote_exec:file rx_file_perms; - -r_dir_file(shelldomain, apk_data_file) - -# Set properties. -unix_socket_connect(shelldomain, property, init) -allow shelldomain shell_prop:property_service set; -allow shelldomain ctl_dumpstate_prop:property_service set; -allow shelldomain debug_prop:property_service set; -allow shelldomain powerctl_prop:property_service set; - -# systrace support - allow atrace to run -# debugfs doesn't support labeling individual files, so we have -# to grant read access to all of /sys/kernel/debug. -# Directory read access and file write access is already granted -# in domain.te. -allow shelldomain debugfs:file r_file_perms; - -# allow shell to run dmesg -allow shelldomain kernel:system syslog_read; |