diff options
-rw-r--r-- | attributes | 3 | ||||
-rw-r--r-- | domain.te | 13 | ||||
-rw-r--r-- | init_shell.te | 4 | ||||
-rw-r--r-- | shell.te | 16 | ||||
-rw-r--r-- | shell_user.te | 11 | ||||
-rw-r--r-- | shelldomain.te | 40 |
6 files changed, 61 insertions, 26 deletions
@@ -50,6 +50,9 @@ attribute mlstrustedobject; # Domains that are allowed all permissions ("unconfined"). attribute unconfineddomain; +# All domains used for shells. +attribute shelldomain; + # All domains used for apps. attribute appdomain; @@ -39,11 +39,11 @@ allow domain init:unix_stream_socket connectto; # Root fs. allow domain rootfs:dir r_dir_perms; allow domain rootfs:file r_file_perms; -allow domain rootfs:lnk_file { read getattr }; +allow domain rootfs:lnk_file r_file_perms; # Device accesses. allow domain device:dir search; -allow domain dev_type:lnk_file read; +allow domain dev_type:lnk_file r_file_perms; allow domain devpts:dir search; allow domain device:file read; allow domain socket_device:dir search; @@ -69,12 +69,12 @@ allow domain fs_type:dir getattr; allow domain system_file:dir r_dir_perms; allow domain system_file:file r_file_perms; allow domain system_file:file execute; -allow domain system_file:lnk_file read; +allow domain system_file:lnk_file r_file_perms; # Read files already opened under /data. allow domain system_data_file:dir { search getattr }; allow domain system_data_file:file { getattr read }; -allow domain system_data_file:lnk_file read; +allow domain system_data_file:lnk_file r_file_perms; # Read apk files under /data/app. allow domain apk_data_file:dir { getattr search }; @@ -87,7 +87,7 @@ allow domain dalvikcache_data_file:file r_file_perms; # Read already opened /cache files. allow domain cache_file:dir r_dir_perms; allow domain cache_file:file { getattr read }; -allow domain cache_file:lnk_file read; +allow domain cache_file:lnk_file r_file_perms; # Read timezone related information r_dir_file(domain, zoneinfo_data_file) @@ -110,6 +110,9 @@ r_dir_file(domain, cgroup) allow domain debugfs:dir r_dir_perms; allow domain debugfs:file w_file_perms; +# Get SELinux enforcing status. +selinux_getenforce(domain) + # security files allow domain security_file:dir { search getattr }; allow domain security_file:file getattr; diff --git a/init_shell.te b/init_shell.te index 696a6dc..8ff5c48 100644 --- a/init_shell.te +++ b/init_shell.te @@ -1,4 +1,6 @@ # Restricted domain for shell processes spawned by init -type init_shell, domain; +type init_shell, domain, shelldomain; domain_auto_trans(init, shell_exec, init_shell) unconfined_domain(init_shell) + +# inherits from shelldomain.te @@ -1,20 +1,12 @@ # Domain for shell processes spawned by ADB -type shell, domain; +type shell, domain, shelldomain, mlstrustedsubject; type shell_exec, exec_type, file_type; -unconfined_domain(shell) # Run app_process. -# XXX Split into its own domain? +# XXX Transition into its own domain? app_domain(shell) -# shell is also permissive to permit setenforce. +# userdebug/eng shell is also permissive to permit setenforce. permissive shell; -# ndk-gdb invokes adb shell ps to find the app PID. -r_dir_file(shell, non_system_app_set) - -# ndk-gdb invokes adb shell ls to check the app data dir. -allow shell app_data_file:dir search; - -# ndk-gdb invokes adb shell kill -9 to kill the gdbserver. -allow shell non_system_app_set:process sigkill; +# inherits from shelldomain.te diff --git a/shell_user.te b/shell_user.te index 1eccbd6..27a5cd0 100644 --- a/shell_user.te +++ b/shell_user.te @@ -1,14 +1,9 @@ # Domain for shell processes spawned by ADB -type shell, domain; +type shell, domain, shelldomain, mlstrustedsubject; type shell_exec, exec_type, file_type; -unconfined_domain(shell) # Run app_process. -# XXX Split into its own domain? +# XXX Transition into its own domain? app_domain(shell) -# ndk-gdb invokes adb shell ps to find the app PID. -r_dir_file(shell, non_system_app_set) - -# ndk-gdb invokes adb shell ls to check the app data dir. -allow shell app_data_file:dir search; +# inherits from shelldomain.te diff --git a/shelldomain.te b/shelldomain.te new file mode 100644 index 0000000..408e9da --- /dev/null +++ b/shelldomain.te @@ -0,0 +1,40 @@ +# Rules for all shell domains (e.g. console service and adb shell). + +# Access /data/local/tmp. +allow shelldomain shell_data_file:dir create_dir_perms; +allow shelldomain shell_data_file:file create_file_perms; +allow shelldomain shell_data_file:file rx_file_perms; + +# Access sdcard. +allow shelldomain sdcard_type:dir rw_dir_perms; +allow shelldomain sdcard_type:file create_file_perms; + +# adb bugreport +unix_socket_connect(shelldomain, dumpstate, dumpstate) + +allow shelldomain rootfs:dir r_dir_perms; +allow shelldomain devpts:chr_file rw_file_perms; +allow shelldomain tty_device:chr_file rw_file_perms; +allow shelldomain console_device:chr_file rw_file_perms; +allow shelldomain input_device:chr_file rw_file_perms; +allow shelldomain system_file:file x_file_perms; +allow shelldomain shell_exec:file rx_file_perms; +allow shelldomain zygote_exec:file rx_file_perms; + +r_dir_file(shelldomain, apk_data_file) +allow shelldomain dalvikcache_data_file:file { write setattr }; + +# Set properties. +unix_socket_connect(shelldomain, property, init) +allow shelldomain shell_prop:property_service set; +allow shelldomain ctl_dumpstate_prop:property_service set; + +# ndk-gdb invokes adb shell ps to find the app PID. +r_dir_file(shelldomain, non_system_app_set) + +# ndk-gdb invokes adb shell ls to check the app data dir. +allow shelldomain app_data_file:dir search; + +# ps and ps -Z output for app processes. +r_dir_file(shelldomain, appdomain) +allow shelldomain appdomain:process getattr; |