path: root/shell.te
Commit log (each entry: subject, then author, date, files changed, lines -removed/+added)
* neverallow shell file_type:file link (Nick Kralevich, 2015-04-16, 1 file, -0/+8)
  Change-Id: I77ce4331d70edebcecc753b2e67ffab1de3ae98e
* SELinux permissions for gatekeeper TEE proxy (Andres Morales, 2015-04-06, 1 file, -1/+2)
  sets up:
  - execute permissions
  - binder permission (system_server->gatekeeper->keystore)
  - prevents dumpstate and shell from finding GK binder service
  - neverallow rules for prohibited clients
  Change-Id: I1817933a91de625db469a20c7a4c8e2ca46efa1e
* Consistent external storage policy. (Jeff Sharkey, 2015-04-02, 1 file, -3/+0)
  Apps, shell and adbd should all have identical access to external storage. Also document where we have files and/or symlinks.
  Bug: 20055945
  Change-Id: I133ffcf28cc3ccdb0541aba18ea3b9ba676eddbe
* Fix small copy/paste bug in recent shell rule. (Jeff Sharkey, 2015-03-30, 1 file, -1/+1)
  Change-Id: Ia279dfd11cc093e066bff66d7397dfe9e906aba8
* Shell needs to read /storage/self/primary symlink. (Jeff Sharkey, 2015-03-30, 1 file, -0/+3)
  avc: denied { read } for name="primary" dev="tmpfs" ino=3134 scontext=u:r:shell:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file
  Change-Id: Id0ed2297a89054199fc73f27b18f717ae19c6778
* Allow shell to read /proc/pid/attr/current for ps -Z. (Stephen Smalley, 2015-03-16, 1 file, -0/+3)
  Needed since Iff1e601e1268d4d77f64788d733789a2d2cd18cc removed it from appdomain.
  Change-Id: I9fc08b525b9868f0fb703b99b0c0c17ca8b656f9
  Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
* Record observed system_server servicemanager service requests. (dcashman, 2015-03-03, 1 file, -0/+1)
  Also formally allow dumpstate access to all services and grant system_server access to address the following non-system_server_service entries:
  avc: granted { find } for service=drm.drmManager scontext=u:r:system_server:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager
  avc: granted { find } for service=nfc scontext=u:r:system_server:s0 tcontext=u:object_r:nfc_service:s0 tclass=service_manager
  Bug: 18106000
  Change-Id: Iad16b36acf44bce52c4824f8b53c0e7731c25602
* bootchart: add policy rules for bootchart (Yongqin Liu, 2015-02-24, 1 file, -0/+6)
  allow the bootchart to create dir and files at init, also allow user to create the stop and start file under /data/bootchart directory to start and stop bootchart
  Change-Id: Icfee8dcd17366383eef00fbe3139744bf4427a6b
  Signed-off-by: Yongqin Liu <yongqin.liu@linaro.org>
* Allow shell to find all services. (dcashman, 2015-01-23, 1 file, -4/+2)
  dumpsys from shell results in many denials:
  11-08 02:52:13.087 171 171 E SELinux : avc: denied { find } for service=SurfaceFlinger scontext=u:r:shell:s0 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
  11-08 02:52:13.089 171 171 E SELinux : avc: denied { find } for service=android.security.keystore scontext=u:r:shell:s0 tcontext=u:object_r:keystore_service:s0 tclass=service_manager
  11-08 02:52:13.093 171 171 E SELinux : avc: denied { find } for service=batteryproperties scontext=u:r:shell:s0 tcontext=u:object_r:healthd_service:s0 tclass=service_manager
  11-08 02:52:13.103 171 171 E SELinux : avc: denied { find } for service=display.qservice scontext=u:r:shell:s0 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
  11-08 02:52:13.104 171 171 E SELinux : avc: denied { find } for service=drm.drmManager scontext=u:r:shell:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager
  11-08 02:52:13.113 171 171 E SELinux : avc: denied { find } for service=media.audio_flinger scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
  11-08 02:52:13.113 171 171 E SELinux : avc: denied { find } for service=media.audio_policy scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
  11-08 02:52:13.113 171 171 E SELinux : avc: denied { find } for service=media.camera scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
  11-08 02:52:13.114 171 171 E SELinux : avc: denied { find } for service=media.player scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
  11-08 02:52:13.114 171 171 E SELinux : avc: denied { find } for service=media.sound_trigger_hw scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
  11-08 02:52:13.118 171 171 E SELinux : avc: denied { find } for service=nfc scontext=u:r:shell:s0 tcontext=u:object_r:nfc_service:s0 tclass=service_manager
  11-08 02:52:13.130 171 171 E SELinux : avc: denied { find } for service=SurfaceFlinger scontext=u:r:shell:s0 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
  11-08 02:52:13.379 171 171 E SELinux : avc: denied { find } for service=android.security.keystore scontext=u:r:shell:s0 tcontext=u:object_r:keystore_service:s0 tclass=service_manager
  11-08 02:52:13.388 171 171 E SELinux : avc: denied { find } for service=batteryproperties scontext=u:r:shell:s0 tcontext=u:object_r:healthd_service:s0 tclass=service_manager
  11-08 02:52:13.574 171 171 E SELinux : avc: denied { find } for service=display.qservice scontext=u:r:shell:s0 tcontext=u:object_r:surfaceflinger_service:s0 tclass=service_manager
  11-08 02:52:13.576 171 171 E SELinux : avc: denied { find } for service=drm.drmManager scontext=u:r:shell:s0 tcontext=u:object_r:drmserver_service:s0 tclass=service_manager
  11-08 02:52:13.712 171 171 E SELinux : avc: denied { find } for service=media.audio_flinger scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
  11-08 02:52:13.712 171 171 E SELinux : avc: denied { find } for service=media.audio_policy scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
  11-08 02:52:13.713 171 171 E SELinux : avc: denied { find } for service=media.camera scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
  11-08 02:52:13.713 171 171 E SELinux : avc: denied { find } for service=media.player scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
  11-08 02:52:13.713 171 171 E SELinux : avc: denied { find } for service=media.sound_trigger_hw scontext=u:r:shell:s0 tcontext=u:object_r:mediaserver_service:s0 tclass=service_manager
  Bug: 18799966
  Change-Id: Id2bf69230338ac9dd45dc5d70f419fa41056e4fc
* Allow shell to read /proc. (dcashman, 2015-01-16, 1 file, -0/+4)
  Grant shell read access to /proc taken away by commit: 0d3f7ddc70572382edec58841b3d6262abf49f49
  Addresses the following denials encountered when running ps or top.
  Bug: 18799966
  Change-Id: If764adeade562d884c3d710f1cd1cb34011efe89
* Make system_server_service an attribute. (dcashman, 2015-01-14, 1 file, -0/+1)
  Temporarily give every system_server_service its own domain in preparation for splitting it and identifying special services or classes of services.
  Change-Id: I81ffbdbf5eea05e0146fd7fd245f01639b1ae0ef
* selinux: add pstore (Mark Salyzyn, 2015-01-14, 1 file, -1/+4)
  Used to record the Android log messages, then on reboot provide a means to triage user-space activities leading up to a panic. A companion to the pstore console logs.
  Change-Id: I9b94ee3d5e94e0c4590ba8453b4ac1ebdfc7603f
* Allow dumpstate and shell to list services. (dcashman, 2014-12-30, 1 file, -0/+3)
  Addresses the following denials:
  avc: denied { list } for service=NULL scontext=u:r:shell:s0 tcontext=u:r:servicemanager:s0 tclass=service_manager
  avc: denied { list } for service=NULL scontext=u:r:dumpstate:s0 tcontext=u:r:servicemanager:s0 tclass=service_manager
  Bug: 18864737
  Change-Id: I72bd2cd9663f1df9410c2139411038fa997bf1b4
* Allow shell domain to use system_server_service. (dcashman, 2014-12-22, 1 file, -0/+2)
  Shell domain needs to be able to access system_server_services, e.g. when running the pm command. Addresses the following denials:
  10-07 00:59:26.901 178 178 E SELinux : avc: denied { find } for service=user scontext=u:r:shell:s0 tcontext=u:object_r:system_server_service:s0 tclass=service_manager
  10-07 00:59:26.903 178 178 E SELinux : avc: denied { find } for service=package scontext=u:r:shell:s0 tcontext=u:object_r:system_server_service:s0 tclass=service_manager
  Change-Id: I4cc2f31809a2615ba781e2ecfe2ca7d6f5226b73
* add permissions for adb shell to create symlinks in /data/local/tmp (Brian Carlstrom, 2014-12-10, 1 file, -0/+1)
  Bug: 18485243
  Change-Id: Ic17baa0767ee1f1a27a3338558b86482ca92765e
* Eliminate some duplicated rules. (Stephen Smalley, 2014-06-17, 1 file, -1/+0)
  As reported by sepolicy-analyze -D -P /path/to/sepolicy. No semantic difference reported by sediff between the policy before and after this change.
  Deduplication of selinuxfs read access resolved by taking the common rules to domain.te (and thereby getting rid of the selinux_getenforce macro altogether).
  Change-Id: I4de2f86fe2efe11a167e8a7d25dd799cefe482e5
  Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
* Allow shell to read/search /dev/input directory. (Stephen Smalley, 2014-06-12, 1 file, -0/+1)
  Resolves denials such as:
  avc: denied { read } for pid=16758 comm="getevent" name="input" dev="tmpfs" ino=6018 scontext=u:r:shell:s0 tcontext=u:object_r:input_device:s0 tclass=dir
  Change-Id: I709bd20a03a5271382b191393d55a34b0b8e4e0c
  Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
* Refactor the shell domains. (Stephen Smalley, 2014-06-11, 1 file, -2/+36)
  Originally we used the shell domain for ADB shell only and the init_shell domain for the console service, both transitioned via automatic domain transitions on sh. So they originally shared a common set of rules.
  Then init_shell started to be used for sh commands invoked by init.<board>.rc files, and we switched the console service to just use the shell domain via seclabel entry in init.rc. Even most of the sh command instances in init.<board>.rc files have been converted to use explicit seclabel options with more specific domains (one lingering use is touch_fw_update service in init.grouper.rc).
  The primary purpose of init_shell at this point is just to shed certain permissions from the init domain when init invokes a shell command. And init_shell and shell are quite different in their permission requirements since the former is used now for uid-0 processes spawned by init whereas the latter is used for uid-shell processes spawned by adb or init.
  Given these differences, drop the shelldomain attribute and take those rules directly into shell.te. init_shell was an unconfined_domain(), so it loses nothing from this change. Also switch init_shell to permissive_or_unconfined() so that we can see its actual denials in the future in userdebug/eng builds.
  Change-Id: I6e7e45724d1aa3a6bcce8df676857bc8eef568f0
  Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
* Allow adbd / shell /data/anr access (Nick Kralevich, 2014-06-05, 1 file, -0/+4)
  The shell user needs to be able to run commands like "cat /data/anr/traces.txt". Allow it.
  We also need to be able to pull the file via adb. "adb pull /data/anr/traces.txt". Allow it.
  Addresses the following denials:
  <4>[ 20.212398] type=1400 audit(1402000262.433:11): avc: denied { getattr } for pid=1479 comm="adbd" path="/data/anr/traces.txt" dev="mmcblk0p28" ino=325763 scontext=u:r:adbd:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file
  <4>[ 20.252182] type=1400 audit(1402000262.473:12): avc: denied { read } for pid=1479 comm="adbd" name="traces.txt" dev="mmcblk0p28" ino=325763 scontext=u:r:adbd:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file
  <4>[ 20.252579] type=1400 audit(1402000262.473:13): avc: denied { open } for pid=1479 comm="adbd" name="traces.txt" dev="mmcblk0p28" ino=325763 scontext=u:r:adbd:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file
  <4>[ 27.104068] type=1400 audit(1402000268.479:14): avc: denied { read } for pid=2377 comm="sh" name="traces.txt" dev="mmcblk0p28" ino=325763 scontext=u:r:shell:s0 tcontext=u:object_r:anr_data_file:s0 tclass=file
  Bug: 15450720
  Change-Id: I767102a7182895112838559b0ade1cd7c14459ab
* shell: access to clear logs (Mark Salyzyn, 2014-03-17, 1 file, -0/+4)
  Bug: 13464830
  Change-Id: Ib0a627e6d5c0114d269bb3bf8dc29a945768081d
* Clarify init_shell, shell, and su domain usage. (Stephen Smalley, 2014-02-21, 1 file, -1/+1)
  init_shell domain is now only used for shell commands or scripts invoked by init*.rc files, never for an interactive shell. It was being used for console service for a while but console service is now assigned shell domain via seclabel in init.rc. We may want to reconsider the shelldomain rules for init_shell and whether they are still appropriate.
  shell domain is now used by both adb shell and console service, both of which also run in the shell UID.
  su domain is now used not only for /system/bin/su but also for adbd and its descendants after an adb root is performed.
  Change-Id: I502ab98aafab7dafb8920ccaa25e8fde14a8f572
  Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
* Move shell into enforcing for everyone. (Nick Kralevich, 2014-01-24, 1 file, -5/+0)
  Change-Id: Id1eb5f7524181aaa17d0ce26219167a5b05cfd4f
* Create new conditional userdebug_or_eng (Nick Kralevich, 2014-01-09, 1 file, -2/+4)
  Create a new m4 macro called userdebug_or_eng. Arguments passed to this macro are only emitted if we're performing a userdebug or eng build.
  Merge shell.te and shell_user.te and eliminate duplicate lines. Same for su.te and su_user.te
  Change-Id: I8fbabca65ec392aeafd5b90cef57b5066033fad0
* Remove ping domain. (Stephen Smalley, 2014-01-07, 1 file, -0/+3)
  ping in Android no longer requires any additional privileges beyond the caller. Drop the ping domain and executable file type entirely.
  Also add net_domain() to shell domain so that it can create and use network sockets.
  Change-Id: If51734abe572aecf8f510f1a55782159222e5a67
  Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
* Confine shell domain in -user builds only. (Stephen Smalley, 2013-12-18, 1 file, -12/+4)
  Confine the domain for an adb shell in -user builds only. The shell domain in non-user builds is left permissive. init_shell (shell spawned by init, e.g. console service) remains unconfined by this change.
  Introduce a shelldomain attribute for rules common to all shell domains, assign it to the shell types, and add shelldomain.te for its rules.
  Change-Id: I01ee2c7ef80b61a9db151abe182ef9af7623c461
  Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
* Support run-as and ndk-gdb functionality. (Stephen Smalley, 2013-12-09, 1 file, -0/+9)
  Confine run-as (but leave permissive for now) and add other allow rules required for the use of run-as and ndk-gdb functionality.
  Change-Id: Ifae38233c091cd34013e98830d72aac4c4adcae0
  Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
* Restrict the ability to set SELinux enforcing mode to init. (Stephen Smalley, 2013-12-02, 1 file, -0/+3)
  Also make su and shell permissive in non-user builds to allow use of setenforce without violating the neverallow rule.
  Change-Id: Ie76ee04e90d5a76dfaa5f56e9e3eb7e283328a3f
  Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
* Make sure exec_type is assigned to all entrypoint types. (Stephen Smalley, 2013-09-27, 1 file, -1/+1)
  Some file types used as domain entrypoints were missing the exec_type attribute. Add it and add a neverallow rule to keep it that way.
  Change-Id: I7563f3e03940a27ae40ed4d6bb74181c26148849
  Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
* Make all domains unconfined. (repo sync, 2013-05-20, 1 file, -28/+2)
  This prevents denials from being generated by the base policy. Over time, these rules will be incrementally tightened to improve security.
  Change-Id: I4be1c987a5d69ac784a56d42fc2c9063c402de11
* SELinux policy that separates "init_shell" from "shell". (Alex Klyubin, 2013-05-06, 1 file, -1/+1)
  "init_shell" is used for shell processes spawned by init.
  Change-Id: I9e35d485bac91f3d0e4f3704acdbb9af7d617173
* Allow all domains to read the log devices. (Stephen Smalley, 2013-04-05, 1 file, -3/+0)
  Read access to /dev/log/* is no longer restricted. Filtering on reads is performed per-uid by the kernel logger driver.
  Change-Id: Ia986cbe66b84f3898e858c60f12c7f3d63ac47cf
  Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
* Revert "Revert "Various minor policy fixes based on CTS."" (Geremy Condra, 2013-03-27, 1 file, -1/+2)
  This reverts commit ba84bf1dec64d745b6efc516799b2c722a672cd9
  Hidden dependency resolved.
  Change-Id: I9f0844f643abfda8405db2c722a36c847882c392
* Revert "Various minor policy fixes based on CTS." (Geremy Condra, 2013-03-22, 1 file, -2/+1)
  This reverts commit 8a814a7604afd20f12c9ff3dcdae7d10e9b75f84
  Change-Id: Id1497cc42d07ee7ff2ca44ae4042fc9f2efc9aad
* Various minor policy fixes based on CTS. (Stephen Smalley, 2013-03-22, 1 file, -1/+2)
  Change-Id: I5a3584b6cc5eda2b7d82e85452f9fe457877f1d1
  Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
* Split internal and external sdcards (William Roberts, 2013-03-22, 1 file, -2/+2)
  Two new types are introduced:
  sdcard_internal
  sdcard_external
  The existing type of sdcard is dropped and a new attribute sdcard_type is introduced.
  The boolean app_sdcard_rw has also been changed to allow for controlling untrusted_app domain to use the internal and external sdcards.
  Change-Id: Ic7252a8e1703a43cb496413809d01cc6cacba8f5
* Drop shell from having access to dmesg (William Roberts, 2013-03-19, 1 file, -6/+0)
  In normal, user builds, shell doesn't have the required DAC permissions to access the kernel log.
  Change-Id: I001e6d65f508e07671bdb71ca2c0e1d53bc5b970
* Add policy for run-as program. (Stephen Smalley, 2012-11-27, 1 file, -1/+1)
  Add policy for run-as program and label it in file_contexts.
  Drop MLS constraints on local socket checks other than create/relabel as this interferes with connections with services, in particular for adb forward.
  Change-Id: Ib0c4abeb7cbef559e150a620c45a7c31e0531114
  Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
* Allow shell to connect to property service (William Roberts, 2012-11-27, 1 file, -1/+1)
  Change-Id: I06ea2b400cc826c684b6ad25e12b021c2667b48a
* Add policy for property service. (Stephen Smalley, 2012-04-04, 1 file, -0/+9)
  New property_contexts file for property selabel backend.
  New property.te file with property type declarations.
  New property_service security class and set permission.
  Allow rules for setting properties.
* Allow the shell to create files on the sdcard. (Stephen Smalley, 2012-03-08, 1 file, -1/+1)
* Drop redundant rules. (Stephen Smalley, 2012-03-07, 1 file, -2/+0)
* Policy changes to support running the latest CTS. (Stephen Smalley, 2012-03-07, 1 file, -3/+4)
* Allow reading of properties area, which is now created before init has switched contexts. (Stephen Smalley, 2012-01-12, 1 file, -0/+4)
  Revisit this later - we should explicitly label the properties file.
* SE Android policy. (Stephen Smalley, 2012-01-04, 1 file, -0/+30)