Confine shell domain in -user builds only.

Confine the domain for an adb shell in -user builds only.
The shell domain in non-user builds is left permissive.
init_shell (shell spawned by init, e.g.  console service)
remains unconfined by this change.
Introduce a shelldomain attribute for rules common to all shell
domains, assign it to the shell types, and add shelldomain.te for
its rules.

Change-Id: I01ee2c7ef80b61a9db151abe182ef9af7623c461
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

attributes

@@ -50,6 +50,9 @@ attribute mlstrustedobject;
 # Domains that are allowed all permissions ("unconfined").
 attribute unconfineddomain;
 
+# All domains used for shells.
+attribute shelldomain;
+
 # All domains used for apps.
 attribute appdomain;
 

domain.te

@@ -39,11 +39,11 @@ allow domain init:unix_stream_socket connectto;
 # Root fs.
 allow domain rootfs:dir r_dir_perms;
 allow domain rootfs:file r_file_perms;
-allow domain rootfs:lnk_file { read getattr };
+allow domain rootfs:lnk_file r_file_perms;
 
 # Device accesses.
 allow domain device:dir search;
-allow domain dev_type:lnk_file read;
+allow domain dev_type:lnk_file r_file_perms;
 allow domain devpts:dir search;
 allow domain device:file read;
 allow domain socket_device:dir search;
@@ -69,12 +69,12 @@ allow domain fs_type:dir getattr;
 allow domain system_file:dir r_dir_perms;
 allow domain system_file:file r_file_perms;
 allow domain system_file:file execute;
-allow domain system_file:lnk_file read;
+allow domain system_file:lnk_file r_file_perms;
 
 # Read files already opened under /data.
 allow domain system_data_file:dir { search getattr };
 allow domain system_data_file:file { getattr read };
-allow domain system_data_file:lnk_file read;
+allow domain system_data_file:lnk_file r_file_perms;
 
 # Read apk files under /data/app.
 allow domain apk_data_file:dir { getattr search };
@@ -87,7 +87,7 @@ allow domain dalvikcache_data_file:file r_file_perms;
 # Read already opened /cache files.
 allow domain cache_file:dir r_dir_perms;
 allow domain cache_file:file { getattr read };
-allow domain cache_file:lnk_file read;
+allow domain cache_file:lnk_file r_file_perms;
 
 # Read timezone related information
 r_dir_file(domain, zoneinfo_data_file)
@@ -110,6 +110,9 @@ r_dir_file(domain, cgroup)
 allow domain debugfs:dir r_dir_perms;
 allow domain debugfs:file w_file_perms;
 
+# Get SELinux enforcing status.
+selinux_getenforce(domain)
+
 # security files
 allow domain security_file:dir { search getattr };
 allow domain security_file:file getattr;

init_shell.te

 # Restricted domain for shell processes spawned by init
-type init_shell, domain;
+type init_shell, domain, shelldomain;
 domain_auto_trans(init, shell_exec, init_shell)
 unconfined_domain(init_shell)
+
+# inherits from shelldomain.te

shell.te

 # Domain for shell processes spawned by ADB
-type shell, domain;
+type shell, domain, shelldomain, mlstrustedsubject;
 type shell_exec, exec_type, file_type;
-unconfined_domain(shell)
 
 # Run app_process.
-# XXX Split into its own domain?
+# XXX Transition into its own domain?
 app_domain(shell)
 
-# shell is also permissive to permit setenforce.
+# userdebug/eng shell is also permissive to permit setenforce.
 permissive shell;
 
-# ndk-gdb invokes adb shell ps to find the app PID.
-r_dir_file(shell, non_system_app_set)
-
-# ndk-gdb invokes adb shell ls to check the app data dir.
-allow shell app_data_file:dir search;
-
-# ndk-gdb invokes adb shell kill -9 to kill the gdbserver.
-allow shell non_system_app_set:process sigkill;
+# inherits from shelldomain.te

shell_user.te

 # Domain for shell processes spawned by ADB
-type shell, domain;
+type shell, domain, shelldomain, mlstrustedsubject;
 type shell_exec, exec_type, file_type;
-unconfined_domain(shell)
 
 # Run app_process.
-# XXX Split into its own domain?
+# XXX Transition into its own domain?
 app_domain(shell)
 
-# ndk-gdb invokes adb shell ps to find the app PID.
-r_dir_file(shell, non_system_app_set)
-
-# ndk-gdb invokes adb shell ls to check the app data dir.
-allow shell app_data_file:dir search;
+# inherits from shelldomain.te

shelldomain.te

+# Rules for all shell domains (e.g. console service and adb shell).
+
+# Access /data/local/tmp.
+allow shelldomain shell_data_file:dir create_dir_perms;
+allow shelldomain shell_data_file:file create_file_perms;
+allow shelldomain shell_data_file:file rx_file_perms;
+
+# Access sdcard.
+allow shelldomain sdcard_type:dir rw_dir_perms;
+allow shelldomain sdcard_type:file create_file_perms;
+
+# adb bugreport
+unix_socket_connect(shelldomain, dumpstate, dumpstate)
+
+allow shelldomain rootfs:dir r_dir_perms;
+allow shelldomain devpts:chr_file rw_file_perms;
+allow shelldomain tty_device:chr_file rw_file_perms;
+allow shelldomain console_device:chr_file rw_file_perms;
+allow shelldomain input_device:chr_file rw_file_perms;
+allow shelldomain system_file:file x_file_perms;
+allow shelldomain shell_exec:file rx_file_perms;
+allow shelldomain zygote_exec:file rx_file_perms;
+
+r_dir_file(shelldomain, apk_data_file)
+allow shelldomain dalvikcache_data_file:file { write setattr };
+
+# Set properties.
+unix_socket_connect(shelldomain, property, init)
+allow shelldomain shell_prop:property_service set;
+allow shelldomain ctl_dumpstate_prop:property_service set;
+
+# ndk-gdb invokes adb shell ps to find the app PID.
+r_dir_file(shelldomain, non_system_app_set)
+
+# ndk-gdb invokes adb shell ls to check the app data dir.
+allow shelldomain app_data_file:dir search;
+
+# ps and ps -Z output for app processes.
+r_dir_file(shelldomain, appdomain)
+allow shelldomain appdomain:process getattr;