2014-02-21 10:45:29 -08:00
|
|
|
# Domain for shell processes spawned by ADB or console service.
|
2014-06-11 04:10:09 -07:00
|
|
|
type shell, domain, mlstrustedsubject;
|
2013-09-27 07:38:14 -07:00
|
|
|
type shell_exec, exec_type, file_type;
|
2012-01-04 09:33:27 -08:00
|
|
|
|
2014-01-07 09:47:10 -08:00
|
|
|
# Create and use network sockets.
|
|
|
|
net_domain(shell)
|
|
|
|
|
2012-01-04 09:33:27 -08:00
|
|
|
# Run app_process.
|
2013-10-23 10:25:53 -07:00
|
|
|
# XXX Transition into its own domain?
|
2012-01-04 09:33:27 -08:00
|
|
|
app_domain(shell)
|
2013-12-02 11:18:11 -08:00
|
|
|
|
2014-03-17 13:00:38 -07:00
|
|
|
# logd access
|
|
|
|
read_logd(shell)
|
|
|
|
control_logd(shell)
|
|
|
|
|
2014-06-05 13:27:44 -07:00
|
|
|
# read files in /data/anr
|
|
|
|
allow shell anr_data_file:dir r_dir_perms;
|
|
|
|
allow shell anr_data_file:file r_file_perms;
|
|
|
|
|
2014-06-11 04:10:09 -07:00
|
|
|
# Access /data/local/tmp.
|
|
|
|
allow shell shell_data_file:dir create_dir_perms;
|
|
|
|
allow shell shell_data_file:file create_file_perms;
|
|
|
|
allow shell shell_data_file:file rx_file_perms;
|
2014-12-09 23:49:31 -08:00
|
|
|
allow shell shell_data_file:lnk_file create_file_perms;
|
2014-06-11 04:10:09 -07:00
|
|
|
|
|
|
|
# adb bugreport
|
|
|
|
unix_socket_connect(shell, dumpstate, dumpstate)
|
|
|
|
|
|
|
|
allow shell devpts:chr_file rw_file_perms;
|
|
|
|
allow shell tty_device:chr_file rw_file_perms;
|
|
|
|
allow shell console_device:chr_file rw_file_perms;
|
2014-06-11 09:09:15 -07:00
|
|
|
allow shell input_device:dir r_dir_perms;
|
2014-06-11 04:10:09 -07:00
|
|
|
allow shell input_device:chr_file rw_file_perms;
|
|
|
|
allow shell system_file:file x_file_perms;
|
|
|
|
allow shell shell_exec:file rx_file_perms;
|
|
|
|
allow shell zygote_exec:file rx_file_perms;
|
|
|
|
|
|
|
|
r_dir_file(shell, apk_data_file)
|
|
|
|
|
|
|
|
# Set properties.
|
|
|
|
unix_socket_connect(shell, property, init)
|
|
|
|
allow shell shell_prop:property_service set;
|
|
|
|
allow shell ctl_dumpstate_prop:property_service set;
|
|
|
|
allow shell debug_prop:property_service set;
|
|
|
|
allow shell powerctl_prop:property_service set;
|
|
|
|
|
2014-12-22 15:22:16 -08:00
|
|
|
allow shell system_server_service:service_manager find;
|
|
|
|
|
2014-06-11 04:10:09 -07:00
|
|
|
# systrace support - allow atrace to run
|
|
|
|
# debugfs doesn't support labeling individual files, so we have
|
|
|
|
# to grant read access to all of /sys/kernel/debug.
|
|
|
|
# Directory read access and file write access is already granted
|
|
|
|
# in domain.te.
|
|
|
|
allow shell debugfs:file r_file_perms;
|
|
|
|
|
|
|
|
# allow shell to run dmesg
|
|
|
|
allow shell kernel:system syslog_read;
|