From 1a703fedc7e01ad383a1839eab74f78148ac1209 Mon Sep 17 00:00:00 2001
From: Max Bires
Date: Wed, 24 Jan 2018 21:17:18 +0000
Subject: [PATCH] Revert "Revert "Ensure only com.android.shell can run in the shell domain.""

This reverts commit bf0c2a59f804af514a4488070453e8c49e095380.

Bug:68126425
Test: No apps affected by not being able to run in shell domain
Change-Id: I8b93eecd023fbb392a98253d721dad75f79b61f4
Merged-In: I8b93eecd023fbb392a98253d721dad75f79b61f4
---
 private/seapp_contexts | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/private/seapp_contexts b/private/seapp_contexts
index 0333d996c..8db46f065 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -91,6 +91,10 @@ neverallow user=((?!_isolated).)* domain=isolated_app
 # uid's can be in shell domain
 neverallow user=shell domain=((?!shell).)*
 
+# only the package named com.android.shell can run in the shell domain
+neverallow domain=shell name=((?!com\.android\.shell).)*
+neverallow user=shell name=((?!com\.android\.shell).)*
+
 # Ephemeral Apps must run in the ephemeral_app domain
 neverallow isEphemeralApp=true domain=((?!ephemeral_app).)*
 
@@ -102,7 +106,7 @@ user=nfc seinfo=platform domain=nfc type=nfc_data_file
 user=secure_element seinfo=platform domain=secure_element levelFrom=all
 user=radio seinfo=platform domain=radio type=radio_data_file
 user=shared_relro domain=shared_relro
-user=shell seinfo=platform domain=shell type=shell_data_file
+user=shell seinfo=platform domain=shell name=com.android.shell type=shell_data_file
 user=_isolated domain=isolated_app levelFrom=user
 user=webview_zygote seinfo=webview_zygote domain=webview_zygote
 user=_app seinfo=media domain=mediaprovider name=android.process.media type=app_data_file levelFrom=user
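Review bot: The two neverallow patterns added in the `@@ -91,6 +91,10 @@` hunk reject names that do not contain `com.android.shell`, not names that differ from it, so a rule naming something like `com.android.shell.foo` in the shell domain would still pass the assertion. This assumes the checker matches the whole value against the pattern, which is not visible in this patch; the existing `domain=((?!shell).)*` line uses the same idiom. If an exact match is intended, a form such as `name=(?!com\.android\.shell$).*` expresses it, though it would need confirming against the checker. The added comment could then say "only the exact name com.android.shell" so the intent is unambiguous.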
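Review bot: The entry changed in the `@@ -102,7 +106,7 @@` hunk now carries `name=com.android.shell`, but nothing next to it documents what happens to any other process that runs as `user=shell`. Judging only from the entries visible in this hunk, such a process no longer matches any line, so it presumably fails labelling instead of falling back to another domain. The Test line says no apps are affected, yet this commit re-applies a change that was reverted once, so the intent is worth recording on the entry itself. A comment such as `# shell domain is pinned to com.android.shell; other names under user=shell get no match by design` would do.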