# Attributes carried by the shell domain.
# NOTE(review): mlstrustedsubject is conventionally the attribute that exempts
# a subject from MLS constraints -- confirm against this tree's attribute and
# MLS definitions, and keep the rules below narrow because of it.
typeattribute shell coredomain, mlstrustedsubject;

# Input injection from the shell: read/write access to the uhid character
# device. Every process running in the shell domain inherits this, so the grant
# is kept to chr_file on uhid_device only.
allow shell uhid_device:chr_file rw_file_perms;

# CTS needs the shell to perform SELinux access and context checks.
selinux_check_access(shell)
selinux_check_context(shell)

# CTS runs "adb shell cmd stats" commands, which need binder calls from shell
# to statsd.
binder_call(shell, statsd)

# Let the shell launch microdroid_launcher in its own domain: these are
# automatic domain transitions keyed on the microdroid_app_exec and
# microdroid_manager_exec types.
# NOTE(review): presumably microdroid_launcher is the binary labelled
# microdroid_app_exec -- verify against file_contexts.
# TODO(b/186396070) remove this when microdroid_manager can do this
domain_auto_trans(shell, microdroid_app_exec, microdroid_app)
domain_auto_trans(shell, microdroid_manager_exec, microdroid_manager)

# Used for e.g. adb backup/restore: connect to adbd's unix stream socket and
# use a file descriptor transferred from adbd.
allow shell adbd:fd use;
allow shell adbd:unix_stream_socket { connectto getattr getopt ioctl read write shutdown };

# The filesystem tests for insecure chr_file and blk_file nodes run host-side.
# They only need to read dev_type directories and getattr the device nodes;
# these two rules grant no open, read or write on the nodes themselves.
allow shell dev_type:dir r_dir_perms;
allow shell dev_type:{ chr_file blk_file } getattr;