Allow "adb shell tradeinmode" on user builds.
We initially wanted "adb shell tradeinmode" to work on userdebug/eng for
CI testing. But, we need xTS tests as well. These run in a special
ro.debuggable user build, so we need to adjust our sepolicy.
As a result of this change, the trade-in mode binary now checks
ro.debuggable to forbid unintended use. That CL is ag/30497218.
Bug: 379970773
Test: adb shell tradeinmode on cf-user
Change-Id: If23f4dc02be32a3aa9db2cf1848b499bfc3f71d6
diff --git a/private/shell.te b/private/shell.te
index 70f296e..0609f94 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -42,10 +42,8 @@
domain_auto_trans(shell, vendor_shell_exec, vendor_shell)
-# Allow shell to execute tradeinmode on userdebug builds, for testing.
-userdebug_or_eng(`
- domain_auto_trans(shell, tradeinmode_exec, tradeinmode)
-')
+# Allow shell to execute tradeinmode for testing.
+domain_auto_trans(shell, tradeinmode_exec, tradeinmode)
# Allow shell binaries to exec the perfetto cmdline util and have that
# transition into its own domain, so that it behaves consistently to
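Review bot: The new comment above `domain_auto_trans(shell, tradeinmode_exec, tradeinmode)` says only "for testing", but with the `userdebug_or_eng` wrapper removed the transition is granted on every build. The only remaining gate is the ro.debuggable check that the commit message places in the binary, in a separate CL. I would record that in the policy, e.g. `# Permitted on all builds so xTS can run on ro.debuggable user builds; the tradeinmode binary rejects shell invocations when ro.debuggable is unset.` The same applies to the `# Allow running from normal shell.` comment in private/tradeinmode.te. Because the restriction is now enforced in userspace rather than by policy, a negative test (the command refused on a non-debuggable user build) alongside the cf-user run would keep the gate from regressing silently.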
diff --git a/private/tradeinmode.te b/private/tradeinmode.te
index 821faf4..febe35f 100644
--- a/private/tradeinmode.te
+++ b/private/tradeinmode.te
@@ -6,11 +6,9 @@
allow tradeinmode adbd_tradeinmode:fd use;
allow tradeinmode adbd_tradeinmode:unix_stream_socket { read write ioctl };
-# Allow running from normal shell on userdebug/eng.
-userdebug_or_eng(`
- allow tradeinmode { adbd shell }:fd use;
- allow tradeinmode adbd:unix_stream_socket { read write ioctl };
-')
+# Allow running from normal shell.
+allow tradeinmode { adbd shell }:fd use;
+allow tradeinmode adbd:unix_stream_socket { read write ioctl };
allow tradeinmode devpts:chr_file rw_file_perms;
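Review bot: With `allow tradeinmode { adbd shell }:fd use;` and the adbd socket rule now unconditional, every other grant to the tradeinmode domain becomes reachable from an adb shell on user builds if the binary's ro.debuggable check ever fails to stop execution. The hunk starts at line 6 and the rest of the file is not visible here, so it is worth confirming that the remaining allow rules were not written on the assumption that only adbd_tradeinmode enters this domain on user builds. A header comment such as `# Enterable from shell on all builds; keep grants in this domain minimal.` would make that constraint visible to later editors.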