Merge "Clarify init_shell, shell, and su domain usage."
diff --git a/init_shell.te b/init_shell.te
index 8ff5c48..e1ca03a 100644
--- a/init_shell.te
+++ b/init_shell.te
@@ -1,4 +1,6 @@
-# Restricted domain for shell processes spawned by init
+# Restricted domain for shell processes spawned by init.
+# Normally these are shell commands or scripts invoked via sh
+# from an init*.rc file.  No service should ever run in this domain.
 type init_shell, domain, shelldomain;
 domain_auto_trans(init, shell_exec, init_shell)
 unconfined_domain(init_shell)
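Review bot: The new header still describes init_shell as a "Restricted domain" while the unchanged context line `unconfined_domain(init_shell)` grants it the unconfined allow set, so a reader of the comment alone would infer a tighter sandbox than the policy provides. The restriction is in how the domain is entered (only init via shell_exec, per `domain_auto_trans(init, shell_exec, init_shell)`), not in what the domain may do once entered. Suggest making that explicit, e.g. `# Note: this domain is currently unconfined; "restricted" refers to entry (only init, via shell_exec), not to the permissions granted.`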
diff --git a/shell.te b/shell.te
index ad30802..b5f0377 100644
--- a/shell.te
+++ b/shell.te
@@ -1,4 +1,4 @@
-# Domain for shell processes spawned by ADB
+# Domain for shell processes spawned by ADB or console service.
 type shell, domain, shelldomain, mlstrustedsubject;
 type shell_exec, exec_type, file_type;
 
diff --git a/su.te b/su.te
index 1317fb2..5ba5776 100644
--- a/su.te
+++ b/su.te
@@ -2,6 +2,9 @@
 type su_exec, exec_type, file_type;
 
 userdebug_or_eng(`
+  # Domain used for su processes, as well as for adbd and adb shell
+  # after performing an adb root command.  The domain definition is
+  # wrapped to ensure that it does not exist at all on -user builds.
   type su, domain;
   domain_auto_trans(shell, su_exec, su)