Move microdroid sepolicy to system/sepolicy
Bug: 190511750
Test: boot microdroid
Change-Id: I4aa4a56e9be5103d70469c3508110a973f3e4f12
diff --git a/microdroid/system/private/shell.te b/microdroid/system/private/shell.te
new file mode 100644
index 0000000..fc51ad8
--- /dev/null
+++ b/microdroid/system/private/shell.te
@@ -0,0 +1,31 @@
+typeattribute shell coredomain, mlstrustedsubject;
+
+# allow shell input injection
+allow shell uhid_device:chr_file rw_file_perms;
+
+# Perform SELinux access checks, needed for CTS
+selinux_check_access(shell)
+selinux_check_context(shell)
+
+# Allow shell to run adb shell cmd stats commands. Needed for CTS.
+binder_call(shell, statsd);
+
+# Allow shell to launch microdroid_launcher in its own domain
+# TODO(b/186396070) remove this when microdroid_manager can do this
+domain_auto_trans(shell, microdroid_app_exec, microdroid_app)
+domain_auto_trans(shell, microdroid_manager_exec, microdroid_manager)
+
+# Connect to adbd and use a socket transferred from it.
+# This is used for e.g. adb backup/restore.
+allow shell adbd:unix_stream_socket connectto;
+allow shell adbd:fd use;
+allow shell adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
+
+# filesystem test for insecure chr_file's is done
+# via a host side test
+allow shell dev_type:dir r_dir_perms;
+allow shell dev_type:chr_file getattr;
+
+# filesystem test for insucre blk_file's is done
+# via hostside test
+allow shell dev_type:blk_file getattr;