Allow shell to create shell_[test_]_data_file sockets.
This makes it easier to write some tests without requiring root for
creating a temporary socket.
Test: m
Test: atest perfetto_integrationtests with https://r.android.com/1575345
passed with this CL
failed without with
avc: denied { create } for name="traced_consumer"
scontext=u:r:shell:s0 tcontext=u:object_r:shell_data_file:s0
tclass=sock_file permissive=0
Change-Id: I281778259a55973cda9d6e7af6dea5637591502cdiff --git a/public/domain.te b/public/domain.te
index 62e9ea1..aaac8f0 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -480,6 +480,7 @@
neverallow { domain -shell -init -adbd } shell_test_data_file:dir no_w_dir_perms;
neverallow { domain -shell -init -adbd -heapprofd } shell_test_data_file:file *;
neverallow heapprofd shell_test_data_file:file { no_w_file_perms no_x_file_perms };
+neverallow { domain -shell -init -adbd } shell_test_data_file:sock_file *;
# Only the init property service should write to /data/property and /dev/__properties__
neverallow { domain -init } property_data_file:dir no_w_dir_perms;
diff --git a/public/shell.te b/public/shell.te
index 1e73e49..c8aa9e9 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -30,6 +30,7 @@
allow shell shell_test_data_file:file create_file_perms;
allow shell shell_test_data_file:file rx_file_perms;
allow shell shell_test_data_file:lnk_file create_file_perms;
+allow shell shell_test_data_file:sock_file create_file_perms;
# Read and delete from /data/local/traces.
allow shell trace_data_file:file { r_file_perms unlink };