Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 13d5886363675915e5115ccc0a95ca5d7776730b / . / shelldomain.te
blob: 3dd0941f4bd580ba1f059bf0656d756ddb57b3bf [file] [log] [blame]
Stephen Smalley712ca0a2013-10-23 13:25:53 -0400[diff] [blame]1# Rules for all shell domains (e.g. console service and adb shell).
2
3# Access /data/local/tmp.
4allow shelldomain shell_data_file:dir create_dir_perms;
5allow shelldomain shell_data_file:file create_file_perms;
6allow shelldomain shell_data_file:file rx_file_perms;
7
Stephen Smalley712ca0a2013-10-23 13:25:53 -0400[diff] [blame]8# adb bugreport
9unix_socket_connect(shelldomain, dumpstate, dumpstate)
10
11allow shelldomain rootfs:dir r_dir_perms;
12allow shelldomain devpts:chr_file rw_file_perms;
13allow shelldomain tty_device:chr_file rw_file_perms;
14allow shelldomain console_device:chr_file rw_file_perms;
15allow shelldomain input_device:chr_file rw_file_perms;
16allow shelldomain system_file:file x_file_perms;
17allow shelldomain shell_exec:file rx_file_perms;
18allow shelldomain zygote_exec:file rx_file_perms;
19
20r_dir_file(shelldomain, apk_data_file)
Stephen Smalley712ca0a2013-10-23 13:25:53 -0400[diff] [blame]21
22# Set properties.
23unix_socket_connect(shelldomain, property, init)
24allow shelldomain shell_prop:property_service set;
25allow shelldomain ctl_dumpstate_prop:property_service set;
Nick Kralevich20a791a2013-12-19 21:55:12 -0800[diff] [blame]26allow shelldomain debug_prop:property_service set;
27allow shelldomain powerctl_prop:property_service set;
Nick Kralevich0e06c132014-04-30 11:35:02 -0700[diff] [blame]28
29# systrace support - allow atrace to run
30# debugfs doesn't support labeling individual files, so we have
31# to grant read access to all of /sys/kernel/debug.
32# Directory read access and file write access is already granted
33# in domain.te.
34allow shelldomain debugfs:file r_file_perms;
Nick Kralevichf821b5a2014-05-27 16:49:59 -0700[diff] [blame]35
36# allow shell to run dmesg
37allow shelldomain kernel:system syslog_read;