# Attach the coredomain and mlstrustedsubject attributes to the shell domain.
# NOTE(review): mlstrustedsubject normally exempts the subject from MLS
# constraints; the constraint definitions are not shown here, so confirm the
# exemption is still required for this domain.
typeattribute shell coredomain, mlstrustedsubject;
| 2 | |
# Allow shell to inject input events: read/write access (rw_file_perms) to
# character devices labelled uhid_device.
# NOTE(review): any process running in the shell domain can then act as an
# input device; presumably needed by test tooling -- confirm it is still used.
allow shell uhid_device:chr_file rw_file_perms;
| 5 | |
# Perform SELinux access checks, needed for CTS.
# Both macros are defined outside this file; they are invoked here with shell
# as the only argument.
selinux_check_access(shell)
selinux_check_context(shell)
| 9 | |
# Allow shell to run "adb shell cmd stats" commands. Needed for CTS.
# Grants shell the binder call path into the statsd domain.
binder_call(shell, statsd);
| 12 | |
# Allow shell to launch microdroid_launcher in its own domain.
# Executing a file labelled microdroid_app_exec or microdroid_manager_exec from
# shell transitions automatically into microdroid_app or microdroid_manager
# respectively, so the launched process does not keep running as shell.
# TODO(b/186396070) remove this when microdroid_manager can do this
domain_auto_trans(shell, microdroid_app_exec, microdroid_app)
domain_auto_trans(shell, microdroid_manager_exec, microdroid_manager)
| 17 | |
# Connect to adbd and use a socket transferred from it.
# This is used for e.g. adb backup/restore.
# Three grants: connect to adbd's unix stream socket, use file descriptors
# passed from adbd, and operate on the stream socket (no create/bind/listen).
allow shell adbd:unix_stream_socket connectto;
allow shell adbd:fd use;
allow shell adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
| 23 | |
# The filesystem test for insecure character device nodes is run as a
# host-side test, so shell must be able to walk device directories and stat
# the nodes. Only directory reads and getattr are granted; opening, reading
# or writing the character devices is not allowed by these rules.
allow shell dev_type:dir r_dir_perms;
allow shell dev_type:chr_file getattr;
| 28 | |
# The filesystem test for insecure block device nodes is run as a host-side
# test. Only getattr (stat) is granted on block devices; no open/read/write.
allow shell dev_type:blk_file getattr;
Inseob Kim | 7687600 | 2021-08-05 02:05:16 +0000 | [diff] [blame] | 32 | |
# Test tool automatically tries to access /sys/class/power_supply.
# Suppressing it as we don't need power_supply in microdroid.
# The access stays denied; dontaudit only stops the denial from being logged.
# NOTE(review): the rule matches every directory labelled with the generic
# sysfs type, not just power_supply, so unrelated r_dir_perms denials on sysfs
# directories are silenced as well -- keep this in mind when reading audit logs.
dontaudit shell sysfs:dir r_dir_perms;
Inseob Kim | 5ee61a7 | 2021-09-17 19:31:45 +0900 | [diff] [blame] | 36 | |
# Test tool tries to read various service status properties.
# Read-only access to properties labelled init_service_status_prop and
# init_service_status_private_prop; no set_prop is granted for them here.
get_prop(shell, init_service_status_prop)
get_prop(shell, init_service_status_private_prop)
| 40 | |
# Allow shell to set properties labelled log_tag_prop.
# NOTE(review): presumably the per-tag log level properties -- confirm against
# the property_contexts mapping, which is not shown here. This is the only
# property write granted to shell in this part of the file.
set_prop(shell, log_tag_prop)