# SELinux policy for the shell domain in microdroid (the comments below
# refer to microdroid and to adb/CTS test tooling). Every rule here widens
# what an adb shell can do, so each grant should stay tied to the stated
# reason and be removed when that reason goes away.

# Tag shell with the coredomain attribute.
typeattribute shell coredomain;

# allow shell input injection
# NOTE(review): rw_file_perms on uhid_device gives shell read/write access to
# the uhid character device. Keep this limited to chr_file on this one type.
allow shell uhid_device:chr_file rw_file_perms;

# Perform SELinux access checks, needed for CTS
selinux_check_access(shell)
selinux_check_context(shell)

# Allow shell to run adb shell cmd stats commands. Needed for CTS.
binder_call(shell, statsd);

# Allow shell to launch microdroid_launcher in its own domain
# TODO(b/186396070) remove this when microdroid_manager can do this
# Executing a file labelled microdroid_app_exec / microdroid_manager_exec from
# shell transitions into the matching domain instead of staying in shell.
domain_auto_trans(shell, microdroid_app_exec, microdroid_app)
domain_auto_trans(shell, microdroid_manager_exec, microdroid_manager)

# Connect to adbd and use a socket transferred from it.
# This is used for e.g. adb backup/restore.
allow shell adbd:unix_stream_socket connectto;
allow shell adbd:fd use;
allow shell adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };

# filesystem test for insecure chr_file's is done
# via a host side test
# Only directory reads and getattr are granted on dev_type here; these two
# rules do not grant open, read or write on the device nodes themselves.
allow shell dev_type:dir r_dir_perms;
allow shell dev_type:chr_file getattr;

# filesystem test for insecure blk_file's is done
# via hostside test
# getattr only; these rules give no access to block-device contents.
allow shell dev_type:blk_file getattr;

# Test tool automatically tries to access /sys/class/power_supply.
# Suppressing it as we don't need power_supply in microdroid.
# NOTE(review): dontaudit grants nothing, it only hides the denial from the
# audit log. The rule matches every directory labelled sysfs, not just
# power_supply, so other shell denials on sysfs directories will not be
# logged either. Keep that in mind when debugging or reviewing audit logs.
dontaudit shell sysfs:dir r_dir_perms;

# Test tool tries to read various service status properties.
# get_prop grants read access only.
get_prop(shell, init_service_status_prop)
get_prop(shell, init_service_status_private_prop)

# Allow shell to set properties labelled log_tag_prop.
# NOTE(review): presumably the log.tag.* verbosity properties. Confirm against
# property_contexts and record why shell needs write access.
set_prop(shell, log_tag_prop)