microdroid/system/private/shell.te

typeattribute shell coredomain;

# Root fs.
allow shell rootfs:dir r_dir_perms;

# Access /data/local/tmp.
allow shell shell_data_file:dir create_dir_perms;
allow shell shell_data_file:file create_file_perms;
allow shell shell_data_file:file rx_file_perms;
allow shell shell_data_file:lnk_file create_file_perms;

allow shell devpts:chr_file rw_file_perms;
allow shell tty_device:chr_file rw_file_perms;
allow shell console_device:chr_file rw_file_perms;

r_dir_file(shell, system_file)
allow shell system_file:file x_file_perms;
allow shell toolbox_exec:file rx_file_perms;
allow shell shell_exec:file rx_file_perms;

# allow shell to look through /proc/ for lsmod, ps, top, netstat, vmstat.
r_dir_file(shell, proc_net_type)

allow shell {
  proc_asound
  proc_filesystems
  proc_interrupts
  proc_loadavg # b/124024827
  proc_meminfo
  proc_modules
  proc_pid_max
  proc_slabinfo
  proc_stat
  proc_timer
  proc_uptime
  proc_version
  proc_vmstat
  proc_zoneinfo
}:file r_file_perms;

# allow listing network interfaces under /sys/class/net.
allow shell sysfs_net:dir r_dir_perms;

r_dir_file(shell, cgroup)
allow shell cgroup_desc_file:file r_file_perms;
allow shell cgroup_desc_api_file:file r_file_perms;
r_dir_file(shell, cgroup_v2)
allow shell domain:dir { search open read getattr };
allow shell domain:{ file lnk_file } { open read getattr };

# statvfs() of /proc and other labeled filesystems
# (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs, overlay)
allow shell { proc labeledfs }:filesystem getattr;

# stat() of /dev
allow shell device:dir getattr;

# allow shell to read /proc/pid/attr/current for ps -Z
allow shell domain:process getattr;

# Allow pulling the SELinux policy for CTS purposes
allow shell selinuxfs:dir r_dir_perms;
allow shell selinuxfs:file r_file_perms;

# /dev/fd is a symlink
allow shell proc:lnk_file getattr;

# read selinux policy files
allow shell file_contexts_file:file r_file_perms;
allow shell property_contexts_file:file r_file_perms;
allow shell service_contexts_file:file r_file_perms;
allow shell sepolicy_file:file r_file_perms;

# Perform SELinux access checks, needed for CTS
selinux_check_access(shell)
selinux_check_context(shell)

# Allow shell to run adb shell cmd stats commands. Needed for CTS.
binder_call(shell, statsd);

# Connect to adbd and use a socket transferred from it.
# This is used for e.g. adb backup/restore.
allow shell adbd:unix_stream_socket connectto;
allow shell adbd:fd use;
allow shell adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };

# filesystem test for insecure chr_file's is done
# via a host side test
allow shell dev_type:dir r_dir_perms;
allow shell dev_type:chr_file getattr;

# filesystem test for insucre blk_file's is done
# via hostside test
allow shell dev_type:blk_file getattr;

# Test tool automatically tries to access /sys/class/power_supply.
# Suppressing it as we don't need power_supply in microdroid.
dontaudit shell sysfs:dir r_dir_perms;

# Test tool tries to read various service status properties.
get_prop(shell, boot_status_prop)
get_prop(shell, init_service_status_prop)
get_prop(shell, init_service_status_private_prop)

set_prop(shell, log_tag_prop)