| Inseob Kim | e138997 | 2021-07-19 07:48:34 +0000 | [diff] [blame^] | 1 | typeattribute shell coredomain, mlstrustedsubject; |
| 2 | |
| 3 | # allow shell input injection |
| 4 | allow shell uhid_device:chr_file rw_file_perms; |
| 5 | |
| 6 | # Perform SELinux access checks, needed for CTS |
| 7 | selinux_check_access(shell) |
| 8 | selinux_check_context(shell) |
| 9 | |
| 10 | # Allow shell to run adb shell cmd stats commands. Needed for CTS. |
| 11 | binder_call(shell, statsd); |
| 12 | |
| 13 | # Allow shell to launch microdroid_launcher in its own domain |
| 14 | # TODO(b/186396070) remove this when microdroid_manager can do this |
| 15 | domain_auto_trans(shell, microdroid_app_exec, microdroid_app) |
| 16 | domain_auto_trans(shell, microdroid_manager_exec, microdroid_manager) |
| 17 | |
| 18 | # Connect to adbd and use a socket transferred from it. |
| 19 | # This is used for e.g. adb backup/restore. |
| 20 | allow shell adbd:unix_stream_socket connectto; |
| 21 | allow shell adbd:fd use; |
| 22 | allow shell adbd:unix_stream_socket { getattr getopt ioctl read write shutdown }; |
| 23 | |
| 24 | # filesystem test for insecure chr_file's is done |
| 25 | # via a host side test |
| 26 | allow shell dev_type:dir r_dir_perms; |
| 27 | allow shell dev_type:chr_file getattr; |
| 28 | |
| 29 | # filesystem test for insucre blk_file's is done |
| 30 | # via hostside test |
| 31 | allow shell dev_type:blk_file getattr; |