commit 66c5beaecc54ee5862327f376d4f6bfa88f2cdab
author Jooyung Han <jooyung@google.com> Tue Feb 20 14:14:37 2024 +0900
committer Jooyung Han <jooyung@google.com> Wed Feb 21 11:13:14 2024 +0900
tree dc262386bf933d052cbf5f7b7a0379bc627ca8a8
parent f9f826fb301ae50fda5879949f4d9cafe4273f1d

Allow shell/toolbox for all domains

Bug: 324142245
Test: m (presubmit)
Change-Id: If408294d31c66241eca938ee2a681e6a9cf37ee2

private/domain.te

diff --git a/private/domain.te b/private/domain.te
index 2f107dd..3454fd1 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -179,6 +179,35 @@
 # Allow all processes to connect to PRNG seeder daemon.
 unix_socket_connect(domain, prng_seeder, prng_seeder)
 
+# Allow calls to system(3), popen(3), ...
+allow {
+  domain
+  # Except domains that explicitly neverallow it.
+  -kernel
+  -init
+  -vendor_init
+  -app_zygote
+  -webview_zygote
+  -system_server
+  -artd
+  -audioserver
+  -cameraserver
+  -mediadrmserver
+  -mediaextractor
+  -mediametrics
+  -mediaserver
+  -mediatuner
+  -mediatranscoding
+  -ueventd
+  -hal_audio_server
+  -hal_camera_server
+  -hal_cas_server
+  -hal_codec2_server
+  -hal_configstore_server
+  -hal_drm_server
+  -hal_omx_server
+} {shell_exec toolbox_exec}:file rx_file_perms;
+
 # No domains other than a select few can access the misc_block_device. This
 # block device is reserved for OTA use.
 # Do not assert this rule on userdebug/eng builds, due to some devices using