blob: d6c3c0d38d0f0bb97305cc0ba14b819259793a09 [file] [log] [blame]
typeattribute shell coredomain;
# allow shell input injection
allow shell uhid_device:chr_file rw_file_perms;
# Perform SELinux access checks, needed for CTS
selinux_check_access(shell)
selinux_check_context(shell)
# Allow shell to run adb shell cmd stats commands. Needed for CTS.
binder_call(shell, statsd);
# Allow shell to launch microdroid_launcher in its own domain
# TODO(b/186396070) remove this when microdroid_manager can do this
domain_auto_trans(shell, microdroid_app_exec, microdroid_app)
domain_auto_trans(shell, microdroid_manager_exec, microdroid_manager)
# Connect to adbd and use a socket transferred from it.
# This is used for e.g. adb backup/restore.
allow shell adbd:unix_stream_socket connectto;
allow shell adbd:fd use;
allow shell adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
# filesystem test for insecure chr_file's is done
# via a host side test
allow shell dev_type:dir r_dir_perms;
allow shell dev_type:chr_file getattr;
# filesystem test for insucre blk_file's is done
# via hostside test
allow shell dev_type:blk_file getattr;
# Test tool automatically tries to access /sys/class/power_supply.
# Suppressing it as we don't need power_supply in microdroid.
dontaudit shell sysfs:dir r_dir_perms;
# Test tool tries to read various service status properties.
get_prop(shell, boot_status_prop)
get_prop(shell, init_service_status_prop)
get_prop(shell, init_service_status_private_prop)
set_prop(shell, log_tag_prop)