| typeattribute shell coredomain; |
| |
| # allow shell input injection |
| allow shell uhid_device:chr_file rw_file_perms; |
| |
| # Perform SELinux access checks, needed for CTS |
| selinux_check_access(shell) |
| selinux_check_context(shell) |
| |
| # Allow shell to run adb shell cmd stats commands. Needed for CTS. |
| binder_call(shell, statsd); |
| |
| # Allow shell to launch microdroid_launcher in its own domain |
| # TODO(b/186396070) remove this when microdroid_manager can do this |
| domain_auto_trans(shell, microdroid_app_exec, microdroid_app) |
| domain_auto_trans(shell, microdroid_manager_exec, microdroid_manager) |
| |
| # Connect to adbd and use a socket transferred from it. |
| # This is used for e.g. adb backup/restore. |
| allow shell adbd:unix_stream_socket connectto; |
| allow shell adbd:fd use; |
| allow shell adbd:unix_stream_socket { getattr getopt ioctl read write shutdown }; |
| |
| # filesystem test for insecure chr_file's is done |
| # via a host side test |
| allow shell dev_type:dir r_dir_perms; |
| allow shell dev_type:chr_file getattr; |
| |
| # filesystem test for insucre blk_file's is done |
| # via hostside test |
| allow shell dev_type:blk_file getattr; |
| |
| # Test tool automatically tries to access /sys/class/power_supply. |
| # Suppressing it as we don't need power_supply in microdroid. |
| dontaudit shell sysfs:dir r_dir_perms; |
| |
| # Test tool tries to read various service status properties. |
| get_prop(shell, boot_status_prop) |
| get_prop(shell, init_service_status_prop) |
| get_prop(shell, init_service_status_private_prop) |
| |
| set_prop(shell, log_tag_prop) |