Skip to content
Snippets Groups Projects
Normal view Permalink
shell.te 743 B
Newer Older
  • Learn to ignore specific revisions
    • Alex Klyubin's avatar
    Vendor domains must not use Binder  
    Alex Klyubin committed
    1 2 
    typeattribute shell coredomain;
    Siarhei Vishniakou's avatar
    Allow shell access on /dev/uhid node  
    Siarhei Vishniakou committed
    3 4 5 
    # allow shell input injection
allow shell uhid_device:chr_file rw_file_perms;
    dcashman's avatar
    sepolicy: add version_policy tool and version non-platform policy.
    dcashman committed
    6 7 
    # systrace support - allow atrace to run
allow shell debugfs_tracing:dir r_dir_perms;
    Joel Galenson's avatar
    Move file labeling to genfs_contexts.  
    Joel Galenson committed
    8 
    allow shell debugfs_tracing:file rw_file_perms;
    dcashman's avatar
    sepolicy: add version_policy tool and version non-platform policy.
    dcashman committed
    9 10 11 
    allow shell debugfs_trace_marker:file getattr;
allow shell atrace_exec:file rx_file_perms;
    Yifan Hong's avatar
    Allow adbd and shell to read /proc/config.gz  
    Yifan Hong committed
    12 13 14 
    # read config.gz for CTS purposes
allow shell config_gz:file r_file_perms;
    Carmen Jackson's avatar
    Add selinux rules for additional file contexts in userdebug  
    Carmen Jackson committed
    15 
    userdebug_or_eng(`
    Joel Galenson's avatar
    Properly give some files the debugfs_tracing context only in debug mode.  
    Joel Galenson committed
    16 
      allow shell debugfs_tracing_debug:file rw_file_perms;
    Carmen Jackson's avatar
    Add selinux rules for additional file contexts in userdebug  
    Carmen Jackson committed
    17 18 
    ')
    dcashman's avatar
    Restore app_domain macro and move to private use.  
    dcashman committed
    19 20 21 
    # Run app_process.
# XXX Transition into its own domain?
app_domain(shell)
    Jin Qian's avatar
    storaged: allow shell to call dumpsys storaged  
    Jin Qian committed
    22 23 24 
    
# allow shell to call dumpsys storaged
binder_call(shell, storaged)
    Nick Kralevich's avatar
    Further restrict SELinux API access  
    Nick Kralevich committed
    25 26 27 28 
    
# Perform SELinux access checks, needed for CTS
selinux_check_access(shell)
selinux_check_context(shell)