Skip to content
Snippets Groups Projects
Select Git revision
  • b300765095d05ecb40e23b262183dab6756810f0
  • master default protected
  • android-7.1.2_r28_klist
  • pie-cts-release
  • pie-vts-release
  • pie-cts-dev
  • oreo-mr1-iot-release
  • sdk-release
  • oreo-m6-s4-release
  • oreo-m4-s12-release
  • pie-release
  • pie-r2-release
  • pie-r2-s1-release
  • oreo-vts-release
  • oreo-cts-release
  • oreo-dev
  • oreo-mr1-dev
  • pie-gsi
  • pie-platform-release
  • pie-dev
  • oreo-cts-dev
  • android-o-mr1-iot-release-1.0.4
  • android-9.0.0_r8
  • android-9.0.0_r7
  • android-9.0.0_r6
  • android-9.0.0_r5
  • android-8.1.0_r46
  • android-8.1.0_r45
  • android-n-iot-release-smart-display-r2
  • android-vts-8.1_r5
  • android-cts-8.1_r8
  • android-cts-8.0_r12
  • android-cts-7.1_r20
  • android-cts-7.0_r24
  • android-o-mr1-iot-release-1.0.3
  • android-cts-9.0_r1
  • android-8.1.0_r43
  • android-8.1.0_r42
  • android-n-iot-release-smart-display
  • android-p-preview-5
  • android-9.0.0_r3
41 results

init_shell.te

Blame
    • Stephen Smalley's avatar
      b3cb9695
      Clarify init_shell, shell, and su domain usage. · b3cb9695
      Stephen Smalley authored 
      
init_shell domain is now only used for shell commands or scripts
invoked by init*.rc files, never for an interactive shell.  It
was being used for console service for a while but console service
is now assigned shell domain via seclabel in init.rc.  We may want
to reconsider the shelldomain rules for init_shell and whether they
are still appropriate.

shell domain is now used by both adb shell and console service, both
of which also run in the shell UID.

su domain is now used not only for /system/bin/su but also for
adbd and its descendants after an adb root is performed.

Change-Id: I502ab98aafab7dafb8920ccaa25e8fde14a8f572
Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
      b3cb9695
      History
      Clarify init_shell, shell, and su domain usage.
      Stephen Smalley authored 
      
init_shell domain is now only used for shell commands or scripts
invoked by init*.rc files, never for an interactive shell.  It
was being used for console service for a while but console service
is now assigned shell domain via seclabel in init.rc.  We may want
to reconsider the shelldomain rules for init_shell and whether they
are still appropriate.

shell domain is now used by both adb shell and console service, both
of which also run in the shell UID.

su domain is now used not only for /system/bin/su but also for
adbd and its descendants after an adb root is performed.

Change-Id: I502ab98aafab7dafb8920ccaa25e8fde14a8f572
Signed-off-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
    NOTICE 1.00 KiB 
    This configuration (sepolicy) is public domain, i.e. not copyrighted.

Warranty Exclusion
------------------
You agree that this software is a
non-commercially developed program that may contain "bugs" (as that
term is used in the industry) and that it may not function as intended.
The software is licensed "as is". NSA makes no, and hereby expressly
disclaims all, warranties, express, implied, statutory, or otherwise
with respect to the software, including noninfringement and the implied
warranties of merchantability and fitness for a particular purpose.

Limitation of Liability
-----------------------
In no event will NSA be liable for any damages, including loss of data,
lost profits, cost of cover, or other special, incidental,
consequential, direct or indirect damages arising from the software or
the use thereof, however caused and on any theory of liability. This
limitation will apply even if NSA has been advised of the possibility
of such damage. You acknowledge that this is a reasonable allocation of
risk.