Merge "Revert "Revert "Ensure only com.android.shell can run in the shell domain."""

01624c82 · Treehugger Robot · Gerrit Code Review · daeea37e · 1a703fed · 01624c82
Commit 01624c82 authored 7 years ago by Treehugger Robot Committed by Gerrit Code Review 7 years ago
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -91,6 +91,10 @@ neverallow user=((?!_isolated).)* domain=isolated_app
 # uid's can be in shell domain
 neverallow user=shell domain=((?!shell).)*
+# only the package named com.android.shell can run in the shell domain
+neverallow domain=shell name=((?!com\.android\.shell).)*
+neverallow user=shell name=((?!com\.android\.shell).)*
 # Ephemeral Apps must run in the ephemeral_app domain
 neverallow isEphemeralApp=true domain=((?!ephemeral_app).)*
@@ -102,7 +106,7 @@ user=nfc seinfo=platform domain=nfc type=nfc_data_file
 user=secure_element seinfo=platform domain=secure_element levelFrom=all
 user=radio seinfo=platform domain=radio type=radio_data_file
 user=shared_relro domain=shared_relro
-user=shell seinfo=platform domain=shell type=shell_data_file
+user=shell seinfo=platform domain=shell name=com.android.shell type=shell_data_file
 user=_isolated domain=isolated_app levelFrom=user
 user=webview_zygote seinfo=webview_zygote domain=webview_zygote
 user=_app seinfo=media domain=mediaprovider name=android.process.media type=app_data_file levelFrom=user