Allow apps to execute the shell or system commands unconditionally.

Change-Id: I54af993bd478d6b8d0462d43950bb1a991131c82 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Allow apps to execute the shell or system commands unconditionally.
62508bf4 · Stephen Smalley · repo sync · 0141ccd0 · 62508bf4 · 62508bf4
Commit 62508bf4 authored 12 years ago by Stephen Smalley Committed by repo sync 12 years ago
--- a/app.te
+++ b/app.te
@@ -138,6 +138,10 @@ allow appdomain platform_app_data_file:file { getattr read write };
 allow appdomain system_data_file:dir r_dir_perms;
 allow appdomain system_data_file:file { execute open };

+# Execute the shell or other system executables.
+allow appdomain shell_exec:file rx_file_perms;
+allow appdomain system_file:file rx_file_perms;
+
 # Read/write wallpaper file (opened by system).
 allow appdomain wallpaper_file:file { read write };


--- a/cts.te
+++ b/cts.te
@@ -23,6 +23,10 @@ allow appdomain file_type:dir_file_class_set getattr;
 allow appdomain dev_type:dir_file_class_set getattr;
 allow appdomain fs_type:dir_file_class_set getattr;

+# Accesses to apk_tmp_file and shell_data_file
+allow appdomain apk_tmp_file:file rw_file_perms;
+allow appdomain shell_data_file:file r_file_perms;
+
 # Read permission over link file to devices.
 allow appdomain dev_type:lnk_file read;