From 646202704d869055784ab8561535e85f9d29734e Mon Sep 17 00:00:00 2001
From: William Roberts <william.c.roberts@linux.intel.com>
Date: Wed, 13 May 2015 17:06:37 -0700
Subject: [PATCH] neverallow transitions to shell

Only a few daemons need to transition to the shell domain. Prevent
misuse and over-privileging of the shell domain.

Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>
(cherry picked from commit d1fa4d3d92c88bde9ecd118c178d0297d0f30f9b)

Bug: 21924438
Change-Id: I013143cc5ab1e95bf3f7388ce51619e0e3b18425
---
 domain.te | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/domain.te b/domain.te
index 3775c95da..93314571f 100644
--- a/domain.te
+++ b/domain.te
@@ -443,3 +443,16 @@ neverallow {
 # do not grant anything greater than r_file_perms and relabelfrom unlink
 # to installd
 neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink };
+
+#
+# Only these domains should transition to shell domain. This domain is
+# permissible for the "shell user". If you need a process to exec a shell
+# script with differing privilege, define a domain and set up a transition.
+#
+neverallow {
+  domain
+  -adbd
+  -init
+  -runas
+  -zygote
+} shell:process { transition dyntransition };
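Review bot: The exemption list in the new `neverallow` is shared by both `transition` and `dyntransition`, so each exempted domain (adbd, init, runas, zygote) can still be granted either permission on `shell`, even if it only ever uses one of the two mechanisms. Splitting the assertion into two rules would keep each exception as narrow as the domain's actual need, e.g. `neverallow { domain -<EXEC_TRANSITION_DOMAINS> } shell:process transition;` and `neverallow { domain -<SETCON_DOMAINS> } shell:process dyntransition;`. These are placeholders: which domain belongs in which list has to be read from the existing allow rules, which are not visible in this hunk. The comment above the rule would also be easier to audit if it gave a one-line reason for each exempted domain. The rule constrains only the source side of the transition; it does not limit which file types may serve as an `entrypoint` into `shell`, which may deserve its own assertion.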
-- 
GitLab