From b3cb9695c43d3b1353a10d35dd025ad7b9700365 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Fri, 21 Feb 2014 13:45:29 -0500
Subject: [PATCH] Clarify init_shell, shell, and su domain usage.

init_shell domain is now only used for shell commands or scripts invoked by init*.rc files, never for an interactive shell. It was being used for console service for a while but console service is now assigned shell domain via seclabel in init.rc. We may want to reconsider the shelldomain rules for init_shell and whether they are still appropriate. shell domain is now used by both adb shell and console service, both of which also run in the shell UID. su domain is now used not only for /system/bin/su but also for adbd and its descendants after an adb root is performed.

Change-Id: I502ab98aafab7dafb8920ccaa25e8fde14a8f572
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 init_shell.te | 4 +++-
 shell.te | 2 +-
 su.te | 3 +++
 3 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/init_shell.te b/init_shell.te
index 8ff5c488f..e1ca03a0c 100644
--- a/init_shell.te
+++ b/init_shell.te
@@ -1,4 +1,6 @@
-# Restricted domain for shell processes spawned by init
+# Restricted domain for shell processes spawned by init.
+# Normally these are shell commands or scripts invoked via sh
+# from an init*.rc file. No service should ever run in this domain.
 type init_shell, domain, shelldomain;
 domain_auto_trans(init, shell_exec, init_shell)
 unconfined_domain(init_shell)
diff --git a/shell.te b/shell.te
index ad30802c7..b5f037705 100644
--- a/shell.te
+++ b/shell.te
@@ -1,4 +1,4 @@
-# Domain for shell processes spawned by ADB
+# Domain for shell processes spawned by ADB or console service.
 type shell, domain, shelldomain, mlstrustedsubject;
 type shell_exec, exec_type, file_type;
diff --git a/su.te b/su.te
index 1317fb2a2..5ba57760f 100644
--- a/su.te
+++ b/su.te
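Review bot: The new comment in init_shell.te states that no service should ever run in this domain, but nothing in the hunk enforces it: the domain keeps `unconfined_domain(init_shell)` and the shelldomain attribute, so a service mislabeled into init_shell via seclabel in an init*.rc file would run unconfined and no denial would surface the mistake. A neverallow is probably not expressible here, since init legitimately enters the domain through the same `domain_auto_trans(init, shell_exec, init_shell)` path, so the invariant rests on review of init*.rc entries rather than on policy, and the comment should say so: `# NOTE: not enforced by policy; audit init*.rc seclabel entries to keep services out.` The commit description also records an open question about whether the shelldomain rules still fit init_shell; carrying it into the file as `# TODO: reconsider whether the shelldomain rules are still appropriate for init_shell.` keeps it visible to the next reader of this policy.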
@@ -2,6 +2,9 @@
 type su_exec, exec_type, file_type;
 userdebug_or_eng(`
+ # Domain used for su processes, as well as for adbd and adb shell
+ # after performing an adb root command. The domain definition is
+ # wrapped to ensure that it does not exist at all on -user builds.
 type su, domain;
 domain_auto_trans(shell, su_exec, su)
-- 
GitLab
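Review bot: The new comment documents that adbd and adb shell enter su after adb root, but the only transition visible in this hunk is `domain_auto_trans(shell, su_exec, su)`; the adbd path is defined elsewhere (presumably adbd.te, not shown here), and a one-line pointer to it would keep su.te self-explanatory for someone auditing how the su domain can be reached on userdebug/eng builds. It would also help to say why `type su_exec, exec_type, file_type;` sits above the `userdebug_or_eng` wrapper while the domain sits inside it, since a reader of the new comment may take "does not exist at all on -user builds" to cover the file type too, e.g. `# su_exec is declared unconditionally; only the su domain is build-conditional.` The userdebug_or_eng block continues past the end of the hunk.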