From d1fa4d3d92c88bde9ecd118c178d0297d0f30f9b Mon Sep 17 00:00:00 2001
From: William Roberts <william.c.roberts@linux.intel.com>
Date: Wed, 13 May 2015 17:06:37 -0700
Subject: [PATCH] neverallow transitions to shell

Only a few daemons need transition to shell. Prevent misuse and over-privileging of shell domain.

Change-Id: Ib1a5611e356d7a66c2e008232c565035e3fc4956
Signed-off-by: William Roberts <william.c.roberts@linux.intel.com>
---
 domain.te | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/domain.te b/domain.te
index 3192ace52..bd59be158 100644
--- a/domain.te
+++ b/domain.te
@@ -429,3 +429,16 @@ neverallow {
 # do not grant anything greater than r_file_perms and relabelfrom unlink
 # to installd
 neverallow installd system_data_file:file ~{ r_file_perms relabelfrom unlink };
+
+#
+# Only these domains should transition to shell domain. This domain is
+# permissible for the "shell user". If you need a process to exec a shell
+# script with differing privilege, define a domain and set up a transition.
+#
+neverallow {
+ domain
+ -adbd
+ -init
+ -runas
+ -zygote
+} shell:process { transition dyntransition };
-- 
GitLab
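Review bot: The new rule exempts all four domains from both `transition` and `dyntransition`, so each exempt domain stays outside the assertion for a permission it may not need. The hunk does not show which of adbd, init, runas and zygote enter shell by exec and which by setcon; if they divide cleanly, two assertions would be tighter, for example `neverallow { domain -adbd -init } shell:process transition;` and `neverallow { domain -runas -zygote } shell:process dyntransition;` (this grouping is an assumption to confirm against each domain's allow rules). The comment would also be more useful if it stated why each exempt domain is listed, since a later reader has to justify any addition to that list.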