platform_system_sepolicy/private/shell.te

# systrace support - allow atrace to run
allow shell debugfs_tracing:dir r_dir_perms;
allow shell debugfs_tracing:file rw_file_perms;
allow shell debugfs_trace_marker:file getattr;
allow shell atrace_exec:file rx_file_perms;

# app_domain fallout
tmpfs_domain(shell)
# Map with PROT_EXEC.
allow shell shell_tmpfs:file execute;
sepolicy: add version_policy tool and version non-platform policy. In order to support platform changes without simultaneous updates from non-platform components, the platform and non-platform policies must be split. In order to provide a guarantee that policy written for non-platform objects continues to provide the same access, all types exposed to non-platform policy are versioned by converting them and the policy using them into attributes. This change performs that split, the subsequent versioning and also generates a mapping file to glue the different policy components together. Test: Device boots and runs. Bug: 31369363 Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317 2016-10-12 23:58:09 +02:00			`# systrace support - allow atrace to run`
			`allow shell debugfs_tracing:dir r_dir_perms;`
			`allow shell debugfs_tracing:file rw_file_perms;`
			`allow shell debugfs_trace_marker:file getattr;`
			`allow shell atrace_exec:file rx_file_perms;`

			`# app_domain fallout`
			`tmpfs_domain(shell)`
			`# Map with PROT_EXEC.`
			`allow shell shell_tmpfs:file execute;`