Allow shell to start vendor shell
Test: adb shell /vendor/bin/sh Fixes: 65448858 Change-Id: Ic2c9fa9b7e5bed3e1532f4e545f54a857ea99fc6
This commit is contained in:
Yifan Hong
parent
ee268643c1
commit
00ab5d86be
5 changed files with 25 additions and 3 deletions
|
|
@ -84,6 +84,7 @@
|
|||
update_engine_log_data_file
|
||||
vendor_default_prop
|
||||
vendor_init
|
||||
vendor_shell
|
||||
vold_prepare_subdirs
|
||||
vold_prepare_subdirs_exec
|
||||
vold_service
|
||||
|
|
|
|||
|
|
@ -36,3 +36,5 @@ unix_socket_connect(shell, traced_consumer, traced)
|
|||
allow shell traced:fd use;
|
||||
allow shell traced_tmpfs:file { read write getattr map };
|
||||
unix_socket_connect(shell, traced_producer, traced)
|
||||
|
||||
domain_auto_trans(shell, vendor_shell_exec, vendor_shell)
|
||||
|
|
|
|||
|
|
@ -874,6 +874,7 @@ full_treble_only(`
|
|||
coredomain
|
||||
-init
|
||||
-vendor_init
|
||||
-shell
|
||||
} vendor_shell_exec:file { execute execute_no_trans };
|
||||
|
||||
# Do not allow vendor components to execute files from system
|
||||
|
|
|
|||
|
|
@ -185,6 +185,9 @@ allow shell seapp_contexts_file:file r_file_perms;
|
|||
allow shell service_contexts_file:file r_file_perms;
|
||||
allow shell sepolicy_file:file r_file_perms;
|
||||
|
||||
# Allow shell to start up vendor shell
|
||||
allow shell vendor_shell_exec:file rx_file_perms;
|
||||
|
||||
###
|
||||
### Neverallow rules
|
||||
###
|
||||
|
|
|
|||
|
|
@ -1,4 +1,19 @@
|
|||
# vendor shell MUST never run as interactive or login shell.
|
||||
# vendor shell CAN never be traisitioned to by any process, so it is
|
||||
# only intended by shell script interpreter.
|
||||
type vendor_shell, domain;
|
||||
type vendor_shell_exec, exec_type, vendor_file_type, file_type;
|
||||
|
||||
allow vendor_shell vendor_shell_exec:file rx_file_perms;
|
||||
allow vendor_shell vendor_toolbox_exec:file rx_file_perms;
|
||||
|
||||
# Use fd from shell when vendor_shell is started from shell
|
||||
allow vendor_shell shell:fd use;
|
||||
|
||||
# adbd: allow `adb shell /vendor/bin/sh` and `adb shell` then `/vendor/bin/sh`
|
||||
allow vendor_shell adbd:fd use;
|
||||
allow vendor_shell adbd:process sigchld;
|
||||
allow vendor_shell adbd:unix_stream_socket { getattr ioctl read write };
|
||||
|
||||
allow vendor_shell devpts:chr_file rw_file_perms;
|
||||
allow vendor_shell tty_device:chr_file rw_file_perms;
|
||||
allow vendor_shell console_device:chr_file rw_file_perms;
|
||||
allow vendor_shell input_device:dir r_dir_perms;
|
||||
allow vendor_shell input_device:chr_file rw_file_perms;
|
||||
|
|
|
|||
Loading…
Reference in a new issue