# Domain for shell processes spawned by ADB or console service. type shell, domain; type shell_exec, system_file_type, exec_type, file_type; # Root fs. allow shell rootfs:dir r_dir_perms; # Access /data/local/tmp. allow shell shell_data_file:dir create_dir_perms; allow shell shell_data_file:file create_file_perms; allow shell shell_data_file:file rx_file_perms; allow shell shell_data_file:lnk_file create_file_perms; allow shell devpts:chr_file rw_file_perms; allow shell tty_device:chr_file rw_file_perms; allow shell console_device:chr_file rw_file_perms; r_dir_file(shell, system_file) allow shell system_file:file x_file_perms; allow shell toolbox_exec:file rx_file_perms; allow shell shell_exec:file rx_file_perms; # allow shell to look through /proc/ for lsmod, ps, top, netstat, vmstat. r_dir_file(shell, proc_net_type) allow shell { proc_asound proc_filesystems proc_interrupts proc_loadavg # b/124024827 proc_meminfo proc_modules proc_pid_max proc_slabinfo proc_stat proc_timer proc_uptime proc_version proc_vmstat proc_zoneinfo }:file r_file_perms; # allow listing network interfaces under /sys/class/net. allow shell sysfs_net:dir r_dir_perms; r_dir_file(shell, cgroup) allow shell cgroup_desc_file:file r_file_perms; allow shell cgroup_desc_api_file:file r_file_perms; r_dir_file(shell, cgroup_v2) allow shell domain:dir { search open read getattr }; allow shell domain:{ file lnk_file } { open read getattr }; # statvfs() of /proc and other labeled filesystems # (yaffs2, jffs2, ext2, ext3, ext4, xfs, btrfs, f2fs, squashfs, overlay) allow shell { proc labeledfs }:filesystem getattr; # stat() of /dev allow shell device:dir getattr; # allow shell to read /proc/pid/attr/current for ps -Z allow shell domain:process getattr; # Allow pulling the SELinux policy for CTS purposes allow shell selinuxfs:dir r_dir_perms; allow shell selinuxfs:file r_file_perms; # /dev/fd is a symlink allow shell proc:lnk_file getattr; # read selinux policy files allow shell file_contexts_file:file r_file_perms; allow shell property_contexts_file:file r_file_perms; allow shell service_contexts_file:file r_file_perms; allow shell sepolicy_file:file r_file_perms;