b3cb9695c4
init_shell domain is now only used for shell commands or scripts invoked by init*.rc files, never for an interactive shell. It was being used for console service for a while but console service is now assigned shell domain via seclabel in init.rc. We may want to reconsider the shelldomain rules for init_shell and whether they are still appropriate. shell domain is now used by both adb shell and console service, both of which also run in the shell UID. su domain is now used not only for /system/bin/su but also for adbd and its descendants after an adb root is performed. Change-Id: I502ab98aafab7dafb8920ccaa25e8fde14a8f572 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
8 lines
336 B
Text
8 lines
336 B
Text
# Restricted domain for shell processes spawned by init.
|
|
# Normally these are shell commands or scripts invoked via sh
|
|
# from an init*.rc file. No service should ever run in this domain.
|
|
type init_shell, domain, shelldomain;
|
|
domain_auto_trans(init, shell_exec, init_shell)
|
|
unconfined_domain(init_shell)
|
|
|
|
# inherits from shelldomain.te
|