2b732237d1
Read access to /dev/log/* is no longer restricted. Filtering on reads is performed per-uid by the kernel logger driver. Change-Id: Ia986cbe66b84f3898e858c60f12c7f3d63ac47cf Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
34 lines
1.1 KiB
Text
34 lines
1.1 KiB
Text
type shell, domain, mlstrustedsubject;
|
|
type shell_exec, file_type;
|
|
domain_auto_trans(init, shell_exec, shell)
|
|
allow shell rootfs:dir r_dir_perms;
|
|
allow shell devpts:chr_file rw_file_perms;
|
|
allow shell tty_device:chr_file rw_file_perms;
|
|
allow shell console_device:chr_file rw_file_perms;
|
|
allow shell input_device:chr_file rw_file_perms;
|
|
allow shell system_file:file x_file_perms;
|
|
allow shell shell_exec:file rx_file_perms;
|
|
allow shell zygote_exec:file rx_file_perms;
|
|
allow shell shell_data_file:dir create_dir_perms;
|
|
allow shell shell_data_file:file create_file_perms;
|
|
allow shell shell_data_file:file rx_file_perms;
|
|
|
|
# Access sdcard.
|
|
allow shell sdcard_type:dir rw_dir_perms;
|
|
allow shell sdcard_type:file create_file_perms;
|
|
|
|
r_dir_file(shell, apk_data_file)
|
|
allow shell dalvikcache_data_file:file { write setattr };
|
|
|
|
# Run app_process.
|
|
# XXX Split into its own domain?
|
|
app_domain(shell)
|
|
|
|
# Property Service
|
|
allow shell shell_prop:property_service set;
|
|
|
|
# setprop toolbox command
|
|
unix_socket_connect(shell, property, init)
|
|
|
|
# ctl interface
|
|
allow shell ctl_dumpstate_prop:property_service set;
|