14e2e9261f
Remove SELinux access from domain_deprecated.

Access to SELinux APIs can be granted on a per-domain basis. Remove appdomain access to SELinux APIs. SELinux APIs are not public and are not intended for application use. In particular, some exploits poll on /sys/fs/selinux/enforce to determine if the attack was successful, and we want to ensure that the behavior isn't allowed. This access was only granted in the past for CTS purposes, but all the relevant CTS tests have been moved to the shell domain.

Bug: 27756382
Bug: 28760354
Test: Device boots and no obvious problems. No collected denials.
Change-Id: Ide68311bd0542671c8ebf9df0326e512a1cf325b
19 lines
563 B
Text
typeattribute shell coredomain;

# systrace support - allow atrace to run
allow shell debugfs_tracing:dir r_dir_perms;
allow shell debugfs_tracing:file r_file_perms;
allow shell tracing_shell_writable:file rw_file_perms;
allow shell debugfs_trace_marker:file getattr;
allow shell atrace_exec:file rx_file_perms;

# Run app_process.
# XXX Transition into its own domain?
app_domain(shell)

# allow shell to call dumpsys storaged
binder_call(shell, storaged)

# Perform SELinux access checks, needed for CTS
selinux_check_access(shell)
selinux_check_context(shell)
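The commit message notes that some exploits poll /sys/fs/selinux/enforce; with app domain access removed, such reads surface as AVC denials against selinuxfs. The following is an added example, not part of this commit or its project, that counts those denials per source domain. The log lines are constructed, and it assumes the denials are audited rather than suppressed by a dontaudit rule.

```python
import re
from collections import Counter

# Constructed audit lines for illustration (not captured from a real device).
SAMPLE_LOG = """\
type=1400 audit(0.0:101): avc: denied { read } for pid=4321 comm="example.app" name="enforce" dev="selinuxfs" ino=4 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:selinuxfs:s0 tclass=file permissive=0
type=1400 audit(0.0:102): avc: denied { read } for pid=4321 comm="example.app" name="enforce" dev="selinuxfs" ino=4 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:selinuxfs:s0 tclass=file permissive=0
type=1400 audit(0.0:103): avc: denied { getattr } for pid=5000 comm="other" path="/proc/1/stat" dev="proc" ino=9 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:proc:s0 tclass=file permissive=0
I ActivityManager: Start proc 5111:com.example.sandbox/u0i7
type=1400 audit(0.0:104): avc: denied { open } for pid=5111 comm="sandboxed" name="enforce" dev="selinuxfs" ino=4 scontext=u:r:isolated_app:s0:c512,c768 tcontext=u:object_r:selinuxfs:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the key=value fields of an AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    return rec


def domain_of(context):
    """Extract the type field: u:r:untrusted_app:s0:c512,c768 -> untrusted_app."""
    parts = context.split(':')
    return parts[2] if len(parts) > 2 else context


def selinuxfs_denials(log_text):
    """Count denials whose target type is selinuxfs, keyed by (domain, comm, name)."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if not rec or 'scontext' not in rec or 'tcontext' not in rec:
            continue
        if domain_of(rec['tcontext']) != 'selinuxfs':
            continue
        key = (domain_of(rec['scontext']), rec.get('comm', '?'), rec.get('name', '?'))
        hits[key] += 1
    return hits


if __name__ == '__main__':
    for (domain, comm, name), count in selinuxfs_denials(SAMPLE_LOG).most_common():
        print(f'{count:3d}  {domain}  comm={comm}  name={name}')
```

Repeated denials on `name="enforce"` from the same process are the pattern worth triaging first, since they match the polling behaviour the commit message describes.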