48759ca205
Confine run-as (but leave permissive for now) and add other allow rules required for the use of run-as and ndk-gdb functionality. Change-Id: Ifae38233c091cd34013e98830d72aac4c4adcae0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
# Domain for shell processes spawned by ADB
# Declares the type "shell" and assigns it the "domain" attribute.
type shell, domain;
# Declares "shell_exec" with the exec_type and file_type attributes.
# Presumably the label of the shell binary that serves as this domain's
# entrypoint -- confirm against file_contexts.
type shell_exec, exec_type, file_type;
# NOTE(review): unconfined_domain() is a macro defined outside this file.
# It presumably grants shell broad access, in which case the narrow allow
# rules further down only take effect once this line is removed -- confirm
# against the macro definition.
unconfined_domain(shell)
# Run app_process.
# XXX Split into its own domain?
# app_domain() is a macro defined outside this file; it presumably applies
# the rule set shared by app domains to shell -- confirm what it grants.
app_domain(shell)
# shell is also permissive to permit setenforce.
# A permissive domain has its denials logged (avc: denied) but not enforced,
# so the shell domain is not a security boundary while this line is present.
# Review the audit log for shell denials before removing it.
permissive shell;
# ndk-gdb invokes adb shell ps to find the app PID.
# r_dir_file() and non_system_app_set are both defined outside this file.
# Presumably this gives shell read-only access to directories and files
# labelled with the non-system app domains (e.g. their /proc entries) --
# confirm against the macro definitions.
r_dir_file(shell, non_system_app_set)
# ndk-gdb invokes adb shell ls to check the app data dir.
# Grants only "search" (path traversal) on directories labelled
# app_data_file. Listing a directory's entries needs "read" as well, and no
# access to app_data_file files is granted by this rule.
allow shell app_data_file:dir search;
# ndk-gdb invokes adb shell kill -9 to kill the gdbserver.
# Grants only the "sigkill" process permission, and only toward domains in
# non_system_app_set (defined outside this file). No other signal
# permission is added by this rule.
allow shell non_system_app_set:process sigkill;