platform_system_sepolicy/shell.te

# Domain for shell processes spawned by ADB or console service.
type shell, domain, mlstrustedsubject;
type shell_exec, exec_type, file_type;

# Create and use network sockets.
net_domain(shell)

# Run app_process.
# XXX Transition into its own domain?
app_domain(shell)

# logd access
read_logd(shell)
control_logd(shell)

# read files in /data/anr
allow shell anr_data_file:dir r_dir_perms;
allow shell anr_data_file:file r_file_perms;

# Access /data/local/tmp.
allow shell shell_data_file:dir create_dir_perms;
allow shell shell_data_file:file create_file_perms;
allow shell shell_data_file:file rx_file_perms;

# adb bugreport
unix_socket_connect(shell, dumpstate, dumpstate)

allow shell rootfs:dir r_dir_perms;
allow shell devpts:chr_file rw_file_perms;
allow shell tty_device:chr_file rw_file_perms;
allow shell console_device:chr_file rw_file_perms;
allow shell input_device:dir r_dir_perms;
allow shell input_device:chr_file rw_file_perms;
allow shell system_file:file x_file_perms;
allow shell shell_exec:file rx_file_perms;
allow shell zygote_exec:file rx_file_perms;

r_dir_file(shell, apk_data_file)

# Set properties.
unix_socket_connect(shell, property, init)
allow shell shell_prop:property_service set;
allow shell ctl_dumpstate_prop:property_service set;
allow shell debug_prop:property_service set;
allow shell powerctl_prop:property_service set;

# systrace support - allow atrace to run
# debugfs doesn't support labeling individual files, so we have
# to grant read access to all of /sys/kernel/debug.
# Directory read access and file write access is already granted
# in domain.te.
allow shell debugfs:file r_file_perms;

# allow shell to run dmesg
allow shell kernel:system syslog_read;