712ca0a4d5
Confine the domain for an adb shell in -user builds only. The shell domain in non-user builds is left permissive. init_shell (shell spawned by init, e.g. console service) remains unconfined by this change. Introduce a shelldomain attribute for rules common to all shell domains, assign it to the shell types, and add shelldomain.te for its rules. Change-Id: I01ee2c7ef80b61a9db151abe182ef9af7623c461 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
9 lines
243 B
Text
9 lines
243 B
Text
# Domain for shell processes spawned by ADB
|
|
type shell, domain, shelldomain, mlstrustedsubject;
|
|
type shell_exec, exec_type, file_type;
|
|
|
|
# Run app_process.
|
|
# XXX Transition into its own domain?
|
|
app_domain(shell)
|
|
|
|
# inherits from shelldomain.te
|