712ca0a4d5
Confine the domain for an adb shell in -user builds only. The shell domain in non-user builds is left permissive. init_shell (shell spawned by init, e.g. console service) remains unconfined by this change. Introduce a shelldomain attribute for rules common to all shell domains, assign it to the shell types, and add shelldomain.te for its rules. Change-Id: I01ee2c7ef80b61a9db151abe182ef9af7623c461 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
6 lines
204 B
Text
6 lines
204 B
Text
# Restricted domain for shell processes spawned by init
|
|
type init_shell, domain, shelldomain;
|
|
domain_auto_trans(init, shell_exec, init_shell)
|
|
unconfined_domain(init_shell)
|
|
|
|
# inherits from shelldomain.te
|