tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/shelldomain.te
Nick Kralevich 20a791a4f2 shell: allow setting debug_prop and powerctl_prop 
Allow the shell user to set debug.* properties.
This allows systrace to work on Android.

Allow the shell user to set sys.powerctl, to allow reboots
to work.

Addresses the following denials:

<4>[ 2141.449722] avc:  denied  { set } for property=debug.atrace.tags.enableflags scontext=u:r:shell:s0 tcontext=u:object_r:debug_prop:s0 tclass=property_service
<4>[ 2141.450820] avc:  denied  { set } for property=debug.atrace.app_cmdlines scontext=u:r:shell:s0 tcontext=u:object_r:debug_prop:s0 tclass=property_service
<4>[ 2141.506703] avc:  denied  { set } for property=debug.atrace.tags.enableflags scontext=u:r:shell:s0 tcontext=u:object_r:debug_prop:s0 tclass=property_service
<4>[ 2141.507591] avc:  denied  { set } for property=debug.atrace.app_cmdlines scontext=u:r:shell:s0 tcontext=u:object_r:debug_prop:s0 tclass=property_service

Bug: 12231073
Change-Id: Iaba1db06ba287c7d5d10ce287833c57238e03bb6
2013-12-20 08:16:31 -08:00

42 lines
1.5 KiB
Text
Raw Blame History

# Rules for all shell domains (e.g. console service and adb shell).
# Access /data/local/tmp.
allow shelldomain shell_data_file:dir create_dir_perms;
allow shelldomain shell_data_file:file create_file_perms;
allow shelldomain shell_data_file:file rx_file_perms;
# Access sdcard.
allow shelldomain sdcard_type:dir rw_dir_perms;
allow shelldomain sdcard_type:file create_file_perms;
# adb bugreport
unix_socket_connect(shelldomain, dumpstate, dumpstate)
allow shelldomain rootfs:dir r_dir_perms;
allow shelldomain devpts:chr_file rw_file_perms;
allow shelldomain tty_device:chr_file rw_file_perms;
allow shelldomain console_device:chr_file rw_file_perms;
allow shelldomain input_device:chr_file rw_file_perms;
allow shelldomain system_file:file x_file_perms;
allow shelldomain shell_exec:file rx_file_perms;
allow shelldomain zygote_exec:file rx_file_perms;
r_dir_file(shelldomain, apk_data_file)
allow shelldomain dalvikcache_data_file:file { write setattr };
# Set properties.
unix_socket_connect(shelldomain, property, init)
allow shelldomain shell_prop:property_service set;
allow shelldomain ctl_dumpstate_prop:property_service set;
allow shelldomain debug_prop:property_service set;
allow shelldomain powerctl_prop:property_service set;
# ndk-gdb invokes adb shell ps to find the app PID.
r_dir_file(shelldomain, non_system_app_set)
# ndk-gdb invokes adb shell ls to check the app data dir.
allow shelldomain app_data_file:dir search;
# ps and ps -Z output for app processes.
r_dir_file(shelldomain, appdomain)
allow shelldomain appdomain:process getattr;
Reference in a new issue View git blame Copy permalink