Home Explore Help
Register Sign In
drachfly
/
android10
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: master
Branches Tags
android10
/
system
/
sepolicy
/
private
/
shell.te

shell.te 2.4 KB
Permalink History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576 
  1. typeattribute shell coredomain;
    2. 

  2. 

  3. # allow shell input injection
    4. 

  4. allow shell uhid_device:chr_file rw_file_perms;
    5. 

  5. 

  6. # systrace support - allow atrace to run
    7. 

  7. allow shell debugfs_tracing_debug:dir r_dir_perms;
    8. 

  8. allow shell debugfs_tracing:dir r_dir_perms;
    9. 

  9. allow shell debugfs_tracing:file rw_file_perms;
    10. 

  10. allow shell debugfs_trace_marker:file getattr;
    11. 

  11. allow shell atrace_exec:file rx_file_perms;
    12. 

  12. 

  13. userdebug_or_eng(`
    14. 

  14.   allow shell debugfs_tracing_debug:file rw_file_perms;
    15. 

  15. ')
    16. 

  16. 

  17. # read config.gz for CTS purposes
    18. 

  18. allow shell config_gz:file r_file_perms;
    19. 

  19. 

  20. # Run app_process.
    21. 

  21. # XXX Transition into its own domain?
    22. 

  22. app_domain(shell)
    23. 

  23. 

  24. # allow shell to call dumpsys storaged
    25. 

  25. binder_call(shell, storaged)
    26. 

  26. 

  27. # Perform SELinux access checks, needed for CTS
    28. 

  28. selinux_check_access(shell)
    29. 

  29. selinux_check_context(shell)
    30. 

  30. 

  31. # Control Perfetto traced and obtain traces from it.
    32. 

  32. # Needed for Studio and debugging.
    33. 

  33. unix_socket_connect(shell, traced_consumer, traced)
    34. 

  34. 

  35. # Allow shell binaries to write trace data to Perfetto. Used for testing and
    36. 

  36. # cmdline utils.
    37. 

  37. allow shell traced:fd use;
    38. 

  38. allow shell traced_tmpfs:file { read write getattr map };
    39. 

  39. unix_socket_connect(shell, traced_producer, traced)
    40. 

  40. 

  41. domain_auto_trans(shell, vendor_shell_exec, vendor_shell)
    42. 

  42. 

  43. # Allow shell binaries to exec the perfetto cmdline util and have that
    44. 

  44. # transition into its own domain, so that it behaves consistently to
    45. 

  45. # when exec()-d by statsd.
    46. 

  46. domain_auto_trans(shell, perfetto_exec, perfetto)
    47. 

  47. # Allow to send SIGINT to perfetto when daemonized.
    48. 

  48. allow shell perfetto:process signal;
    49. 

  49. 

  50. # Allow shell to run adb shell cmd stats commands. Needed for CTS.
    51. 

  51. binder_call(shell, statsd);
    52. 

  52. 

  53. # Allow shell to read and unlink traces stored in /data/misc/perfetto-traces.
    54. 

  54. allow shell perfetto_traces_data_file:dir rw_dir_perms;
    55. 

  55. allow shell perfetto_traces_data_file:file { r_file_perms unlink };
    56. 

  56. 

  57. # Allow shell to run adb shell cmd gpu commands.
    58. 

  58. binder_call(shell, gpuservice);
    59. 

  59. 

  60. # Allow shell to use atrace HAL
    61. 

  61. hal_client_domain(shell, hal_atrace)
    62. 

  62. 

  63. # For hostside tests such as CTS listening ports test.
    64. 

  64. allow shell proc_net_tcp_udp:file r_file_perms;
    65. 

  65. 

  66. # The dl.exec_linker* tests need to execute /system/bin/linker
    67. 

  67. # b/124789393
    68. 

  68. allow shell system_linker_exec:file rx_file_perms;
    69. 

  69. 

  70. # Renderscript host side tests depend on being able to execute
    71. 

  71. # /system/bin/bcc (b/126388046)
    72. 

  72. allow shell rs_exec:file rx_file_perms;
    73. 

  73. 

  74. # Allow shell to start and comminicate with lpdumpd.
    75. 

  75. set_prop(shell, lpdumpd_prop);
    76. 

  76. binder_call(shell, lpdumpd)
    77.