1# Domain for shell processes spawned by ADB or console service. 2type shell, domain, mlstrustedsubject; 3type shell_exec, exec_type, file_type; 4 5# Create and use network sockets. 6net_domain(shell) 7 8# Run app_process. 9# XXX Transition into its own domain? 10app_domain(shell) 11 12# logd access 13read_logd(shell) 14control_logd(shell) 15 16# read files in /data/anr 17allow shell anr_data_file:dir r_dir_perms; 18allow shell anr_data_file:file r_file_perms; 19 20# Access /data/local/tmp. 21allow shell shell_data_file:dir create_dir_perms; 22allow shell shell_data_file:file create_file_perms; 23allow shell shell_data_file:file rx_file_perms; 24 25# adb bugreport 26unix_socket_connect(shell, dumpstate, dumpstate) 27 28allow shell devpts:chr_file rw_file_perms; 29allow shell tty_device:chr_file rw_file_perms; 30allow shell console_device:chr_file rw_file_perms; 31allow shell input_device:dir r_dir_perms; 32allow shell input_device:chr_file rw_file_perms; 33allow shell system_file:file x_file_perms; 34allow shell shell_exec:file rx_file_perms; 35allow shell zygote_exec:file rx_file_perms; 36 37r_dir_file(shell, apk_data_file) 38 39# Set properties. 40unix_socket_connect(shell, property, init) 41allow shell shell_prop:property_service set; 42allow shell ctl_dumpstate_prop:property_service set; 43allow shell debug_prop:property_service set; 44allow shell powerctl_prop:property_service set; 45 46# systrace support - allow atrace to run 47# debugfs doesn't support labeling individual files, so we have 48# to grant read access to all of /sys/kernel/debug. 49# Directory read access and file write access is already granted 50# in domain.te. 51allow shell debugfs:file r_file_perms; 52 53# allow shell to run dmesg 54allow shell kernel:system syslog_read; 55