Lines Matching refs:shell
1 # Domain for shell processes spawned by ADB or console service.
2 type shell, domain, mlstrustedsubject;
6 net_domain(shell)
9 read_logd(shell)
10 control_logd(shell)
12 allow shell pstorefs:dir search;
13 allow shell pstorefs:file r_file_perms;
16 allow shell rootfs:dir r_dir_perms;
19 allow shell anr_data_file:dir r_dir_perms;
20 allow shell anr_data_file:file r_file_perms;
23 allow shell shell_data_file:dir create_dir_perms;
24 allow shell shell_data_file:file create_file_perms;
25 allow shell shell_data_file:file rx_file_perms;
26 allow shell shell_data_file:lnk_file create_file_perms;
29 allow shell trace_data_file:file { r_file_perms unlink };
30 allow shell trace_data_file:dir { r_dir_perms remove_name write };
33 allow shell profman_dump_data_file:dir { write remove_name r_dir_perms };
34 allow shell profman_dump_data_file:file { unlink r_file_perms };
38 allow shell nativetest_data_file:dir r_dir_perms;
39 allow shell nativetest_data_file:file rx_file_perms;
43 unix_socket_connect(shell, dumpstate, dumpstate)
45 allow shell devpts:chr_file rw_file_perms;
46 allow shell tty_device:chr_file rw_file_perms;
47 allow shell console_device:chr_file rw_file_perms;
49 allow shell input_device:dir r_dir_perms;
50 allow shell input_device:chr_file r_file_perms;
52 r_dir_file(shell, system_file)
53 allow shell system_file:file x_file_perms;
54 allow shell toolbox_exec:file rx_file_perms;
55 allow shell tzdatacheck_exec:file rx_file_perms;
56 allow shell shell_exec:file rx_file_perms;
57 allow shell zygote_exec:file rx_file_perms;
59 r_dir_file(shell, apk_data_file)
63 allow shell boottrace_data_file:dir rw_dir_perms;
64 allow shell boottrace_data_file:file create_file_perms;
67 # allow shell access to services
68 allow shell servicemanager:service_manager list;
69 # don't allow shell to access GateKeeper service
72 allow shell {
87 allow shell dumpstate:binder call;
89 # allow shell to get information from hwservicemanager
91 hwbinder_use(shell)
92 allow shell hwservicemanager:hwservice_manager list;
94 # allow shell to look through /proc/ for lsmod, ps, top, netstat, vmstat.
95 r_dir_file(shell, proc_net_type)
97 allow shell {
115 allow shell sysfs_net:dir r_dir_perms;
117 r_dir_file(shell, cgroup)
118 allow shell domain:dir { search open read getattr };
119 allow shell domain:{ file lnk_file } { open read getattr };
123 allow shell { proc labeledfs }:filesystem getattr;
126 allow shell device:dir getattr;
128 # allow shell to read /proc/pid/attr/current for ps -Z
129 allow shell domain:process getattr;
132 allow shell selinuxfs:dir r_dir_perms;
133 allow shell selinuxfs:file r_file_perms;
135 # enable shell domain to read/write files/dirs for bootchart data
136 # User will creates the start and stop file via adb shell
138 allow shell bootchart_data_file:dir rw_dir_perms;
139 allow shell bootchart_data_file:file create_file_perms;
141 # Make sure strace works for the non-privileged shell user
142 allow shell self:process ptrace;
144 # allow shell to get battery info
145 allow shell sysfs:dir r_dir_perms;
146 allow shell sysfs_batteryinfo:dir r_dir_perms;
147 allow shell sysfs_batteryinfo:file r_file_perms;
150 allow shell ion_device:chr_file rw_file_perms;
156 allow shell dev_type:dir r_dir_perms;
157 allow shell dev_type:chr_file getattr;
160 allow shell proc:lnk_file getattr;
166 allow shell dev_type:blk_file getattr;
169 allow shell file_contexts_file:file r_file_perms;
170 allow shell property_contexts_file:file r_file_perms;
171 allow shell seapp_contexts_file:file r_file_perms;
172 allow shell service_contexts_file:file r_file_perms;
173 allow shell sepolicy_file:file r_file_perms;
175 # Allow shell to start up vendor shell
176 allow shell vendor_shell_exec:file rx_file_perms;
178 # Everything is labeled as rootfs in recovery mode. Allow shell to
181 allow shell rootfs:file rx_file_perms;
188 # Do not allow shell to hard link to any files.
189 # In particular, if shell hard links to app data
192 # bugs, so we want to ensure the shell user never has this
194 neverallow shell file_type:file link;
197 neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
199 # limit shell access to sensitive char drivers to
201 neverallow shell {
207 # Limit shell to only getattr on blk devices for host side tests.
208 neverallow shell dev_type:blk_file ~getattr;
211 # vector. The shell user can inject events that look like they
215 # their stress tests, and the input command (adb shell input ...) for
217 neverallow shell input_device:chr_file no_w_file_perms;