Lines Matching refs:shell

1 # Domain for shell processes spawned by ADB or console service.
2 type shell, domain, mlstrustedsubject;
6 net_domain(shell)
9 read_logd(shell)
10 control_logd(shell)
12 allow shell pstorefs:dir search;
13 allow shell pstorefs:file r_file_perms;
16 allow shell rootfs:dir r_dir_perms;
19 allow shell anr_data_file:dir r_dir_perms;
20 allow shell anr_data_file:file r_file_perms;
23 allow shell shell_data_file:dir create_dir_perms;
24 allow shell shell_data_file:file create_file_perms;
25 allow shell shell_data_file:file rx_file_perms;
26 allow shell shell_data_file:lnk_file create_file_perms;
29 allow shell trace_data_file:file { r_file_perms unlink };
30 allow shell trace_data_file:dir { r_dir_perms remove_name write };
33 allow shell profman_dump_data_file:dir { write remove_name r_dir_perms };
34 allow shell profman_dump_data_file:file { unlink r_file_perms };
38   allow shell nativetest_data_file:dir r_dir_perms;
39   allow shell nativetest_data_file:file rx_file_perms;
43 unix_socket_connect(shell, dumpstate, dumpstate)
45 allow shell devpts:chr_file rw_file_perms;
46 allow shell tty_device:chr_file rw_file_perms;
47 allow shell console_device:chr_file rw_file_perms;
48 allow shell input_device:dir r_dir_perms;
49 allow shell input_device:chr_file rw_file_perms;
50 r_dir_file(shell, system_file)
51 allow shell system_file:file x_file_perms;
52 allow shell toolbox_exec:file rx_file_perms;
53 allow shell tzdatacheck_exec:file rx_file_perms;
54 allow shell shell_exec:file rx_file_perms;
55 allow shell zygote_exec:file rx_file_perms;
57 r_dir_file(shell, apk_data_file)
60 set_prop(shell, shell_prop)
61 set_prop(shell, ctl_bugreport_prop)
62 set_prop(shell, ctl_dumpstate_prop)
63 set_prop(shell, dumpstate_prop)
64 set_prop(shell, exported_dumpstate_prop)
65 set_prop(shell, debug_prop)
66 set_prop(shell, powerctl_prop)
67 set_prop(shell, log_tag_prop)
68 set_prop(shell, wifi_log_prop)
69 # Allow shell to start/stop traced via the persist.traced.enable
71 set_prop(shell, traced_enabled_prop)
73 userdebug_or_eng(`set_prop(shell, log_prop)')
75 userdebug_or_eng(`set_prop(shell, logpersistd_logging_prop)')
79   allow shell boottrace_data_file:dir rw_dir_perms;
80   allow shell boottrace_data_file:file create_file_perms;
81   set_prop(shell, persist_debug_prop)
85 get_prop(shell, serialno_prop)
87 # Allow shell to read the vendor security patch level for CTS
88 get_prop(shell, vendor_security_patch_level_prop)
91 get_prop(shell, device_logging_prop)
94 get_prop(shell, bootloader_boot_reason_prop)
95 get_prop(shell, last_boot_reason_prop)
96 get_prop(shell, system_boot_reason_prop)
98 # allow shell access to services
99 allow shell servicemanager:service_manager list;
100 # don't allow shell to access GateKeeper service
103 allow shell {
113 allow shell dumpstate:binder call;
115 # allow shell to get information from hwservicemanager
117 hwbinder_use(shell)
118 allow shell hwservicemanager:hwservice_manager list;
120 # allow shell to look through /proc/ for lsmod, ps, top, netstat.
121 r_dir_file(shell, proc_net)
123 allow shell {
138 allow shell sysfs_net:dir r_dir_perms;
140 r_dir_file(shell, cgroup)
141 allow shell domain:dir { search open read getattr };
142 allow shell domain:{ file lnk_file } { open read getattr };
146 allow shell { proc labeledfs }:filesystem getattr;
149 allow shell device:dir getattr;
151 # allow shell to read /proc/pid/attr/current for ps -Z
152 allow shell domain:process getattr;
155 allow shell selinuxfs:dir r_dir_perms;
156 allow shell selinuxfs:file r_file_perms;
158 # enable shell domain to read/write files/dirs for bootchart data
159 # User will creates the start and stop file via adb shell
161 allow shell bootchart_data_file:dir rw_dir_perms;
162 allow shell bootchart_data_file:file create_file_perms;
164 # Make sure strace works for the non-privileged shell user
165 allow shell self:process ptrace;
167 # allow shell to get battery info
168 allow shell sysfs:dir r_dir_perms;
169 allow shell sysfs_batteryinfo:dir r_dir_perms;
170 allow shell sysfs_batteryinfo:file r_file_perms;
173 allow shell ion_device:chr_file rw_file_perms;
179 allow shell dev_type:dir r_dir_perms;
180 allow shell dev_type:chr_file getattr;
183 allow shell proc:lnk_file getattr;
189 allow shell dev_type:blk_file getattr;
192 allow shell file_contexts_file:file r_file_perms;
193 allow shell property_contexts_file:file r_file_perms;
194 allow shell seapp_contexts_file:file r_file_perms;
195 allow shell service_contexts_file:file r_file_perms;
196 allow shell sepolicy_file:file r_file_perms;
198 # Allow shell to start up vendor shell
199 allow shell vendor_shell_exec:file rx_file_perms;
205 # Do not allow shell to hard link to any files.
206 # In particular, if shell hard links to app data
209 # bugs, so we want to ensure the shell user never has this
211 neverallow shell file_type:file link;
214 neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
216 # limit shell access to sensitive char drivers to
218 neverallow shell {
225 # Limit shell to only getattr on blk devices for host side tests.
226 neverallow shell dev_type:blk_file ~getattr;