

1 # Domain for shell processes spawned by ADB or console service.
# Excerpt of the unprivileged `shell` domain policy (only lines that mention
# `shell` are shown; several multi-line allow blocks are cut). Rules are grouped
# by the resource they touch; the neverallow rules near the end of the file pin
# the boundaries that no later allow rule may cross.
2 type shell, domain, mlstrustedsubject;
# NOTE(review): mlstrustedsubject presumably exempts this domain from MLS
# constraints -- confirm against the MLS constraint definitions.
6 net_domain(shell)
# Logging: read and control logd (logcat, log clearing from adb shell).
9 read_logd(shell)
10 control_logd(shell)
# pstore: directory search and file read only; no write or unlink.
12 allow shell pstorefs:dir search;
13 allow shell pstorefs:file r_file_perms;
16 allow shell rootfs:dir r_dir_perms;
# ANR traces: read-only.
19 allow shell anr_data_file:dir r_dir_perms;
20 allow shell anr_data_file:file r_file_perms;
# Shell's own data directory: create/write plus execute. Together with
# shell_test_data_file below this is the only type in this excerpt that is both
# writable and executable by shell.
23 allow shell shell_data_file:dir create_dir_perms;
24 allow shell shell_data_file:file create_file_perms;
25 allow shell shell_data_file:file rx_file_perms;
26 allow shell shell_data_file:lnk_file create_file_perms;
# Test data directory: same write+execute grant, plus socket files.
29 allow shell shell_test_data_file:dir create_dir_perms;
30 allow shell shell_test_data_file:file create_file_perms;
31 allow shell shell_test_data_file:file rx_file_perms;
32 allow shell shell_test_data_file:lnk_file create_file_perms;
33 allow shell shell_test_data_file:sock_file create_file_perms;
# Trace and profman dumps: read and delete existing files, but the file class
# carries no write/create, so shell can only clean up, not forge, these dumps.
36 allow shell trace_data_file:file { r_file_perms unlink };
37 allow shell trace_data_file:dir { r_dir_perms remove_name write };
40 allow shell profman_dump_data_file:dir { write remove_name r_dir_perms };
41 allow shell profman_dump_data_file:file { unlink r_file_perms };
# Native tests: read and execute only; no write into the test tree.
45 allow shell nativetest_data_file:dir r_dir_perms;
46 allow shell nativetest_data_file:file rx_file_perms;
# Socket connect to dumpstate (bugreport trigger).
50 unix_socket_connect(shell, dumpstate, dumpstate)
# Terminal devices: read/write so an interactive shell works on pts, tty and
# the serial console.
52 allow shell devpts:chr_file rw_file_perms;
53 allow shell tty_device:chr_file rw_file_perms;
54 allow shell console_device:chr_file rw_file_perms;
# Input devices: read only here; the neverallow on no_w_file_perms at the end
# of the file forbids ever adding write.
56 allow shell input_device:dir r_dir_perms;
57 allow shell input_device:chr_file r_file_perms;
# Executables shell may run: the system image, toolbox, tzdatacheck, the shell
# binary itself, and zygote_exec (app_process).
59 r_dir_file(shell, system_file)
60 allow shell system_file:file x_file_perms;
61 allow shell toolbox_exec:file rx_file_perms;
62 allow shell tzdatacheck_exec:file rx_file_perms;
63 allow shell shell_exec:file rx_file_perms;
64 allow shell zygote_exec:file rx_file_perms;
# Installed APKs: read only.
66 r_dir_file(shell, apk_data_file)
# Boot trace output: read/write directory and file creation.
70 allow shell boottrace_data_file:dir rw_dir_perms;
71 allow shell boottrace_data_file:file create_file_perms;
74 # allow shell access to services
# Only the list permission on servicemanager is granted here; the per-service
# allow block that follows (cut from this excerpt) enumerates the individual
# service types shell may find.
75 allow shell servicemanager:service_manager list;
76 # don't allow shell to access GateKeeper service
79 allow shell {
# Binder call into dumpstate (the service side of the bugreport socket above).
95 allow shell dumpstate:binder call;
97 # allow shell to get information from hwservicemanager
# hwbinder is enabled, but only hwservice_manager list is granted here; no
# individual hwservice type appears in this excerpt.
99 hwbinder_use(shell)
100 allow shell hwservicemanager:hwservice_manager list;
102 # allow shell to look through /proc/ for lsmod, ps, top, netstat, vmstat.
103 r_dir_file(shell, proc_net_type)
105 allow shell {
# Network sysfs: read only.
123 allow shell sysfs_net:dir r_dir_perms;
# cgroup hierarchies (v1 and v2) and their description files: read only.
125 r_dir_file(shell, cgroup)
126 allow shell cgroup_desc_file:file r_file_perms;
127 allow shell cgroup_desc_api_file:file r_file_perms;
128 allow shell vendor_cgroup_desc_file:file r_file_perms;
129 r_dir_file(shell, cgroup_v2)
# `domain` is the attribute process types carry (see `type shell, domain` on
# line 2), so these two rules let shell list and read the /proc/<pid> tree of
# presumably every process. Read and getattr only: no write, ptrace or signal.
130 allow shell domain:dir { search open read getattr };
131 allow shell domain:{ file lnk_file } { open read getattr };
# statfs on procfs and labeled filesystems (df, mount listings).
135 allow shell { proc labeledfs }:filesystem getattr;
138 allow shell device:dir getattr;
140 # allow shell to read /proc/pid/attr/current for ps -Z
141 allow shell domain:process getattr;
# selinuxfs: read only (getenforce, policy queries); no setenforce/load.
144 allow shell selinuxfs:dir r_dir_perms;
145 allow shell selinuxfs:file r_file_perms;
147 # enable shell domain to read/write files/dirs for bootchart data
148 # The user creates the start and stop files via adb shell
150 allow shell bootchart_data_file:dir rw_dir_perms;
151 allow shell bootchart_data_file:file create_file_perms;
153 # Make sure strace works for the non-privileged shell user
# ptrace is scoped to self only; tracing processes in other domains is not
# granted by this rule.
154 allow shell self:process ptrace;
156 # allow shell to get battery info
157 allow shell sysfs:dir r_dir_perms;
158 allow shell sysfs_batteryinfo:dir r_dir_perms;
159 allow shell sysfs_batteryinfo:file r_file_perms;
161 # allow shell to list /sys/class/block/ to get storage type for CTS
162 allow shell sysfs_block:dir r_dir_perms;
# ION allocator: read/write on the character device.
165 allow shell ion_device:chr_file rw_file_perms;
# Device nodes in general: directory listing plus getattr only (ls -l /dev).
# Block devices are restricted to getattr by the neverallow near the end of
# the file.
171 allow shell dev_type:dir r_dir_perms;
172 allow shell dev_type:chr_file getattr;
175 allow shell proc:lnk_file getattr;
181 allow shell dev_type:blk_file getattr;
# SELinux context configuration and the compiled policy: read only, presumably
# for the SELinux userspace tools and host-side tests.
184 allow shell file_contexts_file:file r_file_perms;
185 allow shell property_contexts_file:file r_file_perms;
186 allow shell seapp_contexts_file:file r_file_perms;
187 allow shell service_contexts_file:file r_file_perms;
188 allow shell sepolicy_file:file r_file_perms;
190 # Allow shell to start up vendor shell
191 allow shell vendor_shell_exec:file rx_file_perms;
193 # Everything is labeled as rootfs in recovery mode. Allow shell to
196 allow shell rootfs:file rx_file_perms;
203 # Do not allow shell to hard link to any files.
204 # In particular, if shell hard links to app data
207 # bugs, so we want to ensure the shell user never has this
# neverallow is a build-time assertion: any allow rule anywhere in the policy
# that grants link on a file_type to shell makes the policy fail to compile.
209 neverallow shell file_type:file link;
# Extended-permission assertion: even on sockets where ioctl is allowed, the
# privileged ioctl numbers in priv_sock_ioctls may never be granted to shell.
212 neverallowxperm shell domain:{ rawip_socket tcp_socket udp_socket } ioctl priv_sock_ioctls;
214 # limit shell access to sensitive char drivers to
216 neverallow shell {
222 # Limit shell to only getattr on blk devices for host side tests.
# Complements the getattr allow on line 181: every permission other than
# getattr on any block device is rejected at policy build time.
223 neverallow shell dev_type:blk_file ~getattr;
226 # vector. The shell user can inject events that look like they
230 # their stress tests, and the input command (adb shell input ...) for
# No write-class permission on input devices may ever be granted; the read
# access on lines 56-57 is unaffected.
232 neverallow shell input_device:chr_file no_w_file_perms;