SELinux policy that separates "init_shell" from "shell".

"init_shell" is used for shell processes spawned by init.

Change-Id: I9e35d485bac91f3d0e4f3704acdbb9af7d617173

2 files changed, 15 insertions, 1 deletions

diff --git a/init_shell.te b/init_shell.te
new file mode 100644
index 0000000..a2f6a3c
--- /dev/null
+++ b/init_shell.te
@@ -0,0 +1,14 @@
+# Restricted domain for shell processes spawned by init
+type init_shell, domain, mlstrustedsubject;
+domain_auto_trans(init, shell_exec, init_shell)
+allow init_shell rootfs:dir r_dir_perms;
+allow init_shell devpts:chr_file rw_file_perms;
+allow init_shell tty_device:chr_file rw_file_perms;
+allow init_shell console_device:chr_file rw_file_perms;
+allow init_shell input_device:chr_file rw_file_perms;
+allow init_shell system_file:file x_file_perms;
+allow init_shell shell_exec:file rx_file_perms;
+allow init_shell zygote_exec:file rx_file_perms;
+
+# setprop toolbox command
+unix_socket_connect(init_shell, property, init)
diff --git a/shell.te b/shell.te
index acf123b..7870207 100644
--- a/shell.te
+++ b/shell.te
@@ -1,6 +1,6 @@
+# Domain for shell processes spawned by ADB
 type shell, domain, mlstrustedsubject;
 type shell_exec, file_type;
-domain_auto_trans(init, shell_exec, shell)
 allow shell rootfs:dir r_dir_perms;
 allow shell devpts:chr_file rw_file_perms;
 allow shell tty_device:chr_file rw_file_perms;