Confine shell domain in -user builds only.

Confine the domain for an adb shell in -user builds only. The shell domain in non-user builds is left permissive. init_shell (shell spawned by init, e.g. console service) remains unconfined by this change. Introduce a shelldomain attribute for rules common to all shell domains, assign it to the shell types, and add shelldomain.te for its rules. Change-Id: I01ee2c7ef80b61a9db151abe182ef9af7623c461 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
author: Stephen Smalley <sds@tycho.nsa.gov> 2013-10-23 13:25:53 -0400
committer: Stephen Smalley <sds@tycho.nsa.gov> 2013-12-18 09:37:52 -0500
commit: 712ca0a4d5c3ff77179da2544aafd6eb8e5a70c2 (patch)
tree: 5ee8c7697924b1d8d832ea0cec05464eaf9f5303 /attributes
parent: 09e6abd91b3aaaa11a44d032e095360c64a97b3a (diff)
download: android_external_sepolicy-712ca0a4d5c3ff77179da2544aafd6eb8e5a70c2.tar.gz
android_external_sepolicy-712ca0a4d5c3ff77179da2544aafd6eb8e5a70c2.tar.bz2
android_external_sepolicy-712ca0a4d5c3ff77179da2544aafd6eb8e5a70c2.zip
1 files changed, 3 insertions, 0 deletions
diff --git a/attributes b/attributes
index 6123d6c..bbc3d92 100644
--- a/attributes
+++ b/attributes
@@ -50,6 +50,9 @@ attribute mlstrustedobject;
 # Domains that are allowed all permissions ("unconfined").
 attribute unconfineddomain;
 
+# All domains used for shells.
+attribute shelldomain;
+
 # All domains used for apps.
 attribute appdomain;
author	Stephen Smalley <sds@tycho.nsa.gov>	2013-10-23 13:25:53 -0400
committer	Stephen Smalley <sds@tycho.nsa.gov>	2013-12-18 09:37:52 -0500
commit	712ca0a4d5c3ff77179da2544aafd6eb8e5a70c2 (patch)
tree	5ee8c7697924b1d8d832ea0cec05464eaf9f5303 /attributes
parent	09e6abd91b3aaaa11a44d032e095360c64a97b3a (diff)
download	android_external_sepolicy-712ca0a4d5c3ff77179da2544aafd6eb8e5a70c2.tar.gz android_external_sepolicy-712ca0a4d5c3ff77179da2544aafd6eb8e5a70c2.tar.bz2 android_external_sepolicy-712ca0a4d5c3ff77179da2544aafd6eb8e5a70c2.zip