xref: /aosp_15_r20/system/sepolicy/prebuilts/api/30.0/private/shell.te (revision e4a36f4174b17bbab9dc043f4a65dc8d87377290)
# SELinux policy for the `shell` domain (the adb shell user).
# NOTE(review): this copy lives under prebuilts/api/30.0/ — it is the frozen
# API-level-30 snapshot kept for compatibility checks, not the live policy;
# behavioural changes belong in system/sepolicy/private/shell.te.
typeattribute shell coredomain;

# allow shell input injection
# /dev/uhid lets shell synthesize HID input events; this is a deliberately
# granted, fairly powerful capability used by input-testing tools.
allow shell uhid_device:chr_file rw_file_perms;

# systrace support - allow atrace to run
# Read access to the tracing debugfs trees plus read/write on the tracing
# control files; atrace itself runs in the shell domain (no transition).
allow shell debugfs_tracing_debug:dir r_dir_perms;
allow shell debugfs_tracing:dir r_dir_perms;
allow shell debugfs_tracing:file rw_file_perms;
allow shell debugfs_trace_marker:file getattr;
allow shell atrace_exec:file rx_file_perms;

# Compiled only into userdebug and eng builds; user builds do not get write
# access to the debug tracing files.
userdebug_or_eng(`
  allow shell debugfs_tracing_debug:file rw_file_perms;
')

# read config.gz for CTS purposes
# Read-only access to the kernel build configuration.
allow shell config_gz:file r_file_perms;

# Run app_process.
# XXX Transition into its own domain?
# app_domain() pulls in the rule set shared by all app domains; the XXX above
# is the upstream author's open question, left as-is.
app_domain(shell)

# allow shell to call dumpsys storaged
binder_call(shell, storaged)

# Perform SELinux access checks, needed for CTS
# These macros allow querying the kernel's access-decision and
# context-validation interfaces (compute_av / check_context); neither lets
# shell load or modify policy.
selinux_check_access(shell)
selinux_check_context(shell)

# Control Perfetto traced and obtain traces from it.
# Needed for Studio and debugging.
# Consumer-side socket: configure tracing sessions and read back trace data.
unix_socket_connect(shell, traced_consumer, traced)

# Allow shell binaries to write trace data to Perfetto. Used for testing and
# cmdline utils.
# Producer side: shell can emit trace packets into traced.
perfetto_producer(shell)

# Executing vendor_shell_exec moves the process into the vendor_shell domain
# instead of keeping shell's permissions.
domain_auto_trans(shell, vendor_shell_exec, vendor_shell)

# Allow shell binaries to exec the perfetto cmdline util and have that
# transition into its own domain, so that it behaves consistently to
# when exec()-d by statsd.
domain_auto_trans(shell, perfetto_exec, perfetto)
# Allow to send SIGINT to perfetto when daemonized.
# `signal` covers ordinary signals such as SIGINT; sigkill/sigstop are
# separate permissions and are not granted here.
allow shell perfetto:process signal;

# Allow shell to run adb shell cmd stats commands. Needed for CTS.
# NOTE(review): the trailing ';' after this macro call (and after the
# gpuservice and lpdumpd set_prop calls below) is inconsistent with the other
# macro invocations in this file; harmless, but worth normalizing in the
# live policy.
binder_call(shell, statsd);

# Allow shell to read and unlink traces stored in /data/misc/perfetto-traces.
# File perms are read + unlink only: shell can collect and delete traces but
# cannot create or modify trace files.
allow shell perfetto_traces_data_file:dir rw_dir_perms;
allow shell perfetto_traces_data_file:file { r_file_perms unlink };

# Allow shell to run adb shell cmd gpu commands.
binder_call(shell, gpuservice);

# Allow shell to use atrace HAL
hal_client_domain(shell, hal_atrace)

# For hostside tests such as CTS listening ports test.
# Read-only view of the device's TCP/UDP socket tables.
allow shell proc_net_tcp_udp:file r_file_perms;

# The dl.exec_linker* tests need to execute /system/bin/linker
# b/124789393
# Executed in the shell domain; no domain transition is defined for it.
allow shell system_linker_exec:file rx_file_perms;

# Renderscript host side tests depend on being able to execute
# /system/bin/bcc (b/126388046)
# Executed in the shell domain; no domain transition is defined for it.
allow shell rs_exec:file rx_file_perms;

# Allow shell to start and communicate with lpdumpd.
# set_prop() grants write (and read) of the property; lpdumpd is started via
# this property and then reached over binder.
set_prop(shell, lpdumpd_prop);
binder_call(shell, lpdumpd)

# Allow shell to set and read value of properties used for CTS tests of
# userspace reboot
set_prop(shell, userspace_reboot_test_prop)

# Allow shell to get encryption policy of /data/local/tmp/, for CTS
# allowxperm refines an `ioctl` permission granted elsewhere (the base allow
# is not in this file); it does not grant ioctl on its own. Once an xperm
# rule exists, only the listed ioctls pass, so the get-policy pair is
# whitelisted and set-policy ioctls stay denied.
allowxperm shell shell_data_file:dir ioctl {
  FS_IOC_GET_ENCRYPTION_POLICY
  FS_IOC_GET_ENCRYPTION_POLICY_EX
};

# Allow shell to execute simpleperf without a domain transition.
allow shell simpleperf_exec:file rx_file_perms;

# Allow shell to call perf_event_open for profiling other shell processes, but
# not the whole system.
# Target is `self` only, so system-wide profiling (perf_event on other
# domains) is not possible from here. The neverallow is a build-time
# assertion: any policy fragment granting shell additional perf_event
# permissions on itself (e.g. cpu or tracepoint) fails the policy build.
allow shell self:perf_event { open read write kernel };
neverallow shell self:perf_event ~{ open read write kernel };

# Allow to read graphics related properties.
# get_prop() is read-only; shell cannot set these.
get_prop(shell, graphics_config_prop)