From 00ab5d86beef4a70b8ed32240587af08002e56d8 Mon Sep 17 00:00:00 2001
From: Yifan Hong <elsk@google.com>
Date: Thu, 11 Jan 2018 11:01:30 -0800
Subject: [PATCH] Allow shell to start vendor shell

Test: adb shell /vendor/bin/sh
Fixes: 65448858
Change-Id: Ic2c9fa9b7e5bed3e1532f4e545f54a857ea99fc6
---
 private/compat/26.0/26.0.ignore.cil |  1 +
 private/shell.te                    |  2 ++
 public/domain.te                    |  1 +
 public/shell.te                     |  3 +++
 public/vendor_shell.te              | 21 ++++++++++++++++++---
 5 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/private/compat/26.0/26.0.ignore.cil b/private/compat/26.0/26.0.ignore.cil
index 1d3e27bd4..ca7f1fa41 100644
--- a/private/compat/26.0/26.0.ignore.cil
+++ b/private/compat/26.0/26.0.ignore.cil
@@ -84,6 +84,7 @@
     update_engine_log_data_file
     vendor_default_prop
     vendor_init
+    vendor_shell
     vold_prepare_subdirs
     vold_prepare_subdirs_exec
     vold_service
diff --git a/private/shell.te b/private/shell.te
index a3c49db37..ded9d1f94 100644
--- a/private/shell.te
+++ b/private/shell.te
@@ -36,3 +36,5 @@ unix_socket_connect(shell, traced_consumer, traced)
 allow shell traced:fd use;
 allow shell traced_tmpfs:file { read write getattr map };
 unix_socket_connect(shell, traced_producer, traced)
+
+domain_auto_trans(shell, vendor_shell_exec, vendor_shell)
diff --git a/public/domain.te b/public/domain.te
index e64b64464..2222b88e2 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -874,6 +874,7 @@ full_treble_only(`
         coredomain
         -init
         -vendor_init
+        -shell
     } vendor_shell_exec:file { execute execute_no_trans };
 
     # Do not allow vendor components to execute files from system
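Review bot: The added `-shell` exempts shell from both `execute` and `execute_no_trans` in this neverallow, although private/shell.te now adds `domain_auto_trans(shell, vendor_shell_exec, vendor_shell)`, so the transition itself should only need `execute`. If /vendor/bin/sh started from adb is meant to always run in vendor_shell, keep the non-transitioning case forbidden with a separate rule such as `neverallow shell vendor_shell_exec:file execute_no_trans;`. The public/shell.te hunk has the same issue: `rx_file_perms` appears to include `execute_no_trans`, so `allow shell vendor_shell_exec:file { r_file_perms execute };` would be the narrower grant. The neverallow statement begins above this hunk, so this reading rests on its visible tail only.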
diff --git a/public/shell.te b/public/shell.te
index 916af1c75..496d4720f 100644
--- a/public/shell.te
+++ b/public/shell.te
@@ -185,6 +185,9 @@ allow shell seapp_contexts_file:file r_file_perms;
 allow shell service_contexts_file:file r_file_perms;
 allow shell sepolicy_file:file r_file_perms;
 
+# Allow shell to start up vendor shell
+allow shell vendor_shell_exec:file rx_file_perms;
+
 ###
 ### Neverallow rules
 ###
diff --git a/public/vendor_shell.te b/public/vendor_shell.te
index b33054290..7d30acba4 100644
--- a/public/vendor_shell.te
+++ b/public/vendor_shell.te
@@ -1,4 +1,19 @@
-# vendor shell MUST never run as interactive or login shell.
-# vendor shell CAN never be traisitioned to by any process, so it is
-# only intended by shell script interpreter.
+type vendor_shell, domain;
 type vendor_shell_exec, exec_type, vendor_file_type, file_type;
+
+allow vendor_shell vendor_shell_exec:file rx_file_perms;
+allow vendor_shell vendor_toolbox_exec:file rx_file_perms;
+
+# Use fd from shell when vendor_shell is started from shell
+allow vendor_shell shell:fd use;
+
+# adbd: allow `adb shell /vendor/bin/sh` and `adb shell` then `/vendor/bin/sh`
+allow vendor_shell adbd:fd use;
+allow vendor_shell adbd:process sigchld;
+allow vendor_shell adbd:unix_stream_socket { getattr ioctl read write };
+
+allow vendor_shell devpts:chr_file rw_file_perms;
+allow vendor_shell tty_device:chr_file rw_file_perms;
+allow vendor_shell console_device:chr_file rw_file_perms;
+allow vendor_shell input_device:dir r_dir_perms;
+allow vendor_shell input_device:chr_file rw_file_perms;
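Review bot: The `input_device` and `console_device` grants at the end of the new vendor_shell domain carry no comment explaining why an adb-started vendor shell needs them, and read/write access to input device nodes is sensitive because it covers user input events. The stated test, `adb shell /vendor/bin/sh`, looks as if it needs only the fd, adbd socket and pty rules above them. Either drop these lines until a use case is shown or add a justification comment. The file also loses its header without a replacement; a line such as `# vendor_shell: domain for /vendor/bin/sh when started from the shell domain (adb)` would record the new contract. If no other domain is meant to enter it, a neverallow on `vendor_shell:process transition` for everything except shell would enforce that.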
-- 
GitLab