Refactor the shell domains.

Originally we used the shell domain for ADB shell only and
the init_shell domain for the console service, both transitioned
via automatic domain transitions on sh.  So they originally
shared a common set of rules.  Then init_shell started to be used
for sh commands invoked by init.<board>.rc files, and we switched
the console service to just use the shell domain via seclabel entry
in init.rc.  Even most of the sh command instances in init.<board>.rc
files have been converted to use explicit seclabel options with
more specific domains (one lingering use is touch_fw_update service
in init.grouper.rc).  The primary purpose of init_shell at this point
is just to shed certain permissions from the init domain when init invokes
a shell command.  And init_shell and shell are quite different in
their permission requirements since the former is used now for
uid-0 processes spawned by init whereas the latter is used for
uid-shell processes spawned by adb or init.

Given these differences, drop the shelldomain attribute and take those
rules directly into shell.te.  init_shell was an unconfined_domain(),
so it loses nothing from this change.  Also switch init_shell to
permissive_or_unconfined() so that we can see its actual denials
in the future in userdebug/eng builds.

Change-Id: I6e7e45724d1aa3a6bcce8df676857bc8eef568f0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

app.te

@@ -316,7 +316,7 @@ neverallow { appdomain -unconfineddomain }
 # Access to syslog(2) or /proc/kmsg.
 neverallow { appdomain -system_app }
     kernel:system { syslog_mod syslog_console };
-neverallow { appdomain -system_app -shelldomain }
+neverallow { appdomain -system_app -shell }
     kernel:system syslog_read;
 
 # Ability to perform any filesystem operation other than statfs(2).

attributes

@@ -50,9 +50,6 @@ attribute mlstrustedobject;
 # Domains that are allowed all permissions ("unconfined").
 attribute unconfineddomain;
 
-# All domains used for shells.
-attribute shelldomain;
-
 # All domains used for apps.
 attribute appdomain;
 

domain.te

@@ -248,7 +248,7 @@ neverallow {
     domain
     -appdomain
     -dumpstate
-    -shelldomain
+    -shell
     userdebug_or_eng(`-su')
     -system_server
     -zygote

init_shell.te

 # Restricted domain for shell processes spawned by init.
 # Normally these are shell commands or scripts invoked via sh
 # from an init*.rc file.  No service should ever run in this domain.
-type init_shell, domain, shelldomain;
+type init_shell, domain;
 domain_auto_trans(init, shell_exec, init_shell)
-unconfined_domain(init_shell)
-
-# inherits from shelldomain.te
+permissive_or_unconfined(init_shell)

shell.te

 # Domain for shell processes spawned by ADB or console service.
-type shell, domain, shelldomain, mlstrustedsubject;
+type shell, domain, mlstrustedsubject;
 type shell_exec, exec_type, file_type;
 
 # Create and use network sockets.
@@ -17,4 +17,38 @@ control_logd(shell)
 allow shell anr_data_file:dir r_dir_perms;
 allow shell anr_data_file:file r_file_perms;
 
-# inherits from shelldomain.te
+# Access /data/local/tmp.
+allow shell shell_data_file:dir create_dir_perms;
+allow shell shell_data_file:file create_file_perms;
+allow shell shell_data_file:file rx_file_perms;
+
+# adb bugreport
+unix_socket_connect(shell, dumpstate, dumpstate)
+
+allow shell rootfs:dir r_dir_perms;
+allow shell devpts:chr_file rw_file_perms;
+allow shell tty_device:chr_file rw_file_perms;
+allow shell console_device:chr_file rw_file_perms;
+allow shell input_device:chr_file rw_file_perms;
+allow shell system_file:file x_file_perms;
+allow shell shell_exec:file rx_file_perms;
+allow shell zygote_exec:file rx_file_perms;
+
+r_dir_file(shell, apk_data_file)
+
+# Set properties.
+unix_socket_connect(shell, property, init)
+allow shell shell_prop:property_service set;
+allow shell ctl_dumpstate_prop:property_service set;
+allow shell debug_prop:property_service set;
+allow shell powerctl_prop:property_service set;
+
+# systrace support - allow atrace to run
+# debugfs doesn't support labeling individual files, so we have
+# to grant read access to all of /sys/kernel/debug.
+# Directory read access and file write access is already granted
+# in domain.te.
+allow shell debugfs:file r_file_perms;
+
+# allow shell to run dmesg
+allow shell kernel:system syslog_read;

shelldomain.te

-# Rules for all shell domains (e.g. console service and adb shell).
-
-# Access /data/local/tmp.
-allow shelldomain shell_data_file:dir create_dir_perms;
-allow shelldomain shell_data_file:file create_file_perms;
-allow shelldomain shell_data_file:file rx_file_perms;
-
-# adb bugreport
-unix_socket_connect(shelldomain, dumpstate, dumpstate)
-
-allow shelldomain rootfs:dir r_dir_perms;
-allow shelldomain devpts:chr_file rw_file_perms;
-allow shelldomain tty_device:chr_file rw_file_perms;
-allow shelldomain console_device:chr_file rw_file_perms;
-allow shelldomain input_device:chr_file rw_file_perms;
-allow shelldomain system_file:file x_file_perms;
-allow shelldomain shell_exec:file rx_file_perms;
-allow shelldomain zygote_exec:file rx_file_perms;
-
-r_dir_file(shelldomain, apk_data_file)
-
-# Set properties.
-unix_socket_connect(shelldomain, property, init)
-allow shelldomain shell_prop:property_service set;
-allow shelldomain ctl_dumpstate_prop:property_service set;
-allow shelldomain debug_prop:property_service set;
-allow shelldomain powerctl_prop:property_service set;
-
-# systrace support - allow atrace to run
-# debugfs doesn't support labeling individual files, so we have
-# to grant read access to all of /sys/kernel/debug.
-# Directory read access and file write access is already granted
-# in domain.te.
-allow shelldomain debugfs:file r_file_perms;
-
-# allow shell to run dmesg
-allow shelldomain kernel:system syslog_read;