From 714ee5f293042986791ce653900a3eb308e6788a Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Fri, 20 Oct 2017 09:58:08 -0700
Subject: [PATCH] Ensure only com.android.shell can run in the shell domain.

Don't allow apps to run with uid=shell or selinux domain=shell unless the package is com.android.shell.

Add a neverallow assertion (compile time assertion + CTS test) to ensure no regressions.

Bug: 68032516
Test: policy compiles, device boots, and no obvious problems.
Change-Id: Ic6600fa5608bfbdd41ff53840d904f97d17d6731
---
 private/seapp_contexts | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/private/seapp_contexts b/private/seapp_contexts
index dc7e3893b..1f451be50 100644
--- a/private/seapp_contexts
+++ b/private/seapp_contexts
@@ -91,6 +91,10 @@ neverallow user=((?!_isolated).)* domain=isolated_app
 # uid's can be in shell domain
 neverallow user=shell domain=((?!shell).)*
 
+# only the package named com.android.shell can run in the shell domain
+neverallow domain=shell name=((?!com\.android\.shell).)*
+neverallow user=shell name=((?!com\.android\.shell).)*
+
 # Ephemeral Apps must run in the ephemeral_app domain
 neverallow isEphemeralApp=true domain=((?!ephemeral_app).)*
 
@@ -100,7 +104,7 @@ user=bluetooth seinfo=platform domain=bluetooth type=bluetooth_data_file
 user=nfc seinfo=platform domain=nfc type=nfc_data_file
 user=radio seinfo=platform domain=radio type=radio_data_file
 user=shared_relro domain=shared_relro
-user=shell seinfo=platform domain=shell type=shell_data_file
+user=shell seinfo=platform domain=shell name=com.android.shell type=shell_data_file
 user=_isolated domain=isolated_app levelFrom=user
 user=_app seinfo=media domain=mediaprovider name=android.process.media type=app_data_file levelFrom=user
 user=_app seinfo=platform domain=platform_app type=app_data_file levelFrom=user
-- 
GitLab
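Review bot: The two new neverallow lines in the first hunk use the `((?!com\.android\.shell).)*` idiom, which rejects an entry only when `com.android.shell` appears nowhere in its `name=` value, so an entry such as `name=com.android.shell.foo` or `name=evil.com.android.shell` would still satisfy both assertions if the checker anchors the regex as the surrounding rules assume; this matches the existing `((?!shell).)*` and `((?!isolated_app).)*` patterns in the file, so it is a limitation of the idiom rather than a regression, but the comment should not promise more than the assertion checks. The comment also describes only the first line; the second, `neverallow user=shell name=…`, constrains the shell uid rather than the domain. Suggest `# only the package named com.android.shell may be assigned the shell domain or the shell uid (name is checked as a substring, not an exact match)`. The entry change in the second hunk is consistent with these assertions; any other package running as uid shell no longer matches that line and, as far as can be seen here, falls through to entries that require `user=_isolated` or `user=_app`, so it will fail the lookup rather than silently land in another domain.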