Remove domain_deprecated from adbd and shell

am: 8ca19368 * commit '8ca19368': Remove domain_deprecated from adbd and shell

Remove domain_deprecated from adbd and shell
am: 8ca19368 * commit '8ca19368': Remove domain_deprecated from adbd and shell
78d03007 · Nick Kralevich · android-build-merger · eb59a815 · 8ca19368 · 78d03007
Commit 78d03007 authored 9 years ago by Nick Kralevich Committed by android-build-merger 9 years ago
--- a/adbd.te
+++ b/adbd.te
 # adbd seclabel is specified in init.rc since
 # it lives in the rootfs and has no unique file type.
-type adbd, domain, domain_deprecated, mlstrustedsubject;
+type adbd, domain, mlstrustedsubject;

 userdebug_or_eng(`
  allow adbd self:process setcurrent;

--- a/domain.te
+++ b/domain.te
@@ -88,6 +88,9 @@ allow domain system_file:dir { search getattr };
 allow domain system_file:file { execute read open getattr };
 allow domain system_file:lnk_file read;

+# libc references /data/misc/zoneinfo for timezone related information
+r_dir_file(domain, zoneinfo_data_file)
+
 # files under /data.
 allow domain system_data_file:dir { search getattr };
 allow domain system_data_file:lnk_file read;

--- a/domain_deprecated.te
+++ b/domain_deprecated.te
@@ -53,9 +53,6 @@ allow domain_deprecated cache_file:dir r_dir_perms;
 allow domain_deprecated cache_file:file { getattr read };
 allow domain_deprecated cache_file:lnk_file r_file_perms;

-# Read timezone related information
-r_dir_file(domain_deprecated, zoneinfo_data_file)
-
 # For /acct/uid/*/tasks.
 allow domain_deprecated cgroup:dir { search write };
 allow domain_deprecated cgroup:file w_file_perms;

--- a/shell.te
+++ b/shell.te
 # Domain for shell processes spawned by ADB or console service.
-type shell, domain, domain_deprecated, mlstrustedsubject;
+type shell, domain, mlstrustedsubject;
 type shell_exec, exec_type, file_type;

 # Create and use network sockets.
@@ -21,6 +21,10 @@ userdebug_or_eng(`
  allow shell misc_logd_file:file r_file_perms;
 ')

+# interact with adb
+allow shell adbd:fd use;
+allow shell adbd:unix_stream_socket { read write ioctl getattr };
+
 # read files in /data/anr
 allow shell anr_data_file:dir r_dir_perms;
 allow shell anr_data_file:file r_file_perms;
@@ -82,6 +86,8 @@ allow shell servicemanager:service_manager list;
 allow shell { service_manager_type -gatekeeper_service }:service_manager find;

 # allow shell to look through /proc/ for ps, top
+r_dir_file(shell, proc)
+r_dir_file(shell, cgroup)
 allow shell domain:dir { search open read getattr };
 allow shell domain:{ file lnk_file } { open read getattr };