Explicitly added permissions that were previously granted through
domain_deprecated.
BUG: 25965160
Change-Id: I586d082ef5fe49079cb0c4056f8e7b34fae48c03
diff --git a/shell.te b/shell.te
index a02fbd0..a8089d6 100644
--- a/shell.te
+++ b/shell.te
@@ -71,6 +71,7 @@
# Directory read access and file write access is already granted
# in domain.te.
allow shell debugfs:file r_file_perms;
+allow shell debugfs:dir search;
allow shell atrace_exec:file rx_file_perms;
userdebug_or_eng(`
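Review bot: The comment above the debugfs rules still says directory read access is already granted in domain.te, yet the added `allow shell debugfs:dir search;` is needed because that access came from domain_deprecated, so the comment now misleads anyone auditing what the shell domain can reach. I would reword it along the lines of `# debugfs: search directories and read files; previously inherited via domain_deprecated.` Separately, `r_file_perms` on the generic `debugfs` type lets adb shell read every debugfs file that has no narrower label. If atrace is the only consumer (inferred from the neighbouring rule, not shown in the hunk), a dedicated type for the tracing files would keep the grant tighter.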
@@ -113,3 +114,6 @@
# bugs, so we want to ensure the shell user never has this
# capability.
neverallow shell file_type:file link;
+
+# Allow access to ion memory allocation device.
+allow shell ion_device:chr_file { open read };
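Review bot: The new comment says this allows access to the ion allocator, but `{ open read }` carries no `ioctl` permission, and ion allocation is driven through ioctls. Unless ioctl is granted elsewhere in policy, the rule lets the shell domain open the device node and do little else. The comment should name the consumer that was observed needing the access and say the set is deliberately minimal, for example `# <consumer placeholder> opens the ion device; ioctl intentionally not granted.` If the access is only needed for debugging, moving the rule into the existing `userdebug_or_eng` block would keep the ion driver out of reach of adb shell on user builds. The rule would also read better grouped with the other allow rules rather than after the neverallow.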