Add microdroid specific sepolicy
Microdroid will have a separate sepolicy, apart from the core policy.
This is the first step; For now it's a simple copy of system/sepolicy.
For the future work, it will be stripped.
Bug: 189165759
Test: boot microdroid and see selinux enforced
Change-Id: I2fee39f7231560b49c93bd5e8d0feeffada40938
diff --git a/microdroid/sepolicy/system/private/su.te b/microdroid/sepolicy/system/private/su.te
new file mode 100644
index 0000000..587f449
--- /dev/null
+++ b/microdroid/sepolicy/system/private/su.te
@@ -0,0 +1,30 @@
+userdebug_or_eng(`
+ typeattribute su coredomain;
+
+ domain_auto_trans(shell, su_exec, su)
+ # Allow dumpstate to call su on userdebug / eng builds to collect
+ # additional information.
+ domain_auto_trans(dumpstate, su_exec, su)
+
+ # Make sure that dumpstate runs the same from the "su" domain as
+ # from the "init" domain.
+ domain_auto_trans(su, dumpstate_exec, dumpstate)
+
+ # Put the incident command into its domain so it is the same on user, userdebug and eng.
+ domain_auto_trans(su, incident_exec, incident)
+
+ # Put the odrefresh command into its domain.
+ domain_auto_trans(su, odrefresh_exec, odrefresh)
+
+ # Put the perfetto command into its domain so it is the same on user, userdebug and eng.
+ domain_auto_trans(su, perfetto_exec, perfetto)
+
+ # su is also permissive to permit setenforce.
+ permissive su;
+
+ app_domain(su)
+
+ # Do not audit accesses to keystore2 namespace for the su domain.
+ dontaudit su keystore2_key_type:{ keystore2 keystore2_key } *;
+
+')