sepolicy: add version_policy tool and version non-platform policy.
In order to support platform changes without simultaneous updates from
non-platform components, the platform and non-platform policies must be
split. In order to provide a guarantee that policy written for
non-platform objects continues to provide the same access, all types
exposed to non-platform policy are versioned by converting them and the
policy using them into attributes.
This change performs that split, the subsequent versioning and also
generates a mapping file to glue the different policy components
together.
Test: Device boots and runs.
Bug: 31369363
Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317
diff --git a/private/su.te b/private/su.te
index 5c98258..3dda00f 100644
--- a/private/su.te
+++ b/private/su.te
@@ -1,13 +1,5 @@
-# File types must be defined for file_contexts.
-type su_exec, exec_type, file_type;
-
userdebug_or_eng(`
- # Domain used for su processes, as well as for adbd and adb shell
- # after performing an adb root command. The domain definition is
- # wrapped to ensure that it does not exist at all on -user builds.
- type su, domain, mlstrustedsubject;
domain_auto_trans(shell, su_exec, su)
-
# Allow dumpstate to call su on userdebug / eng builds to collect
# additional information.
domain_auto_trans(dumpstate, su_exec, su)
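Review bot: The removed comment on the old lines 23-25 was the only place stating that the su domain is "wrapped to ensure that it does not exist at all on -user builds", and with `type su` and `type su_exec` no longer declared inside the userdebug_or_eng block that property is either relaxed or now lives wherever the types were moved to, which this diff does not show. The remaining file gives a reader no hint of that, so the hunk should carry a comment stating the new arrangement, e.g. `# su and su_exec are declared outside this file; only the rules below are userdebug/eng-only.` If the types are now visible on user builds, the wording should say so explicitly so nobody relies on the old guarantee.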
@@ -16,41 +8,11 @@
# from the "init" domain.
domain_auto_trans(su, dumpstate_exec, dumpstate)
- # su is also permissive to permit setenforce.
+# su is also permissive to permit setenforce.
permissive su;
- # Add su to various domains
- net_domain(su)
- app_domain(su)
-
- dontaudit su self:capability_class_set *;
- dontaudit su kernel:security *;
- dontaudit su kernel:system *;
- dontaudit su self:memprotect *;
- dontaudit su domain:process *;
- dontaudit su domain:fd *;
- dontaudit su domain:dir *;
- dontaudit su domain:lnk_file *;
- dontaudit su domain:{ fifo_file file } *;
- dontaudit su domain:socket_class_set *;
- dontaudit su domain:ipc_class_set *;
- dontaudit su domain:key *;
- dontaudit su fs_type:filesystem *;
- dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
- dontaudit su node_type:node *;
- dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
- dontaudit su netif_type:netif *;
- dontaudit su port_type:socket_class_set *;
- dontaudit su port_type:{ tcp_socket dccp_socket } *;
- dontaudit su domain:peer *;
- dontaudit su domain:binder *;
- dontaudit su property_type:property_service *;
- dontaudit su property_type:file *;
- dontaudit su service_manager_type:service_manager *;
- dontaudit su servicemanager:service_manager list;
- dontaudit su keystore:keystore_key *;
- dontaudit su domain:debuggerd *;
- dontaudit su domain:drmservice *;
- dontaudit su unlabeled:filesystem *;
- dontaudit su postinstall_file:filesystem *;
+ # app_domain fallout
+ tmpfs_domain(su)
+ # Map with PROT_EXEC.
+ allow su su_tmpfs:file execute;
')
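Review bot: The added comment `# app_domain fallout` does not tell a reader what the two rules below it are for or why they survive here after the removed `app_domain(su)` call; something like `# Rules previously provided by app_domain(su); kept here because they are not covered by the moved macro.` (hedged: the diff does not show where app_domain(su) went) would make the intent checkable. Separately, the added `# su is also permissive to permit setenforce.` line is at column 0 while the other added lines in the same userdebug_or_eng block keep a one-space indent; the block should use one indentation style.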