Support running adbd in the su domain.
When adbd runs as root, it transitions into the
su domain. Add the various rules to support this.
This is needed to run the adbd and shell domains in
enforcing on userdebug / eng devices without breaking
developer workflows.
Change-Id: Ib33c0dd2dd6172035230514ac84fcaed2ecf44d6
diff --git a/adbd.te b/adbd.te
index a92d505..8614819 100644
--- a/adbd.te
+++ b/adbd.te
@@ -4,6 +4,7 @@
userdebug_or_eng(`
permissive adbd;
+ allow adbd su:process dyntransition;
')
domain_auto_trans(adbd, shell_exec, shell)
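Review bot: The new `allow adbd su:process dyntransition;` rule has no comment, and it is worth stating that it covers a setcon()-style transition adbd performs when it stays root (per the commit message) rather than an exec-based domain_auto_trans like the one on the next line, so the su domain inherits adbd's open fds and memory mappings. A dynamic transition also requires the source to hold `setcurrent` on itself; unless `allow adbd self:process setcurrent;` already exists elsewhere in adbd.te (not visible here), it is only the `permissive adbd;` line above that keeps the setcon() call from being denied once adbd is made enforcing. Suggested comment above L15: `# adbd calls setcon() to enter su when it runs as root (adb root); a dyntransition, not an exec, so fds/mappings carry over. userdebug/eng only.`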
diff --git a/domain.te b/domain.te
index c8063f7..b13ad75 100644
--- a/domain.te
+++ b/domain.te
@@ -28,6 +28,20 @@
allow domain adbd:fd use;
allow domain adbd:unix_stream_socket { getattr getopt read write shutdown };
+userdebug_or_eng(`
+ # Same as adbd rules above, except allow su to do the same thing
+ allow domain su:unix_stream_socket connectto;
+ allow domain su:fd use;
+ allow domain su:unix_stream_socket { getattr getopt read write shutdown };
+
+ # Running something like "pm dump com.android.bluetooth" requires
+ # fifo writes
+ allow domain su:fifo_file { write getattr };
+
+ # allow "gdbserver --attach" to work for su.
+ allow domain su:process sigchld;
+')
+
###
### Talk to debuggerd.
###
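Review bot: The comment at L26 reads backwards: these rules do not let su do anything, they let every domain treat su-owned sockets, fds and pipes the way the adbd rules above already allow, which matters once adbd itself runs in the su domain on `adb root`. Suggested wording: `# Mirror the adbd rules above for su: on userdebug/eng, adbd runs in the su domain when it runs as root, so every domain must be able to talk to su-owned sockets, fds and pipes.` It is also worth a one-line reminder that permissive mode applies to the subject, so `permissive su;` in su.te does not excuse an enforcing domain's access to su-owned objects, and that `allow domain su:unix_stream_socket connectto;` lets any process connect to any listening socket su creates, acceptable only because the block is userdebug_or_eng and su is already unconfined. The fifo rule grants only `write getattr`; a confined domain that has to read from a su-created pipe (stdin fed from a shell pipeline) would still be denied, which may be intended but should be checked against the developer workflows the commit is meant to unbreak.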
diff --git a/su.te b/su.te
index b4b9f6d..7b6899a 100644
--- a/su.te
+++ b/su.te
@@ -12,6 +12,11 @@
# su is unconfined.
unconfined_domain(su)
+ allow su ashmem_device:chr_file execute;
+ allow su self:process execmem;
+ tmpfs_domain(su)
+ allow su su_tmpfs:file execute;
+
# su is also permissive to permit setenforce.
permissive su;
')
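Review bot: The four added rules at L49–L52 carry no comment, and a reader cannot tell from this file why `unconfined_domain(su)` on the line above is not sufficient. Presumably unconfined_domain deliberately omits executable memory (execmem, and execute on ashmem- or tmpfs-backed files) and the adbd/shell workloads now running in su need it, e.g. gdbserver or a JIT code cache on ashmem, but that is inferred rather than visible here, so the comment should name the actual trigger. Suggested comment above L49: `# unconfined_domain() does not grant executable memory; tooling run from su (e.g. gdbserver, JIT-backed processes) needs execmem and execute on ashmem/tmpfs files.` Since `permissive su;` stays in place, these allows only silence audit denials, so the real boundary is the userdebug_or_eng wrapper that encloses this block (closed by the `')` at L56), which is worth stating explicitly next to the new rules.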