commit 938ab05d729aa83abfe16e933ca70e0dee4c22ae
author Tom Cherry <tomcherry@google.com> Fri Aug 03 10:49:20 2018 -0700
committer Tom Cherry <tomcherry@google.com> Fri Aug 03 19:41:03 2018 +0000
tree f8e2ca62f9c2177d51a2c53fd353b2472eb7e654
parent d840374e654881fbd633acc68b827244d2a28768

Allow init to execute services marked with seclabel u:r:su:s0 in userdebug/eng

This is do aid developers pushing debug services to not need to modify
the underlying SEPolicy

avc: denied { transition } for comm="init" path="/system/bin/awk"
dev="dm-0" ino=1934 scontext=u:r:init:s0 tcontext=u:r:su:s0
tclass=process
avc: denied { rlimitinh } for comm="awk" scontext=u:r:init:s0
tcontext=u:r:su:s0 tclass=process
avc: denied { siginh } for comm="awk" scontext=u:r:init:s0
tcontext=u:r:su:s0 tclass=process
avc: denied { noatsecure } for comm="awk" scontext=u:r:init:s0
tcontext=u:r:su:s0 tclass=process

Test: init can execute a system_file marked with seclabel u:r:su:s0
Change-Id: I85d9528341fe08dbb2fb9a91e34a41f41aa093be

private/init.te

diff --git a/private/init.te b/private/init.te
index 4cf6922..02686a3 100644
--- a/private/init.te
+++ b/private/init.te
@@ -15,7 +15,12 @@
 domain_trans(init, init_exec, ueventd)
 domain_trans(init, init_exec, vendor_init)
 domain_trans(init, { rootfs toolbox_exec }, modprobe)
-# case where logpersistd is actually logcat -f in logd context (nee: logcatd)
 userdebug_or_eng(`
+  # case where logpersistd is actually logcat -f in logd context (nee: logcatd)
   domain_auto_trans(init, logcat_exec, logpersist)
+
+  # allow init to execute services marked with seclabel u:r:su:s0 in userdebug/eng
+  allow init su:process transition;
+  dontaudit init su:process noatsecure;
+  allow init su:process { siginh rlimitinh };
 ')