Adb root is supported in Microdroid on user builds

In Android, adb root is disabled at build-time by not compiling
sepolicies which allow adbd to run in the `su` domain.

However, in Microdroid, adb root should be supported even on user builds
because fully-debuggable VMs can be started and adb root is expected
there. Note that adb root is still not supported in non-debuggable VMs
by not starting it at all.

This change removes `userdebug_or_eng` conditions from the policies for
adb root. In addition, the `su` domain where adbd runs when rooted is
explicitly marked as a permissive domain allowed.

Bug: 259729287
Test: build a user variant, run fully debuggable microdroid VM. adb root
works there.
Test: run non-debuggable microdroid VM. adb shell (not even adb root)
doesn't work.
Change-Id: I8bb40b7472dcda6619a587e832e22d3cb290c6b9

diff --git a/microdroid/system/private/su.te b/microdroid/system/private/su.te
index 6b7c18c..533b328 100644
--- a/microdroid/system/private/su.te
+++ b/microdroid/system/private/su.te
@@ -1,7 +1,4 @@
-userdebug_or_eng(`
- typeattribute su coredomain;
+typeattribute su coredomain;
- # su is also permissive to permit setenforce.
- permissive su;
-
-')
+# su is also permissive to permit setenforce.
+permissive su;
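
Review bot: the unconditional `permissive su;` at the end of this hunk now ships in user-build policy, and nothing in su.te records why that is acceptable. The retained comment ("su is also permissive to permit setenforce") explains the permissive mark but not why the `userdebug_or_eng(` guard could be dropped. Suggest adding a comment above `typeattribute su coredomain;` stating that the su domain is only expected to be entered in fully debuggable VMs because adbd is not started otherwise, as the commit message describes, so a later reader does not take this for an accidental loss of the guard. Since the protection for non-debuggable VMs now rests on adbd not being started rather than on the policy being absent from the build, the comment should also say where that start condition is enforced.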