Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 116a20fdb6d9033e82e0c2fd421e054cfbc8c3b3 / . / su.te
blob: 1317fb2a2ec78301adaf5ae1545701a010c45d77 [file] [log] [blame]
Nick Kralevich88ce9512014-01-09 15:25:36 -0800[diff] [blame]1# File types must be defined for file_contexts.
Stephen Smalley01301542013-09-27 10:38:14 -0400[diff] [blame]2type su_exec, exec_type, file_type;
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]3
Nick Kralevich88ce9512014-01-09 15:25:36 -0800[diff] [blame]4userdebug_or_eng(`
5 type su, domain;
6 domain_auto_trans(shell, su_exec, su)
Nick Kralevich09e6abd2013-12-13 22:19:45 -0800[diff] [blame]7
Nick Kralevich88ce9512014-01-09 15:25:36 -0800[diff] [blame]8 # Allow dumpstate to call su on userdebug / eng builds to collect
9 # additional information.
10 domain_auto_trans(dumpstate, su_exec, su)
Stephen Smalleyd99e6d52013-12-02 14:18:11 -0500[diff] [blame]11
Nick Kralevich88ce9512014-01-09 15:25:36 -0800[diff] [blame]12 # su is unconfined.
13 unconfined_domain(su)
14
Nick Kralevich7d0f9552014-01-18 18:07:06 -0800[diff] [blame]15 allow su ashmem_device:chr_file execute;
16 allow su self:process execmem;
17 tmpfs_domain(su)
18 allow su su_tmpfs:file execute;
Nick Kralevich116a20f2014-02-05 16:36:25 -0800[diff] [blame^]19 allow su debuggerd_prop:property_service set;
Nick Kralevich7d0f9552014-01-18 18:07:06 -0800[diff] [blame]20
Nick Kralevich88ce9512014-01-09 15:25:36 -0800[diff] [blame]21 # su is also permissive to permit setenforce.
22 permissive su;
23')