Blame - su.te - android_system_sepolicy

blob: dab52103ccd67c2ef78bca334a54a7a9ef136335 [file] [log] [blame]

Nick Kralevich	88ce951	2014-01-09 15:25:36 -0800	[diff] [blame]	1	# File types must be defined for file_contexts.
Stephen Smalley	0130154	2013-09-27 10:38:14 -0400	[diff] [blame]	2	type su_exec, exec_type, file_type;
Stephen Smalley	2dd4e51	2012-01-04 12:33:27 -0500	[diff] [blame]	3
Nick Kralevich	88ce951	2014-01-09 15:25:36 -0800	[diff] [blame]	4	userdebug_or_eng(`
Stephen Smalley	b3cb969	2014-02-21 13:45:29 -0500	[diff] [blame]	5	# Domain used for su processes, as well as for adbd and adb shell
				6	# after performing an adb root command. The domain definition is
				7	# wrapped to ensure that it does not exist at all on -user builds.
Nick Kralevich	b54f92b	2014-09-22 17:44:00 -0700	[diff] [blame]	8	type su, domain, mlstrustedsubject;
Nick Kralevich	88ce951	2014-01-09 15:25:36 -0800	[diff] [blame]	9	domain_auto_trans(shell, su_exec, su)
Nick Kralevich	09e6abd	2013-12-13 22:19:45 -0800	[diff] [blame]	10
Nick Kralevich	88ce951	2014-01-09 15:25:36 -0800	[diff] [blame]	11	# Allow dumpstate to call su on userdebug / eng builds to collect
				12	# additional information.
				13	domain_auto_trans(dumpstate, su_exec, su)
Stephen Smalley	d99e6d5	2013-12-02 14:18:11 -0500	[diff] [blame]	14
Christopher Ferris	5ec38c4	2015-01-29 12:11:55 -0800	[diff] [blame^]	15	# Make sure that dumpstate runs the same from the "su" domain as
				16	# from the "init" domain.
				17	domain_auto_trans(su, dumpstate_exec, dumpstate)
				18
Nick Kralevich	88ce951	2014-01-09 15:25:36 -0800	[diff] [blame]	19	# su is also permissive to permit setenforce.
				20	permissive su;
Sreeram Ramachandran	bc32018	2014-05-02 14:50:26 -0700	[diff] [blame]	21
Nick Kralevich	213bb45	2014-07-12 12:46:58 -0700	[diff] [blame]	22	# Add su to various domains
Sreeram Ramachandran	bc32018	2014-05-02 14:50:26 -0700	[diff] [blame]	23	net_domain(su)
Nick Kralevich	213bb45	2014-07-12 12:46:58 -0700	[diff] [blame]	24	app_domain(su)
Nick Kralevich	af7deff	2014-05-27 15:46:39 -0700	[diff] [blame]	25
				26	dontaudit su self:capability_class_set *;
				27	dontaudit su kernel:security *;
				28	dontaudit su kernel:system *;
				29	dontaudit su self:memprotect *;
				30	dontaudit su domain:process *;
				31	dontaudit su domain:fd *;
				32	dontaudit su domain:dir *;
				33	dontaudit su domain:lnk_file *;
				34	dontaudit su domain:{ fifo_file file } *;
				35	dontaudit su domain:socket_class_set *;
				36	dontaudit su domain:ipc_class_set *;
				37	dontaudit su domain:key *;
				38	dontaudit su fs_type:filesystem *;
				39	dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
				40	dontaudit su node_type:node *;
				41	dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
				42	dontaudit su netif_type:netif *;
				43	dontaudit su port_type:socket_class_set *;
				44	dontaudit su port_type:{ tcp_socket dccp_socket } *;
				45	dontaudit su domain:peer *;
				46	dontaudit su domain:binder *;
				47	dontaudit su property_type:property_service *;
Nick Kralevich	bf254b4	2015-01-06 12:50:19 -0800	[diff] [blame]	48	dontaudit su service_manager_type:service_manager *;
				49	dontaudit su keystore:keystore_key *;
				50	dontaudit su domain:debuggerd *;
				51	dontaudit su domain:drmservice *;
Nick Kralevich	88ce951	2014-01-09 15:25:36 -0800	[diff] [blame]	52	')