# File types must be defined for file_contexts.
# su_exec is declared outside the userdebug_or_eng() block below so that
# file_contexts can label the binary on every build variant; only the
# su domain itself is withheld from -user builds.
type su_exec, exec_type, file_type;

userdebug_or_eng(`
# Domain used for su processes, as well as for adbd and adb shell
# after performing an adb root command. The domain definition is
# wrapped to ensure that it does not exist at all on -user builds.
type su, domain;
# A shell-domain process executing a su_exec-labeled file transitions
# into the su domain.
domain_auto_trans(shell, su_exec, su)

# Allow dumpstate to call su on userdebug / eng builds to collect
# additional information.
domain_auto_trans(dumpstate, su_exec, su)

# su is unconfined.
unconfined_domain(su)

# Executable-memory permissions granted explicitly: executing ashmem
# mappings, anonymous executable memory (execmem) and executable files in
# su's own tmpfs (su_tmpfs, declared by tmpfs_domain). NOTE(review):
# presumably these are not part of unconfined_domain() — confirm against
# the unconfined_domain definition.
allow su ashmem_device:chr_file execute;
allow su self:process execmem;
tmpfs_domain(su)
allow su su_tmpfs:file execute;
# su may set properties labeled debuggerd_prop.
allow su debuggerd_prop:property_service set;

# su is also permissive to permit setenforce.
# In permissive mode denials for this domain are only audited, never
# enforced.
permissive su;
')