Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / bc320187b912c6c00fedde1fc3f89f74924f06bd / . / su.te
blob: c17fd0bf437c074b7c0c456c01c7c115b2cd0ac8 [file] [log] [blame]
Nick Kralevich88ce9512014-01-09 15:25:36 -0800[diff] [blame]1# File types must be defined for file_contexts.
Stephen Smalley01301542013-09-27 10:38:14 -0400[diff] [blame]2type su_exec, exec_type, file_type;
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]3
Nick Kralevich88ce9512014-01-09 15:25:36 -0800[diff] [blame]4userdebug_or_eng(`
Stephen Smalleyb3cb9692014-02-21 13:45:29 -0500[diff] [blame]5 # Domain used for su processes, as well as for adbd and adb shell
6 # after performing an adb root command. The domain definition is
7 # wrapped to ensure that it does not exist at all on -user builds.
Nick Kralevich88ce9512014-01-09 15:25:36 -0800[diff] [blame]8 type su, domain;
9 domain_auto_trans(shell, su_exec, su)
Nick Kralevich09e6abd2013-12-13 22:19:45 -0800[diff] [blame]10
Nick Kralevich88ce9512014-01-09 15:25:36 -0800[diff] [blame]11 # Allow dumpstate to call su on userdebug / eng builds to collect
12 # additional information.
13 domain_auto_trans(dumpstate, su_exec, su)
Stephen Smalleyd99e6d52013-12-02 14:18:11 -0500[diff] [blame]14
Nick Kralevich88ce9512014-01-09 15:25:36 -0800[diff] [blame]15 # su is unconfined.
16 unconfined_domain(su)
17
Nick Kralevich7d0f9552014-01-18 18:07:06 -0800[diff] [blame]18 allow su ashmem_device:chr_file execute;
19 allow su self:process execmem;
20 tmpfs_domain(su)
21 allow su su_tmpfs:file execute;
Nick Kralevich116a20f2014-02-05 16:36:25 -0800[diff] [blame]22 allow su debuggerd_prop:property_service set;
Nick Kralevich7d0f9552014-01-18 18:07:06 -0800[diff] [blame]23
Nick Kralevich88ce9512014-01-09 15:25:36 -0800[diff] [blame]24 # su is also permissive to permit setenforce.
25 permissive su;
Sreeram Ramachandranbc320182014-05-02 14:50:26 -0700[diff] [blame^]26
27 # Make su a net domain.
28 net_domain(su)
Nick Kralevich88ce9512014-01-09 15:25:36 -0800[diff] [blame]29')