Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / d3451f88bead7e9c2fd9c9df01f76b379532242f / . / private / su.te
blob: 072e8db79404d6914d11a92757d56b26412b6e0b [file] [log] [blame]
Nick Kralevich88ce9512014-01-09 15:25:36 -0800[diff] [blame]1userdebug_or_eng(`
Alex Klyubin6b558dc2017-03-24 09:30:19 -0700[diff] [blame]2 typeattribute su coredomain;
3
Nick Kralevich88ce9512014-01-09 15:25:36 -0800[diff] [blame]4 domain_auto_trans(shell, su_exec, su)
Nick Kralevich88ce9512014-01-09 15:25:36 -0800[diff] [blame]5 # Allow dumpstate to call su on userdebug / eng builds to collect
6 # additional information.
7 domain_auto_trans(dumpstate, su_exec, su)
Stephen Smalleyd99e6d52013-12-02 14:18:11 -0500[diff] [blame]8
Christopher Ferris5ec38c42015-01-29 12:11:55 -0800[diff] [blame]9 # Make sure that dumpstate runs the same from the "su" domain as
10 # from the "init" domain.
11 domain_auto_trans(su, dumpstate_exec, dumpstate)
12
Joe Onorato41f93db2016-11-20 23:23:04 -0800[diff] [blame]13 # Put the incident command into its domain so it is the same on user, userdebug and eng.
14 domain_auto_trans(su, incident_exec, incident)
15
Primiano Tucci1a9f4f72018-01-24 16:07:09 +0000[diff] [blame]16 # Put the perfetto command into its domain so it is the same on user, userdebug and eng.
17 domain_auto_trans(su, perfetto_exec, perfetto)
18
Nick Kralevich35e92392017-11-01 10:17:28 -0700[diff] [blame]19 # su is also permissive to permit setenforce.
Nick Kralevich88ce9512014-01-09 15:25:36 -0800[diff] [blame]20 permissive su;
Sreeram Ramachandranbc320182014-05-02 14:50:26 -0700[diff] [blame]21
dcashman3e8dbf02016-12-08 11:23:34 -0800[diff] [blame]22 app_domain(su)
Janis Danisevskisd3451f82020-07-27 13:06:11 -0700[diff] [blame^]23
24 # Do not audit accesses to keystore2 namespace for the su domain.
25 dontaudit su keystore2_key_type:{ keystore2 keystore2_key } *;
26
Nick Kralevich88ce9512014-01-09 15:25:36 -0800[diff] [blame]27')