# Policy for the su domain (root shell on debug builds).
#
# The whole file body is wrapped in userdebug_or_eng(...), so none of these
# rules exist on user builds: the su domain, its transitions and its audit
# suppressions are compiled in only for userdebug and eng images.
userdebug_or_eng(`
# su is a core (system-image) domain, not a vendor one.
typeattribute su coredomain;

# Executing a su_exec-labelled binary from the shell domain transitions into su.
domain_auto_trans(shell, su_exec, su)
# Allow dumpstate to call su on userdebug / eng builds to collect
# additional information.
domain_auto_trans(dumpstate, su_exec, su)

# Make sure that dumpstate runs the same from the "su" domain as
# from the "init" domain.
domain_auto_trans(su, dumpstate_exec, dumpstate)

# Put the incident command into its domain so it is the same on user, userdebug and eng.
domain_auto_trans(su, incident_exec, incident)

# Put the odrefresh command into its domain.
domain_auto_trans(su, odrefresh_exec, odrefresh)

# Put the perfetto command into its domain so it is the same on user, userdebug and eng.
domain_auto_trans(su, perfetto_exec, perfetto)

# Allow accessing virtualization (e.g. via the vm command) - ensures virtmgr runs in its
# own domain.
virtualizationservice_use(su)

# su is also permissive to permit setenforce.
#
# A permissive domain has denials logged but not enforced, so the allow rules
# in this file are not what bounds su; they mainly keep the audit log quiet
# and keep child processes (dumpstate, incident, perfetto, ...) in their own
# enforcing domains via the transitions above. Combined with the dontaudit
# rules further down, most su activity leaves no avc record at all.
permissive su;

# Treat su like an application domain (app_domain macro).
app_domain(su)

# Do not audit accesses to keystore2 namespace for the su domain.
dontaudit su keystore2_key_type:{ keystore2 keystore2_key } *;

# MLS: su is a trusted subject, i.e. exempt from the MLS level constraints.
typeattribute su mlstrustedsubject;

# Add su to various domains
net_domain(su)

# grant su access to vndbinder
vndbinder_use(su)

# Audit suppression for su. dontaudit never grants access; with su already
# permissive these rules only stop the resulting denials from being logged.
# Triage note: the absence of an avc denial from su on a debug build is
# expected here and says nothing about whether the access would be allowed
# in an enforcing domain.
dontaudit su self:capability_class_set *;
dontaudit su self:capability2 *;
dontaudit su kernel:security *;
dontaudit su { kernel file_type }:system *;
dontaudit su self:memprotect *;
dontaudit su domain:anon_inode *;
dontaudit su domain:{ process process2 } *;
dontaudit su domain:fd *;
dontaudit su domain:dir *;
dontaudit su domain:lnk_file *;
dontaudit su domain:{ fifo_file file } *;
dontaudit su domain:socket_class_set *;
dontaudit su domain:ipc_class_set *;
dontaudit su domain:key *;
dontaudit su {fs_type fusefs_type}:filesystem *;
dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
dontaudit su node_type:node *;
dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
dontaudit su netif_type:netif *;
dontaudit su port_type:socket_class_set *;
dontaudit su port_type:{ tcp_socket dccp_socket } *;
dontaudit su domain:peer *;
dontaudit su domain:binder *;
dontaudit su property_type:property_service *;
dontaudit su property_type:file *;
dontaudit su service_manager_type:service_manager *;
dontaudit su hwservice_manager_type:hwservice_manager *;
dontaudit su vndservice_manager_type:service_manager *;
dontaudit su servicemanager:service_manager list;
dontaudit su hwservicemanager:hwservice_manager list;
dontaudit su vndservicemanager:service_manager list;
dontaudit su keystore:keystore2 *;
dontaudit su domain:drmservice *;
dontaudit su unlabeled:filesystem *;
dontaudit su postinstall_file:filesystem *;
dontaudit su domain:bpf *;
dontaudit su unlabeled:vsock_socket *;
dontaudit su self:perf_event *;

# VTS tests run in the permissive su domain on debug builds, but the HALs
# being tested run in enforcing mode. Because hal_foo_server is enforcing
# su needs to be declared as hal_foo_client to grant hal_foo_server
# permission to interact with it.
#
# These client attributes are what the enforcing HAL server domains check;
# su being permissive does not help on that side of the call.
# NOTE(review): the list is otherwise alphabetical, but hal_cas_client
# below sits after hal_drm_client instead of after hal_camera_client.
typeattribute su halclientdomain;
typeattribute su hal_allocator_client;
typeattribute su hal_atrace_client;
typeattribute su hal_audio_client;
typeattribute su hal_authsecret_client;
typeattribute su hal_bluetooth_client;
typeattribute su hal_bootctl_client;
typeattribute su hal_camera_client;
typeattribute su hal_configstore_client;
typeattribute su hal_confirmationui_client;
typeattribute su hal_contexthub_client;
typeattribute su hal_drm_client;
typeattribute su hal_cas_client;
typeattribute su hal_dumpstate_client;
typeattribute su hal_fingerprint_client;
typeattribute su hal_gatekeeper_client;
typeattribute su hal_gnss_client;
typeattribute su hal_graphics_allocator_client;
typeattribute su hal_graphics_composer_client;
typeattribute su hal_health_client;
typeattribute su hal_input_classifier_client;
typeattribute su hal_ir_client;
typeattribute su hal_keymaster_client;
typeattribute su hal_light_client;
typeattribute su hal_mediaquality_client;
typeattribute su hal_memtrack_client;
typeattribute su hal_neuralnetworks_client;
typeattribute su hal_nfc_client;
typeattribute su hal_oemlock_client;
typeattribute su hal_power_client;
typeattribute su hal_rebootescrow_client;
typeattribute su hal_secretkeeper_client;
typeattribute su hal_secure_element_client;
typeattribute su hal_sensors_client;
typeattribute su hal_telephony_client;
typeattribute su hal_tetheroffload_client;
typeattribute su hal_thermal_client;
typeattribute su hal_tv_cec_client;
typeattribute su hal_tv_hdmi_cec_client;
typeattribute su hal_tv_hdmi_connection_client;
typeattribute su hal_tv_hdmi_earc_client;
typeattribute su hal_tv_input_client;
typeattribute su hal_tv_tuner_client;
typeattribute su hal_usb_client;
typeattribute su hal_vibrator_client;
typeattribute su hal_vm_capabilities_client;
typeattribute su hal_vr_client;
typeattribute su hal_weaver_client;
typeattribute su hal_wifi_client;
typeattribute su hal_wifi_hostapd_client;
typeattribute su hal_wifi_supplicant_client;
# End of the userdebug_or_eng(...) quoted body opened at the top of the file.
')