platform_system_sepolicy/private/su.te

userdebug_or_eng(`
  domain_auto_trans(shell, su_exec, su)
  # Allow dumpstate to call su on userdebug / eng builds to collect
  # additional information.
  domain_auto_trans(dumpstate, su_exec, su)

  # Make sure that dumpstate runs the same from the "su" domain as
  # from the "init" domain.
  domain_auto_trans(su, dumpstate_exec, dumpstate)

# su is also permissive to permit setenforce.
  permissive su;

  # app_domain fallout
  tmpfs_domain(su)
  # Map with PROT_EXEC.
  allow su su_tmpfs:file execute;
')
Create new conditional userdebug_or_eng Create a new m4 macro called userdebug_or_eng. Arguments passed to this macro are only emitted if we're performing a userdebug or eng build. Merge shell.te and shell_user.te and eliminate duplicate lines. Same for su.te and su_user.te Change-Id: I8fbabca65ec392aeafd5b90cef57b5066033fad0 2014-01-10 00:25:36 +01:00			userdebug_or_eng(`
			`domain_auto_trans(shell, su_exec, su)`
			`# Allow dumpstate to call su on userdebug / eng builds to collect`
			`# additional information.`
			`domain_auto_trans(dumpstate, su_exec, su)`
Restrict the ability to set SELinux enforcing mode to init. Also make su and shell permissive in non-user builds to allow use of setenforce without violating the neverallow rule. Change-Id: Ie76ee04e90d5a76dfaa5f56e9e3eb7e283328a3f Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> 2013-12-02 20:18:11 +01:00
Dumpstate runs the same from shell as service. Without this change, any selinux warning you might get when running dumpstate from init do not show up when running from the shell as root. This change makes them run the same. Change-Id: I6b74e0f6f48f47952a2dbe7728b1853008f60dbb 2015-01-29 21:11:55 +01:00			`# Make sure that dumpstate runs the same from the "su" domain as`
			`# from the "init" domain.`
			`domain_auto_trans(su, dumpstate_exec, dumpstate)`

sepolicy: add version_policy tool and version non-platform policy. In order to support platform changes without simultaneous updates from non-platform components, the platform and non-platform policies must be split. In order to provide a guarantee that policy written for non-platform objects continues to provide the same access, all types exposed to non-platform policy are versioned by converting them and the policy using them into attributes. This change performs that split, the subsequent versioning and also generates a mapping file to glue the different policy components together. Test: Device boots and runs. Bug: 31369363 Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317 2016-10-12 23:58:09 +02:00			`# su is also permissive to permit setenforce.`
Create new conditional userdebug_or_eng Create a new m4 macro called userdebug_or_eng. Arguments passed to this macro are only emitted if we're performing a userdebug or eng build. Merge shell.te and shell_user.te and eliminate duplicate lines. Same for su.te and su_user.te Change-Id: I8fbabca65ec392aeafd5b90cef57b5066033fad0 2014-01-10 00:25:36 +01:00			`permissive su;`
Make su a net domain. Change-Id: Ied6e6eba4895524cf8b442694cc48ef2d6f9a811 2014-05-02 23:50:26 +02:00
sepolicy: add version_policy tool and version non-platform policy. In order to support platform changes without simultaneous updates from non-platform components, the platform and non-platform policies must be split. In order to provide a guarantee that policy written for non-platform objects continues to provide the same access, all types exposed to non-platform policy are versioned by converting them and the policy using them into attributes. This change performs that split, the subsequent versioning and also generates a mapping file to glue the different policy components together. Test: Device boots and runs. Bug: 31369363 Change-Id: Ibfd3eb077bd9b8e2ff3b2e6a0ca87e44d78b1317 2016-10-12 23:58:09 +02:00			`# app_domain fallout`
			`tmpfs_domain(su)`
			`# Map with PROT_EXEC.`
			`allow su su_tmpfs:file execute;`
Create new conditional userdebug_or_eng Create a new m4 macro called userdebug_or_eng. Arguments passed to this macro are only emitted if we're performing a userdebug or eng build. Merge shell.te and shell_user.te and eliminate duplicate lines. Same for su.te and su_user.te Change-Id: I8fbabca65ec392aeafd5b90cef57b5066033fad0 2014-01-10 00:25:36 +01:00			`')`