Tweak rules for su domain.
1) Remove explicit allow statements. Since su is in permmissive,
there's no need to ever specify allow statements for su.
2) Remove unconfined_domain(su). Su is already permissive, so there's
no need to join the unconfined domain, and it just makes getting
rid of unconfined more difficult.
3) Put su into app_domain(). This addresses, in a roundabout sorta
way, the following denial:
type=1400 audit(0.0:4): avc: denied { setsched } for scontext=u:r:system_server:s0 tcontext=u:r:su:s0 tclass=process permissive=0
which comes up while testing media processes as root. We already put
the shell user into this domain, so adding su to this domain ensures
other processes can communicate consistently with su spawned processes.
Bug: 16261280
Bug: 16298582
Change-Id: I30b6d3cc186bda737a23c25f4fa2a577c2afd4d7
This commit is contained in:
Nick Kralevich
parent
8395bb4ad0
commit
213bb45bdd
1 changed files with 2 additions and 10 deletions
12
su.te
12
su.te
|
|
@ -12,20 +12,12 @@ userdebug_or_eng(`
|
|||
# additional information.
|
||||
domain_auto_trans(dumpstate, su_exec, su)
|
||||
|
||||
# su is unconfined.
|
||||
unconfined_domain(su)
|
||||
|
||||
allow su ashmem_device:chr_file execute;
|
||||
allow su self:process execmem;
|
||||
tmpfs_domain(su)
|
||||
allow su su_tmpfs:file execute;
|
||||
allow su debuggerd_prop:property_service set;
|
||||
|
||||
# su is also permissive to permit setenforce.
|
||||
permissive su;
|
||||
|
||||
# Make su a net domain.
|
||||
# Add su to various domains
|
||||
net_domain(su)
|
||||
app_domain(su)
|
||||
|
||||
dontaudit su self:capability_class_set *;
|
||||
dontaudit su kernel:security *;
|
||||
|
|
|
|||
Loading…
Reference in a new issue