From 938ab05d729aa83abfe16e933ca70e0dee4c22ae Mon Sep 17 00:00:00 2001
From: Tom Cherry <tomcherry@google.com>
Date: Fri, 3 Aug 2018 10:49:20 -0700
Subject: [PATCH] Allow init to execute services marked with seclabel u:r:su:s0
 in userdebug/eng

This is do aid developers pushing debug services to not need to modify
the underlying SEPolicy

avc: denied { transition } for comm="init" path="/system/bin/awk"
dev="dm-0" ino=1934 scontext=u:r:init:s0 tcontext=u:r:su:s0
tclass=process
avc: denied { rlimitinh } for comm="awk" scontext=u:r:init:s0
tcontext=u:r:su:s0 tclass=process
avc: denied { siginh } for comm="awk" scontext=u:r:init:s0
tcontext=u:r:su:s0 tclass=process
avc: denied { noatsecure } for comm="awk" scontext=u:r:init:s0
tcontext=u:r:su:s0 tclass=process

Test: init can execute a system_file marked with seclabel u:r:su:s0
Change-Id: I85d9528341fe08dbb2fb9a91e34a41f41aa093be
---
 private/init.te | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/private/init.te b/private/init.te
index 4cf692249..02686a3f4 100644
--- a/private/init.te
+++ b/private/init.te
@@ -15,7 +15,12 @@ domain_trans(init, shell_exec, shell)
 domain_trans(init, init_exec, ueventd)
 domain_trans(init, init_exec, vendor_init)
 domain_trans(init, { rootfs toolbox_exec }, modprobe)
-# case where logpersistd is actually logcat -f in logd context (nee: logcatd)
 userdebug_or_eng(`
+  # case where logpersistd is actually logcat -f in logd context (nee: logcatd)
   domain_auto_trans(init, logcat_exec, logpersist)
+
+  # allow init to execute services marked with seclabel u:r:su:s0 in userdebug/eng
+  allow init su:process transition;
+  dontaudit init su:process noatsecure;
+  allow init su:process { siginh rlimitinh };
 ')