userdebug_or_eng(` typeattribute su coredomain; domain_auto_trans(shell, su_exec, su) # Allow dumpstate to call su on userdebug / eng builds to collect # additional information. domain_auto_trans(dumpstate, su_exec, su) # Make sure that dumpstate runs the same from the "su" domain as # from the "init" domain. domain_auto_trans(su, dumpstate_exec, dumpstate) # Put the incident command into its domain so it is the same on user, userdebug and eng. domain_auto_trans(su, incident_exec, incident) # Put the odrefresh command into its domain. domain_auto_trans(su, odrefresh_exec, odrefresh) # Put the perfetto command into its domain so it is the same on user, userdebug and eng. domain_auto_trans(su, perfetto_exec, perfetto) # Allow accessing virtualization (e.g. via the vm command) - ensures virtmgr runs in its # own domain. virtualizationservice_use(su) # su is also permissive to permit setenforce. permissive su; app_domain(su) # Do not audit accesses to keystore2 namespace for the su domain. dontaudit su keystore2_key_type:{ keystore2 keystore2_key } *; # Allow root to set MTE permissive mode. set_prop(su, permissive_mte_prop); ')