3e8dbf01ef
app_domain was split up in commit:2e00e6373fto enable compilation by hiding type_transition rules from public policy. These rules need to be hidden from public policy because they describe how objects are labeled, of which non-platform should be unaware. Instead of cutting apart the app_domain macro, which non-platform policy may rely on for implementing new app types, move all app_domain calls to private policy. (cherry-pick of commit:76035ea019) Bug: 33428593 Test: bullhead and sailfish both boot. sediff shows no policy change. Change-Id: I4beead8ccc9b6e13c6348da98bb575756f539665
15 lines
431 B
Text
15 lines
431 B
Text
userdebug_or_eng(`
|
|
domain_auto_trans(shell, su_exec, su)
|
|
# Allow dumpstate to call su on userdebug / eng builds to collect
|
|
# additional information.
|
|
domain_auto_trans(dumpstate, su_exec, su)
|
|
|
|
# Make sure that dumpstate runs the same from the "su" domain as
|
|
# from the "init" domain.
|
|
domain_auto_trans(su, dumpstate_exec, dumpstate)
|
|
|
|
# su is also permissive to permit setenforce.
|
|
permissive su;
|
|
|
|
app_domain(su)
|
|
')
|