tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/private/su.te
Alan Stokes 8b4d612fd7 Allow su to access virtualization 
Use our standard macro for granting all the necessary permissions
instead of copying a part of it.

Add ioctl access for all clients for Unix stream sockets & pipes; this
allows them to be used for stdin/stdout without triggering
denials. (Only unpriv_sock_ioctls can be used.)

Together this allows a root shell to use `vm run` without getting
spurious denials such as:

avc:  denied  { ioctl } for  comm="crosvm" path="socket:[835168]"
dev="sockfs" ino=835168 ioctlcmd=0x5401 scontext=u:r:crosvm:s0
tcontext=u:r:su:s0 tclass=unix_stream_socket permissive=0

Bug: 316048644
Test: adb root,  adb shell /apex/com.android.virt/bin/vm run-microdroid
Test: atest MicrodroidTests
Change-Id: Ib5186c70714e295a770896cf8b628384f410b94d
2023-12-20 14:55:28 +00:00

36 lines
1.2 KiB
Text
Raw Blame History

userdebug_or_eng(`
typeattribute su coredomain;
domain_auto_trans(shell, su_exec, su)
# Allow dumpstate to call su on userdebug / eng builds to collect
# additional information.
domain_auto_trans(dumpstate, su_exec, su)
# Make sure that dumpstate runs the same from the "su" domain as
# from the "init" domain.
domain_auto_trans(su, dumpstate_exec, dumpstate)
# Put the incident command into its domain so it is the same on user, userdebug and eng.
domain_auto_trans(su, incident_exec, incident)
# Put the odrefresh command into its domain.
domain_auto_trans(su, odrefresh_exec, odrefresh)
# Put the perfetto command into its domain so it is the same on user, userdebug and eng.
domain_auto_trans(su, perfetto_exec, perfetto)
# Allow accessing virtualization (e.g. via the vm command) - ensures virtmgr runs in its
# own domain.
virtualizationservice_use(su)
# su is also permissive to permit setenforce.
permissive su;
app_domain(su)
# Do not audit accesses to keystore2 namespace for the su domain.
dontaudit su keystore2_key_type:{ keystore2 keystore2_key } *;
# Allow root to set MTE permissive mode.
set_prop(su, permissive_mte_prop);
')
Reference in a new issue View git blame Copy permalink