platform_system_sepolicy/su.te
Nick Kralevich b54f92bbf4 make su an mlstrustedsubject
Otherwise the following denial occurs when I3972f846ff5e7363799ba521f1258d662b18d64e
is present and "adb root" is run.

  <6>[   64.507223] type=1400 audit(1411432079.100:471): avc: denied { connectto } for pid=717 comm="JDWP" path=006A6477702D636F6E74726F6C scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:su:s0 tclass=unix_stream_socket permissive=1
  <6>[   64.507617] type=1400 audit(1411432079.100:472): avc: denied { connectto } for pid=1659 comm="JDWP" path=006A6477702D636F6E74726F6C scontext=u:r:platform_app:s0:c512,c768 tcontext=u:r:su:s0 tclass=unix_stream_socket permissive=1

Change-Id: I1772912b2ca1446b822303ad6ea3154427f8331f
2014-09-22 17:44:00 -07:00

44 lines
1.5 KiB
Text

# File types must be defined for file_contexts.
type su_exec, exec_type, file_type;
userdebug_or_eng(`
# Domain used for su processes, as well as for adbd and adb shell
# after performing an adb root command. The domain definition is
# wrapped to ensure that it does not exist at all on -user builds.
type su, domain, mlstrustedsubject;
domain_auto_trans(shell, su_exec, su)
# Allow dumpstate to call su on userdebug / eng builds to collect
# additional information.
domain_auto_trans(dumpstate, su_exec, su)
# su is also permissive to permit setenforce.
permissive su;
# Add su to various domains
net_domain(su)
app_domain(su)
dontaudit su self:capability_class_set *;
dontaudit su kernel:security *;
dontaudit su kernel:system *;
dontaudit su self:memprotect *;
dontaudit su domain:process *;
dontaudit su domain:fd *;
dontaudit su domain:dir *;
dontaudit su domain:lnk_file *;
dontaudit su domain:{ fifo_file file } *;
dontaudit su domain:socket_class_set *;
dontaudit su domain:ipc_class_set *;
dontaudit su domain:key *;
dontaudit su fs_type:filesystem *;
dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
dontaudit su node_type:node *;
dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
dontaudit su netif_type:netif *;
dontaudit su port_type:socket_class_set *;
dontaudit su port_type:{ tcp_socket dccp_socket } *;
dontaudit su domain:peer *;
dontaudit su domain:binder *;
dontaudit su property_type:property_service *;
')