0af2aa0be3
su is in permissive all the time. We don't want SELinux log spam from this domain. Addresses the following logspam: avc: granted { getattr } for comm="lsof" path="/sys/devices/virtual/graphics/fb0/vsync_event" dev="sysfs" ino=10815 scontext=u:r:su:s0 tcontext=u:object_r:sysfs:s0 tclass=file avc: granted { getattr } for comm="lsof" path="/sys/devices/virtual/thermal/thermal_zone2/temp" dev="sysfs" ino=15368 scontext=u:r:su:s0 tcontext=u:object_r:sysfs:s0 tclass=file avc: granted { read } for comm="sh" name="emmc_therm" dev="sysfs" ino=17583 scontext=u:r:su:s0 tcontext=u:object_r:sysfs:s0 tclass=file Change-Id: I8e17d3814e41b497b25ce00cd72698f0d22b3ab0
55 lines
1.9 KiB
Text
55 lines
1.9 KiB
Text
# File types must be defined for file_contexts.
|
|
type su_exec, exec_type, file_type;
|
|
|
|
userdebug_or_eng(`
|
|
# Domain used for su processes, as well as for adbd and adb shell
|
|
# after performing an adb root command. The domain definition is
|
|
# wrapped to ensure that it does not exist at all on -user builds.
|
|
type su, domain, mlstrustedsubject;
|
|
domain_auto_trans(shell, su_exec, su)
|
|
|
|
# Allow dumpstate to call su on userdebug / eng builds to collect
|
|
# additional information.
|
|
domain_auto_trans(dumpstate, su_exec, su)
|
|
|
|
# Make sure that dumpstate runs the same from the "su" domain as
|
|
# from the "init" domain.
|
|
domain_auto_trans(su, dumpstate_exec, dumpstate)
|
|
|
|
# su is also permissive to permit setenforce.
|
|
permissive su;
|
|
|
|
# Add su to various domains
|
|
net_domain(su)
|
|
app_domain(su)
|
|
|
|
dontaudit su self:capability_class_set *;
|
|
dontaudit su kernel:security *;
|
|
dontaudit su kernel:system *;
|
|
dontaudit su self:memprotect *;
|
|
dontaudit su domain:process *;
|
|
dontaudit su domain:fd *;
|
|
dontaudit su domain:dir *;
|
|
dontaudit su domain:lnk_file *;
|
|
dontaudit su domain:{ fifo_file file } *;
|
|
dontaudit su domain:socket_class_set *;
|
|
dontaudit su domain:ipc_class_set *;
|
|
dontaudit su domain:key *;
|
|
dontaudit su fs_type:filesystem *;
|
|
dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
|
|
dontaudit su node_type:node *;
|
|
dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
|
|
dontaudit su netif_type:netif *;
|
|
dontaudit su port_type:socket_class_set *;
|
|
dontaudit su port_type:{ tcp_socket dccp_socket } *;
|
|
dontaudit su domain:peer *;
|
|
dontaudit su domain:binder *;
|
|
dontaudit su property_type:property_service *;
|
|
dontaudit su property_type:file *;
|
|
dontaudit su service_manager_type:service_manager *;
|
|
dontaudit su servicemanager:service_manager list;
|
|
dontaudit su keystore:keystore_key *;
|
|
dontaudit su domain:debuggerd *;
|
|
dontaudit su domain:drmservice *;
|
|
dontaudit su unlabeled:filesystem *;
|
|
')
|