ADHOC/replicant-vendor_replicant
3
0
Fork 0
Code Issues 6 Pull Requests Releases Activity

Add selinux policies for superuser

Browse Source 
Change-Id: I878eaa9d25feaedf46e89083f91d6a21f4aff37a
This commit is contained in:
Ricardo Cerqueira 2014-11-26 21:34:15 +00:00
parent 12daaee8a5
commit 09159ac7ce
3 changed files with 67 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
sepolicy/file_contexts
View File

@ -14,3 +14,8 @@
/data/hostapd(/.*)? u:object_r:wifi_data_file:s0 /data/hostapd(/.*)? u:object_r:wifi_data_file:s0
/data/misc/radio(/.*)? u:object_r:radio_data_file:s0 /data/misc/radio(/.*)? u:object_r:radio_data_file:s0
#############
# Superuser's control sockets
/dev/com.android.settings.daemon(/.*)? u:object_r:superuser_device:s0
/dev/com.android.settings(/.*)? u:object_r:superuser_device:s0

1
sepolicy/sepolicy.mk
View File

@ -15,6 +15,7 @@ BOARD_SEPOLICY_UNION += \
auditd.te \ auditd.te \
installd.te \ installd.te \
netd.te \ netd.te \
su.te \
sysinit.te \ sysinit.te \
system.te \ system.te \
ueventd.te \ ueventd.te \

61
sepolicy/su.te Normal file
View File

@ -0,0 +1,61 @@
type superuser_device, file_type;
## Perms for the daemon
type sudaemon, domain;
userdebug_or_eng(`
domain_trans(init, su_exec, sudaemon)
# The userspace app uses /dev sockets to control per-app access
allow sudaemon superuser_device:dir { create rw_dir_perms setattr unlink };
allow sudaemon superuser_device:sock_file { create setattr unlink write };
# sudaemon is also permissive to permit setenforce.
permissive sudaemon;
# Add sudaemon to various domains
net_domain(sudaemon)
app_domain(sudaemon)
dontaudit sudaemon self:capability_class_set *;
dontaudit sudaemon kernel:security *;
dontaudit sudaemon kernel:system *;
dontaudit sudaemon self:memprotect *;
dontaudit sudaemon domain:process *;
dontaudit sudaemon domain:fd *;
dontaudit sudaemon domain:dir *;
dontaudit sudaemon domain:lnk_file *;
dontaudit sudaemon domain:{ fifo_file file } *;
dontaudit sudaemon domain:socket_class_set *;
dontaudit sudaemon domain:ipc_class_set *;
dontaudit sudaemon domain:key *;
dontaudit sudaemon fs_type:filesystem *;
dontaudit sudaemon {fs_type dev_type file_type}:dir_file_class_set *;
dontaudit sudaemon node_type:node *;
dontaudit sudaemon node_type:{ tcp_socket udp_socket rawip_socket } *;
dontaudit sudaemon netif_type:netif *;
dontaudit sudaemon port_type:socket_class_set *;
dontaudit sudaemon port_type:{ tcp_socket dccp_socket } *;
dontaudit sudaemon domain:peer *;
dontaudit sudaemon domain:binder *;
dontaudit sudaemon property_type:property_service *;
')
## Perms for the app
userdebug_or_eng(`
typealias shell alias suclient;
# Translate user apps to the shell domain when using su
domain_auto_trans(untrusted_app, su_exec, suclient)
allow suclient sudaemon:unix_stream_socket { connectto read write setopt ioctl };
allow suclient superuser_device:dir { create rw_dir_perms setattr unlink };
allow suclient superuser_device:sock_file { create setattr unlink write };
allow suclient untrusted_app_devpts:chr_file { read write ioctl };
# For Settings' control of access
allow system_app superuser_device:sock_file { read write create setattr unlink getattr };
allow system_app sudaemon:unix_stream_socket { connectto read write setopt ioctl };
allow system_app superuser_device:dir { create rw_dir_perms setattr unlink };
')