Add selinux policies for superuser

Change-Id: I878eaa9d25feaedf46e89083f91d6a21f4aff37a
2014-11-26 21:34:15 +00:00 · 2014-11-26 21:34:15 +00:00 · 09159ac7ce
commit 09159ac7ce
parent 12daaee8a5
3 changed files with 67 additions and 0 deletions
--- a/sepolicy/file_contexts
+++ b/sepolicy/file_contexts
@ -14,3 +14,8 @@

 /data/hostapd(/.*)?         u:object_r:wifi_data_file:s0
 /data/misc/radio(/.*)?      u:object_r:radio_data_file:s0
+
+#############
+# Superuser's control sockets
+/dev/com.android.settings.daemon(/.*)?   u:object_r:superuser_device:s0
+/dev/com.android.settings(/.*)?   u:object_r:superuser_device:s0
--- a/sepolicy/sepolicy.mk
+++ b/sepolicy/sepolicy.mk
@ -15,6 +15,7 @@ BOARD_SEPOLICY_UNION += \
    auditd.te \
    installd.te \
    netd.te \
+    su.te \
    sysinit.te \
    system.te \
    ueventd.te \
--- a/sepolicy/su.te
+++ b/sepolicy/su.te
@ -0,0 +1,61 @@
+type superuser_device, file_type;
+
+## Perms for the daemon
+
+type sudaemon, domain;
+
+userdebug_or_eng(`
+  domain_trans(init, su_exec, sudaemon)
+  # The userspace app uses /dev sockets to control per-app access
+  allow sudaemon superuser_device:dir { create rw_dir_perms setattr unlink };
+  allow sudaemon superuser_device:sock_file { create setattr unlink write };
+
+  # sudaemon is also permissive to permit setenforce.
+  permissive sudaemon;
+
+  # Add sudaemon to various domains
+  net_domain(sudaemon)
+  app_domain(sudaemon)
+
+  dontaudit sudaemon self:capability_class_set *;
+  dontaudit sudaemon kernel:security *;
+  dontaudit sudaemon kernel:system *;
+  dontaudit sudaemon self:memprotect *;
+  dontaudit sudaemon domain:process *;
+  dontaudit sudaemon domain:fd *;
+  dontaudit sudaemon domain:dir *;
+  dontaudit sudaemon domain:lnk_file *;
+  dontaudit sudaemon domain:{ fifo_file file } *;
+  dontaudit sudaemon domain:socket_class_set *;
+  dontaudit sudaemon domain:ipc_class_set *;
+  dontaudit sudaemon domain:key *;
+  dontaudit sudaemon fs_type:filesystem *;
+  dontaudit sudaemon {fs_type dev_type file_type}:dir_file_class_set *;
+  dontaudit sudaemon node_type:node *;
+  dontaudit sudaemon node_type:{ tcp_socket udp_socket rawip_socket } *;
+  dontaudit sudaemon netif_type:netif *;
+  dontaudit sudaemon port_type:socket_class_set *;
+  dontaudit sudaemon port_type:{ tcp_socket dccp_socket } *;
+  dontaudit sudaemon domain:peer *;
+  dontaudit sudaemon domain:binder *;
+  dontaudit sudaemon property_type:property_service *;
+')
+
+## Perms for the app
+
+userdebug_or_eng(`
+  typealias shell alias suclient;
+
+  # Translate user apps to the shell domain when using su
+  domain_auto_trans(untrusted_app, su_exec, suclient)
+
+  allow suclient sudaemon:unix_stream_socket { connectto read write setopt ioctl };
+
+  allow suclient superuser_device:dir { create rw_dir_perms setattr unlink };
+  allow suclient superuser_device:sock_file { create setattr unlink write };
+  allow suclient untrusted_app_devpts:chr_file { read write ioctl };
+  # For Settings' control of access
+  allow system_app superuser_device:sock_file { read write create setattr unlink getattr };
+  allow system_app sudaemon:unix_stream_socket { connectto read write setopt ioctl };
+  allow system_app superuser_device:dir { create rw_dir_perms setattr unlink };
+')