04fd9192b0
- Integrate policies from domain.te (fixes ES File Manager which uses unix socket) - Allow platform_app to use su (fixes CM File Manager) Change-Id: I39dd55e63b44590575bbe6d889c8d77141ba8545
75 lines
2.9 KiB
Plaintext
75 lines
2.9 KiB
Plaintext
type superuser_device, file_type;
|
|
|
|
## Perms for the daemon
|
|
|
|
type sudaemon, domain;
|
|
|
|
userdebug_or_eng(`
|
|
domain_trans(init, su_exec, sudaemon)
|
|
# The userspace app uses /dev sockets to control per-app access
|
|
allow sudaemon superuser_device:dir { create rw_dir_perms setattr unlink };
|
|
allow sudaemon superuser_device:sock_file { create setattr unlink write };
|
|
|
|
# sudaemon is also permissive to permit setenforce.
|
|
permissive sudaemon;
|
|
|
|
# Add sudaemon to various domains
|
|
net_domain(sudaemon)
|
|
app_domain(sudaemon)
|
|
|
|
dontaudit sudaemon self:capability_class_set *;
|
|
dontaudit sudaemon kernel:security *;
|
|
dontaudit sudaemon kernel:system *;
|
|
dontaudit sudaemon self:memprotect *;
|
|
dontaudit sudaemon domain:process *;
|
|
dontaudit sudaemon domain:fd *;
|
|
dontaudit sudaemon domain:dir *;
|
|
dontaudit sudaemon domain:lnk_file *;
|
|
dontaudit sudaemon domain:{ fifo_file file } *;
|
|
dontaudit sudaemon domain:socket_class_set *;
|
|
dontaudit sudaemon domain:ipc_class_set *;
|
|
dontaudit sudaemon domain:key *;
|
|
dontaudit sudaemon fs_type:filesystem *;
|
|
dontaudit sudaemon {fs_type dev_type file_type}:dir_file_class_set *;
|
|
dontaudit sudaemon node_type:node *;
|
|
dontaudit sudaemon node_type:{ tcp_socket udp_socket rawip_socket } *;
|
|
dontaudit sudaemon netif_type:netif *;
|
|
dontaudit sudaemon port_type:socket_class_set *;
|
|
dontaudit sudaemon port_type:{ tcp_socket dccp_socket } *;
|
|
dontaudit sudaemon domain:peer *;
|
|
dontaudit sudaemon domain:binder *;
|
|
dontaudit sudaemon property_type:property_service *;
|
|
')
|
|
|
|
## Perms for the app
|
|
|
|
userdebug_or_eng(`
|
|
typealias shell alias suclient;
|
|
|
|
# Translate user and platform apps to the shell domain when using su
|
|
domain_auto_trans(untrusted_app, su_exec, suclient)
|
|
domain_auto_trans(platform_app, su_exec, suclient)
|
|
|
|
allow suclient sudaemon:unix_stream_socket { connectto read write setopt ioctl };
|
|
|
|
allow suclient superuser_device:dir { create rw_dir_perms setattr unlink };
|
|
allow suclient superuser_device:sock_file { create setattr unlink write };
|
|
allow suclient untrusted_app_devpts:chr_file { read write ioctl };
|
|
# For Settings control of access
|
|
allow system_app superuser_device:sock_file { read write create setattr unlink getattr };
|
|
allow system_app sudaemon:unix_stream_socket { connectto read write setopt ioctl };
|
|
allow system_app superuser_device:dir { create rw_dir_perms setattr unlink };
|
|
|
|
## From external/sepolicy/domain.te adjusted from sudaemon
|
|
# Same as adbd rules above, except allow su to do the same thing
|
|
allow domain sudaemon:unix_stream_socket connectto;
|
|
allow domain sudaemon:fd use;
|
|
allow domain sudaemon:unix_stream_socket { getattr getopt read write shutdown };
|
|
binder_call(domain, sudaemon)
|
|
# Running something like "pm dump com.android.bluetooth" requires
|
|
# fifo writes
|
|
allow domain sudaemon:fifo_file { write getattr };
|
|
# allow "gdbserver --attach" to work for su.
|
|
allow domain sudaemon:process sigchld;
|
|
')
|