replicant-vendor_replicant/sepolicy/su.te
FrozenCow ec0322e31b cm: sepolicy: allow kernel to read storage
This fixes issues where the kernel would need to read and write
files from internal or external storage. More specifically, the
kernel needs these rules for USB mass storage to work correctly.

Change-Id: I8cb0307727bc0c464d5470e55275ad808e748ee0
2016-02-20 14:26:41 -08:00

70 lines
2.6 KiB
Plaintext

type superuser_device, file_type, mlstrustedobject;
## Perms for the daemon
userdebug_or_eng(`
domain_trans(init, su_exec, sudaemon)
typeattribute sudaemon domain, mlstrustedsubject;
type_transition sudaemon socket_device:sock_file superuser_device;
# The userspace app uses /dev sockets to control per-app access
allow sudaemon superuser_device:dir { create rw_dir_perms setattr unlink };
allow sudaemon superuser_device:sock_file { create setattr unlink write };
# sudaemon is also permissive to permit setenforce.
permissive sudaemon;
# Add sudaemon to various domains
net_domain(sudaemon)
app_domain(sudaemon)
dontaudit sudaemon self:capability_class_set *;
dontaudit sudaemon kernel:security *;
dontaudit sudaemon kernel:system *;
dontaudit sudaemon self:memprotect *;
dontaudit sudaemon domain:process *;
dontaudit sudaemon domain:fd *;
dontaudit sudaemon domain:dir *;
dontaudit sudaemon domain:lnk_file *;
dontaudit sudaemon domain:{ fifo_file file } *;
dontaudit sudaemon domain:socket_class_set *;
dontaudit sudaemon domain:ipc_class_set *;
dontaudit sudaemon domain:key *;
dontaudit sudaemon fs_type:filesystem *;
dontaudit sudaemon {fs_type dev_type file_type}:dir_file_class_set *;
dontaudit sudaemon node_type:node *;
dontaudit sudaemon node_type:{ tcp_socket udp_socket rawip_socket } *;
dontaudit sudaemon netif_type:netif *;
dontaudit sudaemon port_type:socket_class_set *;
dontaudit sudaemon port_type:{ tcp_socket dccp_socket } *;
dontaudit sudaemon domain:peer *;
dontaudit sudaemon domain:binder *;
dontaudit sudaemon property_type:property_service *;
dontaudit sudaemon appops_service:service_manager *;
')
## Perms for the app
userdebug_or_eng(`
# Translate user apps to the shell domain when using su
#
# PR_SET_NO_NEW_PRIVS blocks this :(
# we need to find a way to narrow this down to the actual exec.
# typealias shell alias suclient;
# domain_auto_trans(untrusted_app, su_exec, suclient)
allow untrusted_app su_exec:file { execute_no_trans getattr open read execute };
allow untrusted_app sudaemon:unix_stream_socket { connectto read write setopt ioctl };
allow untrusted_app superuser_device:dir { r_dir_perms };
allow untrusted_app superuser_device:sock_file { write };
# For Settings control of access
allow system_app superuser_device:sock_file { read write create setattr unlink getattr };
allow system_app sudaemon:unix_stream_socket { connectto read write setopt ioctl };
allow system_app superuser_device:dir { create rw_dir_perms setattr unlink };
allow kernel sudaemon:fd { use };
')