diff options
Diffstat (limited to 'sepolicy/su.te')
-rw-r--r-- | sepolicy/su.te | 67 |
1 files changed, 67 insertions, 0 deletions
diff --git a/sepolicy/su.te b/sepolicy/su.te new file mode 100644 index 0000000..9cd6345 --- /dev/null +++ b/sepolicy/su.te @@ -0,0 +1,67 @@ +type superuser_device, file_type, mlstrustedobject; + +## Perms for the daemon + +userdebug_or_eng(` + domain_trans(init, su_exec, sudaemon) + + typeattribute sudaemon domain, mlstrustedsubject; + + type_transition sudaemon socket_device:sock_file superuser_device; + # The userspace app uses /dev sockets to control per-app access + allow sudaemon superuser_device:dir { create rw_dir_perms setattr unlink }; + allow sudaemon superuser_device:sock_file { create setattr unlink write }; + + # sudaemon is also permissive to permit setenforce. + permissive sudaemon; + + # Add sudaemon to various domains + net_domain(sudaemon) + app_domain(sudaemon) + + dontaudit sudaemon self:capability_class_set *; + dontaudit sudaemon kernel:security *; + dontaudit sudaemon kernel:system *; + dontaudit sudaemon self:memprotect *; + dontaudit sudaemon domain:process *; + dontaudit sudaemon domain:fd *; + dontaudit sudaemon domain:dir *; + dontaudit sudaemon domain:lnk_file *; + dontaudit sudaemon domain:{ fifo_file file } *; + dontaudit sudaemon domain:socket_class_set *; + dontaudit sudaemon domain:ipc_class_set *; + dontaudit sudaemon domain:key *; + dontaudit sudaemon fs_type:filesystem *; + dontaudit sudaemon {fs_type dev_type file_type}:dir_file_class_set *; + dontaudit sudaemon node_type:node *; + dontaudit sudaemon node_type:{ tcp_socket udp_socket rawip_socket } *; + dontaudit sudaemon netif_type:netif *; + dontaudit sudaemon port_type:socket_class_set *; + dontaudit sudaemon port_type:{ tcp_socket dccp_socket } *; + dontaudit sudaemon domain:peer *; + dontaudit sudaemon domain:binder *; + dontaudit sudaemon property_type:property_service *; + dontaudit sudaemon appops_service:service_manager *; +') + +## Perms for the app + +userdebug_or_eng(` + # Translate user apps to the shell domain when using su + # + # PR_SET_NO_NEW_PRIVS blocks this :( + # we need to find a way to narrow this down to the actual exec. + # typealias shell alias suclient; + # domain_auto_trans(untrusted_app, su_exec, suclient) + + allow untrusted_app su_exec:file { execute_no_trans getattr open read execute }; + allow untrusted_app sudaemon:unix_stream_socket { connectto read write setopt ioctl }; + allow untrusted_app superuser_device:dir { r_dir_perms }; + allow untrusted_app superuser_device:sock_file { write }; + + + # For Settings control of access + allow system_app superuser_device:sock_file { read write create setattr unlink getattr }; + allow system_app sudaemon:unix_stream_socket { connectto read write setopt ioctl }; + allow system_app superuser_device:dir { create rw_dir_perms setattr unlink }; +') |