sepolicy/su.te


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61

type superuser_device, file_type;

## Perms for the daemon

type sudaemon, domain;

userdebug_or_eng(`
  domain_trans(init, su_exec, sudaemon)
  # The userspace app uses /dev sockets to control per-app access
  allow sudaemon superuser_device:dir { create rw_dir_perms setattr unlink };
  allow sudaemon superuser_device:sock_file { create setattr unlink write };

  # sudaemon is also permissive to permit setenforce.
  permissive sudaemon;

  # Add sudaemon to various domains
  net_domain(sudaemon)
  app_domain(sudaemon)

  dontaudit sudaemon self:capability_class_set *;
  dontaudit sudaemon kernel:security *;
  dontaudit sudaemon kernel:system *;
  dontaudit sudaemon self:memprotect *;
  dontaudit sudaemon domain:process *;
  dontaudit sudaemon domain:fd *;
  dontaudit sudaemon domain:dir *;
  dontaudit sudaemon domain:lnk_file *;
  dontaudit sudaemon domain:{ fifo_file file } *;
  dontaudit sudaemon domain:socket_class_set *;
  dontaudit sudaemon domain:ipc_class_set *;
  dontaudit sudaemon domain:key *;
  dontaudit sudaemon fs_type:filesystem *;
  dontaudit sudaemon {fs_type dev_type file_type}:dir_file_class_set *;
  dontaudit sudaemon node_type:node *;
  dontaudit sudaemon node_type:{ tcp_socket udp_socket rawip_socket } *;
  dontaudit sudaemon netif_type:netif *;
  dontaudit sudaemon port_type:socket_class_set *;
  dontaudit sudaemon port_type:{ tcp_socket dccp_socket } *;
  dontaudit sudaemon domain:peer *;
  dontaudit sudaemon domain:binder *;
  dontaudit sudaemon property_type:property_service *;
')

## Perms for the app

userdebug_or_eng(`
  typealias shell alias suclient;

  # Translate user apps to the shell domain when using su
  domain_auto_trans(untrusted_app, su_exec, suclient)

  allow suclient sudaemon:unix_stream_socket { connectto read write setopt ioctl };

  allow suclient superuser_device:dir { create rw_dir_perms setattr unlink };
  allow suclient superuser_device:sock_file { create setattr unlink write };
  allow suclient untrusted_app_devpts:chr_file { read write ioctl };
  # For Settings' control of access
  allow system_app superuser_device:sock_file { read write create setattr unlink getattr };
  allow system_app sudaemon:unix_stream_socket { connectto read write setopt ioctl };
  allow system_app superuser_device:dir { create rw_dir_perms setattr unlink };
')