commit 40ae10433e5a77a07e6e900b4bf4bd04af254469
author Pierre-Hugues Husson <phh@phh.me> Tue Dec 19 13:08:26 2017 +0100
committer Pierre-Hugues Husson <phh@phh.me> Tue Dec 19 13:08:26 2017 +0100
tree 3408deb42e27cb0363e3597f6c2a93725c93c3af
parent fd24ea3347d667b973e7541be6d34dfde1bf69ea

Add su option

sepolicy/file_contexts

diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
new file mode 100644
index 0000000..15ebca2
--- /dev/null
+++ b/sepolicy/file_contexts
@@ -0,0 +1 @@
+/system/bin/phh-su                   u:object_r:phhsu_exec:s0

sepolicy/su.te

diff --git a/sepolicy/su.te b/sepolicy/su.te
new file mode 100644
index 0000000..01d665f
--- /dev/null
+++ b/sepolicy/su.te
@@ -0,0 +1,47 @@
+type phhsu_daemon, domain;
+type phhsu_exec, exec_type, file_type;
+
+typeattribute phhsu_daemon coredomain;
+permissive phhsu_daemon;
+
+tmpfs_domain(phhsu_daemon);
+domain_auto_trans(init, phhsu_exec, phhsu_daemon);
+file_type_auto_trans(phhsu_daemon, device, phhsu_daemon);
+
+allow { appdomain shell } phhsu_daemon:unix_stream_socket { connectto write read };
+allow { appdomain shell } phhsu_daemon:sock_file { write read };
+allow { appdomain shell } phhsu_exec:file { getattr read open execute execute_no_trans };
+
+create_pty(shell)
+allowxperm shell devpts:chr_file ioctl TCSETSF;
+allowxperm untrusted_app untrusted_app_devpts:chr_file ioctl TCSETSF;
+
+allow servicemanager phhsu_daemon:dir { search read };
+allow servicemanager phhsu_daemon:file { open read };
+allow servicemanager phhsu_daemon:process { getattr };
+allow servicemanager phhsu_daemon:binder { call transfer };
+
+typeattribute phhsu_daemon mlstrustedobject;
+typeattribute phhsu_daemon mlstrustedsubject;
+
+allow shell su_exec:file getattr;
+typeattribute su mlstrustedsubject;
+
+allow phhsu_daemon { system_api_service app_api_service system_server_service }:service_manager find;
+
+allow system_server phhsu_daemon:fd use;
+allow system_server phhsu_daemon:binder { call };
+
+# Add su to various domains
+net_domain(su)
+
+# grant su access to vndbinder
+vndbinder_use(su)
+
+allow phhsu_daemon toolbox_exec:file { read open execute_no_trans };
+allow phhsu_daemon untrusted_app_devpts:chr_file { getattr };
+allow phhsu_daemon zygote_exec:file { execute read open execute_no_trans getattr };
+
+allow phhsu_daemon phhsu_daemon:capability { setuid setgid dac_override chown};
+
+allow appdomain phhsu_daemon:dir { search };