Make su 04750 Currently, /system/xbin/su is world executable. Prior to SELinux enforcement, anyone (including third party apps) could run su. The su code itself checks to see if the calling UID is root or shell. Rather than relying on enforcement within the su binary, modify the binary so it has group=shell, and remove world-execute permission. This helps avoid some annoying SELinux denial messages as third party apps call su on userdebug/eng builds. Change-Id: I61c9231bb7e201d14ee3a5b6fe81b3fa7b12599f

commit: c3df8d756291b5258c21335e1266efb941fd7d0a [log] [tgz]
author: Nick Kralevich <nnk@google.com> Sun Jun 08 15:14:42 2014 -0700
committer: Nick Kralevich <nnk@google.com> Sun Jun 08 15:14:42 2014 -0700
tree: e054504d6b554f4abbcce509c91f645faed2453a
parent: 3013615077bbf1ccedaef59181f5e96062ad479a [diff]
diff --git a/include/private/android_filesystem_config.h b/include/private/android_filesystem_config.h
index 03b3506..d8e938e 100644
--- a/include/private/android_filesystem_config.h
+++ b/include/private/android_filesystem_config.h

@@ -244,7 +244,7 @@
 
     /* the following five files are INTENTIONALLY set-uid, but they
      * are NOT included on user builds. */
-    { 06755, AID_ROOT,      AID_ROOT,      0, "system/xbin/su" },
+    { 04750, AID_ROOT,      AID_SHELL,     0, "system/xbin/su" },
     { 06755, AID_ROOT,      AID_ROOT,      0, "system/xbin/librank" },
     { 06755, AID_ROOT,      AID_ROOT,      0, "system/xbin/procrank" },
     { 06755, AID_ROOT,      AID_ROOT,      0, "system/xbin/procmem" },
commit	c3df8d756291b5258c21335e1266efb941fd7d0a	[log] [tgz]
author	Nick Kralevich <nnk@google.com>	Sun Jun 08 15:14:42 2014 -0700
committer	Nick Kralevich <nnk@google.com>	Sun Jun 08 15:14:42 2014 -0700
tree	e054504d6b554f4abbcce509c91f645faed2453a
parent	3013615077bbf1ccedaef59181f5e96062ad479a [diff]