SELinux: su: update policies
- Integrate policies from domain.te (fixes ES File Manager which uses unix socket)
- Allow platform_app to use su (fixes CM File Manager)
Change-Id: I39dd55e63b44590575bbe6d889c8d77141ba8545
diff --git a/sepolicy/su.te b/sepolicy/su.te
index 76e4176..6b4b631 100644
--- a/sepolicy/su.te
+++ b/sepolicy/su.te
@@ -46,8 +46,9 @@
userdebug_or_eng(`
typealias shell alias suclient;
- # Translate user apps to the shell domain when using su
+ # Translate user and platform apps to the shell domain when using su
domain_auto_trans(untrusted_app, su_exec, suclient)
+ domain_auto_trans(platform_app, su_exec, suclient)
allow suclient sudaemon:unix_stream_socket { connectto read write setopt ioctl };
@@ -58,4 +59,16 @@
allow system_app superuser_device:sock_file { read write create setattr unlink getattr };
allow system_app sudaemon:unix_stream_socket { connectto read write setopt ioctl };
allow system_app superuser_device:dir { create rw_dir_perms setattr unlink };
+
+ ## From external/sepolicy/domain.te adjusted from sudaemon
+ # Same as adbd rules above, except allow su to do the same thing
+ allow domain sudaemon:unix_stream_socket connectto;
+ allow domain sudaemon:fd use;
+ allow domain sudaemon:unix_stream_socket { getattr getopt read write shutdown };
+ binder_call(domain, sudaemon)
+ # Running something like "pm dump com.android.bluetooth" requires
+ # fifo writes
+ allow domain sudaemon:fifo_file { write getattr };
+ # allow "gdbserver --attach" to work for su.
+ allow domain sudaemon:process sigchld;
')