sepolicy/su.te - platform_vendor_bliss - Gitiles

 type superuser_device, file_type;

 ## Perms for the daemon

 type sudaemon, domain;

 userdebug_or_eng(`
   domain_trans(init, su_exec, sudaemon)
   # The userspace app uses /dev sockets to control per-app access
   allow sudaemon superuser_device:dir { create rw_dir_perms setattr unlink };
   allow sudaemon superuser_device:sock_file { create setattr unlink write };

   # sudaemon is also permissive to permit setenforce.
   permissive sudaemon;

   # Add sudaemon to various domains
   net_domain(sudaemon)
   app_domain(sudaemon)

   dontaudit sudaemon self:capability_class_set *;
   dontaudit sudaemon kernel:security *;
   dontaudit sudaemon kernel:system *;
   dontaudit sudaemon self:memprotect *;
   dontaudit sudaemon domain:process *;
   dontaudit sudaemon domain:fd *;
   dontaudit sudaemon domain:dir *;
   dontaudit sudaemon domain:lnk_file *;
   dontaudit sudaemon domain:{ fifo_file file } *;
   dontaudit sudaemon domain:socket_class_set *;
   dontaudit sudaemon domain:ipc_class_set *;
   dontaudit sudaemon domain:key *;
   dontaudit sudaemon fs_type:filesystem *;
   dontaudit sudaemon {fs_type dev_type file_type}:dir_file_class_set *;
   dontaudit sudaemon node_type:node *;
   dontaudit sudaemon node_type:{ tcp_socket udp_socket rawip_socket } *;
   dontaudit sudaemon netif_type:netif *;
   dontaudit sudaemon port_type:socket_class_set *;
   dontaudit sudaemon port_type:{ tcp_socket dccp_socket } *;
   dontaudit sudaemon domain:peer *;
   dontaudit sudaemon domain:binder *;
   dontaudit sudaemon property_type:property_service *;
 ')

 ## Perms for the app

 userdebug_or_eng(`
   typealias shell alias suclient;

   # Translate user and platform apps to the shell domain when using su
   domain_auto_trans(untrusted_app, su_exec, suclient)
   domain_auto_trans(platform_app, su_exec, suclient)

   allow suclient sudaemon:unix_stream_socket { connectto read write setopt ioctl };

   allow suclient superuser_device:dir { create rw_dir_perms setattr unlink };
   allow suclient superuser_device:sock_file { create setattr unlink write };
   allow suclient untrusted_app_devpts:chr_file { read write ioctl };
   # For Settings control of access
   allow system_app superuser_device:sock_file { read write create setattr unlink getattr };
   allow system_app sudaemon:unix_stream_socket { connectto read write setopt ioctl };
   allow system_app superuser_device:dir { create rw_dir_perms setattr unlink };

   ## From external/sepolicy/domain.te adjusted from sudaemon
   # Same as adbd rules above, except allow su to do the same thing
   allow domain sudaemon:unix_stream_socket connectto;
   allow domain sudaemon:fd use;
   allow domain sudaemon:unix_stream_socket { getattr getopt read write shutdown };
   binder_call(domain, sudaemon)
   # Running something like "pm dump com.android.bluetooth" requires
   # fifo writes
   allow domain sudaemon:fifo_file { write getattr };
   # allow "gdbserver --attach" to work for su.
   allow domain sudaemon:process sigchld;
 ')
	type superuser_device, file_type;

	## Perms for the daemon

	type sudaemon, domain;

	userdebug_or_eng(`
	domain_trans(init, su_exec, sudaemon)
	# The userspace app uses /dev sockets to control per-app access
	allow sudaemon superuser_device:dir { create rw_dir_perms setattr unlink };
	allow sudaemon superuser_device:sock_file { create setattr unlink write };

	# sudaemon is also permissive to permit setenforce.
	permissive sudaemon;

	# Add sudaemon to various domains
	net_domain(sudaemon)
	app_domain(sudaemon)

	dontaudit sudaemon self:capability_class_set *;
	dontaudit sudaemon kernel:security *;
	dontaudit sudaemon kernel:system *;
	dontaudit sudaemon self:memprotect *;
	dontaudit sudaemon domain:process *;
	dontaudit sudaemon domain:fd *;
	dontaudit sudaemon domain:dir *;
	dontaudit sudaemon domain:lnk_file *;
	dontaudit sudaemon domain:{ fifo_file file } *;
	dontaudit sudaemon domain:socket_class_set *;
	dontaudit sudaemon domain:ipc_class_set *;
	dontaudit sudaemon domain:key *;
	dontaudit sudaemon fs_type:filesystem *;
	dontaudit sudaemon {fs_type dev_type file_type}:dir_file_class_set *;
	dontaudit sudaemon node_type:node *;
	dontaudit sudaemon node_type:{ tcp_socket udp_socket rawip_socket } *;
	dontaudit sudaemon netif_type:netif *;
	dontaudit sudaemon port_type:socket_class_set *;
	dontaudit sudaemon port_type:{ tcp_socket dccp_socket } *;
	dontaudit sudaemon domain:peer *;
	dontaudit sudaemon domain:binder *;
	dontaudit sudaemon property_type:property_service *;
	')

	## Perms for the app

	userdebug_or_eng(`
	typealias shell alias suclient;

	# Translate user and platform apps to the shell domain when using su
	domain_auto_trans(untrusted_app, su_exec, suclient)
	domain_auto_trans(platform_app, su_exec, suclient)

	allow suclient sudaemon:unix_stream_socket { connectto read write setopt ioctl };

	allow suclient superuser_device:dir { create rw_dir_perms setattr unlink };
	allow suclient superuser_device:sock_file { create setattr unlink write };
	allow suclient untrusted_app_devpts:chr_file { read write ioctl };
	# For Settings control of access
	allow system_app superuser_device:sock_file { read write create setattr unlink getattr };
	allow system_app sudaemon:unix_stream_socket { connectto read write setopt ioctl };
	allow system_app superuser_device:dir { create rw_dir_perms setattr unlink };

	## From external/sepolicy/domain.te adjusted from sudaemon
	# Same as adbd rules above, except allow su to do the same thing
	allow domain sudaemon:unix_stream_socket connectto;
	allow domain sudaemon:fd use;
	allow domain sudaemon:unix_stream_socket { getattr getopt read write shutdown };
	binder_call(domain, sudaemon)
	# Running something like "pm dump com.android.bluetooth" requires
	# fifo writes
	allow domain sudaemon:fifo_file { write getattr };
	# allow "gdbserver --attach" to work for su.
	allow domain sudaemon:process sigchld;
	')