selinux: Workaround for devices with PR_SET_NO_NEW_PRIVS enforcement

PR_SET_NO_NEW_PRIVS blocks domain transitions from within app_process,
unless the new domain is bounded by the app's context. So we can't
switch to a domain that has perms not available to untrusted_app :(

This means any app can talk to the daemon, bypassing the su executable
client. That's not a good thing, and needs to be resolved.

Change-Id: I85b74f90b8737caaa193a0555b5262e7392519b2
diff --git a/sepolicy/su.te b/sepolicy/su.te
index 76e4176..8e63b2f 100644
--- a/sepolicy/su.te
+++ b/sepolicy/su.te
@@ -44,16 +44,19 @@
 ## Perms for the app
 
 userdebug_or_eng(`
-  typealias shell alias suclient;
-
   # Translate user apps to the shell domain when using su
-  domain_auto_trans(untrusted_app, su_exec, suclient)
+  #
+  # PR_SET_NO_NEW_PRIVS blocks this :(
+  # we need to find a way to narrow this down to the actual exec.
+  # typealias shell alias suclient;
+  # domain_auto_trans(untrusted_app, su_exec, suclient)
 
-  allow suclient sudaemon:unix_stream_socket { connectto read write setopt ioctl };
+  allow untrusted_app su_exec:file { execute_no_trans getattr open read execute };
+  allow untrusted_app sudaemon:unix_stream_socket { connectto read write setopt ioctl };
+  allow untrusted_app superuser_device:dir { r_dir_perms };
+  allow untrusted_app superuser_device:sock_file { write };
 
-  allow suclient superuser_device:dir { create rw_dir_perms setattr unlink };
-  allow suclient superuser_device:sock_file { create setattr unlink write };
-  allow suclient untrusted_app_devpts:chr_file { read write ioctl };
+
   # For Settings control of access
   allow system_app superuser_device:sock_file { read write create setattr unlink getattr };
   allow system_app sudaemon:unix_stream_socket { connectto read write setopt ioctl };
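Review bot: The added rules at the `allow untrusted_app ... sudaemon:unix_stream_socket { connectto ... }` and `allow untrusted_app su_exec:file { ... execute_no_trans ... }` lines let every untrusted_app reach the daemon socket directly, so the policy itself no longer distinguishes the su client from any other app; the commit message says this is known, but the policy file carries no marker of it. Since the transition to `suclient` is now only commented out, the daemon is the last place caller authorization can happen, and a maintainer reading su.te alone cannot tell that. I would add, above the new allow lines, `# TEMPORARY: grants all of untrusted_app direct access to sudaemon; sudaemon must authorize callers itself until the exec-scoped transition below is restored.` and keep the commented-out `typealias`/`domain_auto_trans` lines next to it as the intended end state. Note that the narrowed object perms (`r_dir_perms`, `sock_file { write }`) are an improvement over the removed `create ... unlink` set and worth keeping when the transition comes back. The enclosing `userdebug_or_eng(\`` block closes outside this hunk.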