commit 85017716079d2646cb29b8a3c5538ac1ccaf5cb3
author myfluxi <linflux@arcor.de> Thu Nov 05 22:50:08 2015 +0100
committer myfluxi <linflux@arcor.de> Thu Nov 05 23:53:50 2015 +0100
tree 1dd23d9859b2fb3896f99fd834168ab2de01e01b
parent 48f0b94fff0fa09a203107844973e7972f720147

sepolicy: Make superuser_device and sudaemon mlstrustedobjects

Address:
avc: denied { write } for pid=8782 comm="su" name="su-daemon" dev="tmpfs" ino=9462
scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:superuser_device:s0
tclass=sock_file permissive=0

avc: denied { connectto } for pid=6666 comm="su" path="/dev/socket/su-daemon/su-daemon"
scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:r:sudaemon:s0
tclass=unix_stream_socket permissive=0

And thus fix su.

Change-Id: I666277067c5ff9f2a985c243075c63fd87090b27

sepolicy/su.te

diff --git a/sepolicy/su.te b/sepolicy/su.te
index 9b7d098..4e34dc9 100644
--- a/sepolicy/su.te
+++ b/sepolicy/su.te
@@ -1,10 +1,12 @@
-type superuser_device, file_type;
+type superuser_device, file_type, mlstrustedobject;
 
 ## Perms for the daemon
 
 userdebug_or_eng(`
   domain_trans(init, su_exec, sudaemon)
 
+  typeattribute sudaemon domain, mlstrustedsubject;
+
   type_transition sudaemon socket_device:sock_file superuser_device;
   # The userspace app uses /dev sockets to control per-app access
   allow sudaemon superuser_device:dir { create rw_dir_perms setattr unlink };