# File type for the /dev socket objects shared by sudaemon and its clients.
# The mlstrustedobject attribute is attached here; presumably it exempts the
# type from MLS object checks - confirm against the base policy.
type superuser_device, file_type, mlstrustedobject;

## Perms for the daemon

userdebug_or_eng(`
  # Compiled in only for userdebug and eng builds; user builds get none of
  # the rules in this section.

  # Permit init to enter sudaemon when it runs a file labelled su_exec.
  domain_trans(init, su_exec, sudaemon)

  # The sudaemon type is not declared in this listing; only its attributes
  # are attached here.
  typeattribute sudaemon domain;
  typeattribute sudaemon mlstrustedsubject;

  # Socket files that sudaemon creates under socket_device directories are
  # labelled superuser_device.
  type_transition sudaemon socket_device:sock_file superuser_device;

  # The userspace app uses /dev sockets to control per-app access, so the
  # daemon manages the directory and the socket files itself.
  allow sudaemon superuser_device:dir { create rw_dir_perms setattr unlink };
  allow sudaemon superuser_device:sock_file { create setattr unlink write };

  # sudaemon is also permissive to permit setenforce.
  # NOTE(review): a permissive domain is logged rather than blocked, so on
  # these builds the allow rules for sudaemon describe intent, not a limit.
  permissive sudaemon;

  # Add sudaemon to various domains
  net_domain(sudaemon)
  app_domain(sudaemon)

  # Silence the audit records that permissive mode would otherwise emit.
  # NOTE(review): together with the permissive statement this keeps most
  # sudaemon activity out of the AVC log, so monitoring on userdebug and
  # eng images has to rely on other telemetry.
  dontaudit sudaemon self:capability_class_set *;
  dontaudit sudaemon self:memprotect *;
  dontaudit sudaemon kernel:{ security system } *;
  dontaudit sudaemon domain:{ process fd dir lnk_file fifo_file file key peer binder } *;
  dontaudit sudaemon domain:socket_class_set *;
  dontaudit sudaemon domain:ipc_class_set *;
  dontaudit sudaemon fs_type:filesystem *;
  dontaudit sudaemon { fs_type dev_type file_type }:dir_file_class_set *;
  dontaudit sudaemon node_type:{ node tcp_socket udp_socket rawip_socket } *;
  dontaudit sudaemon netif_type:netif *;
  dontaudit sudaemon port_type:socket_class_set *;
  dontaudit sudaemon port_type:{ tcp_socket dccp_socket } *;
  dontaudit sudaemon property_type:property_service *;
  dontaudit sudaemon appops_service:service_manager *;
')
## Perms for the app

userdebug_or_eng(`
  # Compiled in only for userdebug and eng builds.

  # Translate user apps to the shell domain when using su
  #
  # Disabled: PR_SET_NO_NEW_PRIVS blocks this transition.
  # We need to find a way to narrow this down to the actual exec.
  # typealias shell alias suclient;
  # domain_auto_trans(untrusted_app, su_exec, suclient)

  # With the transition above disabled, the su client binary runs inside
  # untrusted_app itself (execute_no_trans) and talks to the daemon socket.
  # NOTE(review): these rules apply to every untrusted app on such builds;
  # which caller is actually served is presumably decided by the userspace
  # side, not by this policy - confirm in the daemon sources.
  allow untrusted_app su_exec:file { execute execute_no_trans getattr open read };
  allow untrusted_app sudaemon:unix_stream_socket { connectto ioctl read setopt write };
  allow untrusted_app superuser_device:dir r_dir_perms;
  allow untrusted_app superuser_device:sock_file write;

  # For Settings control of access: system_app may create, change and remove
  # the socket directory entries and talk to the daemon.
  allow system_app superuser_device:dir { create rw_dir_perms setattr unlink };
  allow system_app superuser_device:sock_file { create getattr read setattr unlink write };
  allow system_app sudaemon:unix_stream_socket { connectto ioctl read setopt write };

  # Let the kernel domain use file descriptors opened by sudaemon.
  # NOTE(review): the reason for this grant is not stated in the file.
  allow kernel sudaemon:fd use;
')
# Build-time assertion on su_exec: on user builds no domain at all may hold
# the no_x_file_perms permissions on it; on userdebug and eng builds only the
# domains subtracted in the macro argument are exempt.
# no_x_file_perms is a permission-set macro that comes from outside this file.
neverallow {
  domain
  userdebug_or_eng(`-dumpstate -shell -su -untrusted_app -init -sudaemon')
} su_exec:file no_x_file_perms;