# SELinux type-enforcement policy for the su daemon (sudaemon) and for the
# app domains that talk to it.  Every rule is wrapped in userdebug_or_eng(`...'),
# so, as that macro's name says, none of it is compiled into user builds.
#
# Only superuser_device is declared here; sudaemon, su_exec, socket_device,
# untrusted_app and system_app are declared elsewhere in the policy.

# File label for the control socket(s) the daemon creates; it is a file_type
# so it is covered by the generic file-type attribute rules.
type superuser_device, file_type;

## Perms for the daemon

userdebug_or_eng(`
  # Let init land in the sudaemon domain when it execs su_exec (domain_trans
  # grants the transition; unlike domain_auto_trans it is not automatic).
  domain_trans(init, su_exec, sudaemon)

  # sock_files sudaemon creates inside a socket_device directory are labelled
  # superuser_device instead of inheriting the directory's label.
  type_transition sudaemon socket_device:sock_file superuser_device;
  # The userspace app uses /dev sockets to control per-app access
  allow sudaemon superuser_device:dir { create rw_dir_perms setattr unlink };
  allow sudaemon superuser_device:sock_file { create setattr unlink write };

  # sudaemon is also permissive to permit setenforce.
  # NOTE(review): a permissive domain is never denied anything -- AVC denials
  # for sudaemon are only logged, and the dontaudit block below then hides most
  # of those logs as well.  The allow rules above therefore document intended
  # access rather than bound it; the effective boundary is the
  # userdebug_or_eng() wrapper.
  permissive sudaemon;

  # Add sudaemon to various domains
  net_domain(sudaemon)
  app_domain(sudaemon)

  # Silence the denials the permissive domain would otherwise log.  Each rule
  # covers every permission (*) of the listed classes, and the attributes used
  # (domain, fs_type, dev_type, file_type, node_type, netif_type, port_type,
  # property_type) span nearly every labelled object on the system, so very
  # little of what sudaemon does will show up in the audit log.
  dontaudit sudaemon self:capability_class_set *;
  dontaudit sudaemon kernel:security *;
  dontaudit sudaemon kernel:system *;
  dontaudit sudaemon self:memprotect *;
  dontaudit sudaemon domain:process *;
  dontaudit sudaemon domain:fd *;
  dontaudit sudaemon domain:dir *;
  dontaudit sudaemon domain:lnk_file *;
  dontaudit sudaemon domain:{ fifo_file file } *;
  dontaudit sudaemon domain:socket_class_set *;
  dontaudit sudaemon domain:ipc_class_set *;
  dontaudit sudaemon domain:key *;
  dontaudit sudaemon fs_type:filesystem *;
  dontaudit sudaemon {fs_type dev_type file_type}:dir_file_class_set *;
  dontaudit sudaemon node_type:node *;
  dontaudit sudaemon node_type:{ tcp_socket udp_socket rawip_socket } *;
  dontaudit sudaemon netif_type:netif *;
  dontaudit sudaemon port_type:socket_class_set *;
  dontaudit sudaemon port_type:{ tcp_socket dccp_socket } *;
  dontaudit sudaemon domain:peer *;
  dontaudit sudaemon domain:binder *;
  dontaudit sudaemon property_type:property_service *;
')

## Perms for the app

userdebug_or_eng(`
  # Translate user apps to the shell domain when using su
  #
  # PR_SET_NO_NEW_PRIVS blocks this :(
  # we need to find a way to narrow this down to the actual exec.
  # typealias shell alias suclient;
  # domain_auto_trans(untrusted_app, su_exec, suclient)

  # With the transition above disabled, an untrusted app executes su_exec
  # without changing domain (execute_no_trans) and keeps its own label; the
  # only access toward the daemon granted here is the unix_stream_socket
  # connect below, plus read access to the socket directory and write access
  # to the socket file.
  allow untrusted_app su_exec:file { execute_no_trans getattr open read execute };
  allow untrusted_app sudaemon:unix_stream_socket { connectto read write setopt ioctl };
  allow untrusted_app superuser_device:dir { r_dir_perms };
  allow untrusted_app superuser_device:sock_file { write };


  # For Settings control of access
  # system_app gets the same client socket access as untrusted_app plus
  # create/setattr/unlink on both the socket directory and the socket file.
  allow system_app superuser_device:sock_file { read write create setattr unlink getattr };
  allow system_app sudaemon:unix_stream_socket { connectto read write setopt ioctl };
  allow system_app superuser_device:dir { create rw_dir_perms setattr unlink };
')