FP2-1752: Add selinux policies for SU daemon
Change-Id: I91807d1412a6ce025b3f94368c695cfcc09ce4ad
diff --git a/Android.mk b/Android.mk
new file mode 100755
index 0000000..cdbe311
--- /dev/null
+++ b/Android.mk
@@ -0,0 +1,7 @@
+# Fairphone specific SELinux policy variable definitions
+BOARD_SEPOLICY_DIRS += \
+ device/fairphone_devices/sepolicy
+
+BOARD_SEPOLICY_UNION += \
+ file_contexts \
+ su.te
diff --git a/file_contexts b/file_contexts
new file mode 100644
index 0000000..4d3d938
--- /dev/null
+++ b/file_contexts
@@ -0,0 +1,4 @@
+#############
+# Superuser's control sockets
+/dev/socket/su-daemon(/.*)? u:object_r:superuser_device:s0
+
diff --git a/su.te b/su.te
new file mode 100644
index 0000000..c2c68fd
--- /dev/null
+++ b/su.te
@@ -0,0 +1,66 @@
+type superuser_device, file_type;
+
+## Perms for the daemon
+
+type sudaemon, domain;
+
+userdebug_or_eng(`
+ domain_trans(init, su_exec, sudaemon)
+
+ type_transition sudaemon socket_device:sock_file superuser_device;
+ # The userspace app uses /dev sockets to control per-app access
+ allow sudaemon superuser_device:dir { create rw_dir_perms setattr unlink };
+ allow sudaemon superuser_device:sock_file { create setattr unlink write };
+
+ # sudaemon is also permissive to permit setenforce.
+ permissive sudaemon;
+
+ # Add sudaemon to various domains
+ net_domain(sudaemon)
+ app_domain(sudaemon)
+
+ dontaudit sudaemon self:capability_class_set *;
+ dontaudit sudaemon kernel:security *;
+ dontaudit sudaemon kernel:system *;
+ dontaudit sudaemon self:memprotect *;
+ dontaudit sudaemon domain:process *;
+ dontaudit sudaemon domain:fd *;
+ dontaudit sudaemon domain:dir *;
+ dontaudit sudaemon domain:lnk_file *;
+ dontaudit sudaemon domain:{ fifo_file file } *;
+ dontaudit sudaemon domain:socket_class_set *;
+ dontaudit sudaemon domain:ipc_class_set *;
+ dontaudit sudaemon domain:key *;
+ dontaudit sudaemon fs_type:filesystem *;
+ dontaudit sudaemon {fs_type dev_type file_type}:dir_file_class_set *;
+ dontaudit sudaemon node_type:node *;
+ dontaudit sudaemon node_type:{ tcp_socket udp_socket rawip_socket } *;
+ dontaudit sudaemon netif_type:netif *;
+ dontaudit sudaemon port_type:socket_class_set *;
+ dontaudit sudaemon port_type:{ tcp_socket dccp_socket } *;
+ dontaudit sudaemon domain:peer *;
+ dontaudit sudaemon domain:binder *;
+ dontaudit sudaemon property_type:property_service *;
+')
+
+## Perms for the app
+
+userdebug_or_eng(`
+ # Translate user apps to the shell domain when using su
+ #
+ # PR_SET_NO_NEW_PRIVS blocks this :(
+ # we need to find a way to narrow this down to the actual exec.
+ # typealias shell alias suclient;
+ # domain_auto_trans(untrusted_app, su_exec, suclient)
+
+ allow untrusted_app su_exec:file { execute_no_trans getattr open read execute };
+ allow untrusted_app sudaemon:unix_stream_socket { connectto read write setopt ioctl };
+ allow untrusted_app superuser_device:dir { r_dir_perms };
+ allow untrusted_app superuser_device:sock_file { write };
+
+
+ # For Settings control of access
+ allow system_app superuser_device:sock_file { read write create setattr unlink getattr };
+ allow system_app sudaemon:unix_stream_socket { connectto read write setopt ioctl };
+ allow system_app superuser_device:dir { create rw_dir_perms setattr unlink };
+')