# File types must be defined for file_contexts.
# su_exec is declared outside the userdebug_or_eng wrapper below, so the
# file label exists on every build even though the su domain does not.
type su_exec, exec_type, file_type;

userdebug_or_eng(`
# Domain used for su processes, as well as for adbd and adb shell
# after performing an adb root command. The domain definition is
# wrapped to ensure that it does not exist at all on -user builds.
type su, domain;
# A shell process that executes a su_exec-labelled file transitions into su.
domain_auto_trans(shell, su_exec, su)

# Allow dumpstate to call su on userdebug / eng builds to collect
# additional information.
domain_auto_trans(dumpstate, su_exec, su)

# su is also permissive to permit setenforce.
# In permissive mode denials for su are logged but not enforced, so policy
# never blocks this domain; the dontaudit rules below only affect what is
# still written to the audit log.
permissive su;

# Add su to various domains
net_domain(su)
app_domain(su)

# Silence audit messages for the su domain. Because su is permissive these
# rules change logging only, not access: denials that would otherwise be
# recorded for the listed classes are suppressed, so su activity in those
# classes leaves no avc record for later review.
dontaudit su self:capability_class_set *;
dontaudit su kernel:security *;
dontaudit su kernel:system *;
dontaudit su self:memprotect *;
dontaudit su domain:process *;
dontaudit su domain:fd *;
dontaudit su domain:dir *;
dontaudit su domain:lnk_file *;
dontaudit su domain:{ fifo_file file } *;
dontaudit su domain:socket_class_set *;
dontaudit su domain:ipc_class_set *;
dontaudit su domain:key *;
dontaudit su fs_type:filesystem *;
dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
dontaudit su node_type:node *;
dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
dontaudit su netif_type:netif *;
dontaudit su port_type:socket_class_set *;
dontaudit su port_type:{ tcp_socket dccp_socket } *;
dontaudit su domain:peer *;
dontaudit su domain:binder *;
dontaudit su property_type:property_service *;
# Closes the userdebug_or_eng wrapper opened above; everything between the
# two markers is absent from -user builds.
')