blob: 473386bc41cd40a699cd925e0aedf3046201edea (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
|
type superuser_device, file_type, mlstrustedobject;
## Perms for the daemon
userdebug_or_eng(`
domain_trans(init, su_exec, sudaemon)
typeattribute sudaemon domain, mlstrustedsubject;
type_transition sudaemon socket_device:sock_file superuser_device;
# The userspace app uses /dev sockets to control per-app access
allow sudaemon superuser_device:dir { create rw_dir_perms setattr unlink };
allow sudaemon superuser_device:sock_file { create setattr unlink write };
# sudaemon is also permissive to permit setenforce.
permissive sudaemon;
# Add sudaemon to various domains
net_domain(sudaemon)
app_domain(sudaemon)
dontaudit sudaemon self:capability_class_set *;
dontaudit sudaemon kernel:security *;
dontaudit sudaemon kernel:system *;
dontaudit sudaemon self:memprotect *;
dontaudit sudaemon domain:process *;
dontaudit sudaemon domain:fd *;
dontaudit sudaemon domain:dir *;
dontaudit sudaemon domain:lnk_file *;
dontaudit sudaemon domain:{ fifo_file file } *;
dontaudit sudaemon domain:socket_class_set *;
dontaudit sudaemon domain:ipc_class_set *;
dontaudit sudaemon domain:key *;
dontaudit sudaemon fs_type:filesystem *;
dontaudit sudaemon {fs_type dev_type file_type}:dir_file_class_set *;
dontaudit sudaemon node_type:node *;
dontaudit sudaemon node_type:{ tcp_socket udp_socket rawip_socket } *;
dontaudit sudaemon netif_type:netif *;
dontaudit sudaemon port_type:socket_class_set *;
dontaudit sudaemon port_type:{ tcp_socket dccp_socket } *;
dontaudit sudaemon domain:peer *;
dontaudit sudaemon domain:binder *;
dontaudit sudaemon property_type:property_service *;
dontaudit sudaemon appops_service:service_manager *;
')
## Perms for the app
userdebug_or_eng(`
# Translate user apps to the shell domain when using su
#
# PR_SET_NO_NEW_PRIVS blocks this :(
# we need to find a way to narrow this down to the actual exec.
# typealias shell alias suclient;
# domain_auto_trans(untrusted_app, su_exec, suclient)
allow untrusted_app su_exec:file { execute_no_trans getattr open read execute };
allow untrusted_app sudaemon:unix_stream_socket { connectto read write setopt ioctl };
allow untrusted_app superuser_device:dir { r_dir_perms };
allow untrusted_app superuser_device:sock_file { write };
# For Settings control of access
allow system_app superuser_device:sock_file { read write create setattr unlink getattr };
allow system_app sudaemon:unix_stream_socket { connectto read write setopt ioctl };
allow system_app superuser_device:dir { create rw_dir_perms setattr unlink };
allow kernel sudaemon:fd { use };
')
|
