author | Luca Stefani <luca.stefani.ge1@gmail.com> | 2019-09-13 08:21:40 +0200 |
---|---|---|
committer | Luca Stefani <luca.stefani.ge1@gmail.com> | 2019-11-03 11:07:21 +0100 |
commit | a3f0aa1d5bac0180a84549ea52e7b9752012140a (patch) | |
tree | 0d0a4ee918128a4a846f475505e74f123db5f459 /common | |
parent | 5ec4de459158817cb2e3dc5f40d97c8904c6b3de (diff) | |
Kill su and sudaemon
* They're being dropped
Change-Id: Id27a548c8210146835c02f718305160f68cd0212
Diffstat (limited to 'common')
-rw-r--r-- | common/private/file_contexts | 3 | ||||
-rw-r--r-- | common/private/su.te | 72 |
2 files changed, 0 insertions, 75 deletions
diff --git a/common/private/file_contexts b/common/private/file_contexts
index 6fd8f38..12916df 100644
--- a/common/private/file_contexts
+++ b/common/private/file_contexts
@@ -17,6 +17,3 @@
 /system/bin/backuptool_ab\.functions u:object_r:otapreopt_chroot_exec:s0
 /system/bin/backuptool_ab\.sh u:object_r:otapreopt_chroot_exec:s0
 /system/bin/backuptool_postinstall\.sh u:object_r:otapreopt_chroot_exec:s0
-
-# Superuser's control sockets
-/dev/socket/su-daemon(/.*)? u:object_r:superuser_device:s0
diff --git a/common/private/su.te b/common/private/su.te
deleted file mode 100644
index 358e8bd..0000000
--- a/common/private/su.te
+++ /dev/null
@@ -1,72 +0,0 @@
-type superuser_device, file_type, mlstrustedobject;
-
-## Perms for the daemon
-
-userdebug_or_eng(`
- domain_trans(init, su_exec, sudaemon)
-
- typeattribute sudaemon domain, coredomain, mlstrustedsubject;
-
- domain_trans(init, su_exec, sudaemon)
-
- type_transition sudaemon socket_device:sock_file superuser_device;
- # The userspace app uses /dev sockets to control per-app access
- allow sudaemon superuser_device:dir { create rw_dir_perms setattr unlink };
- allow sudaemon superuser_device:sock_file { create setattr unlink write };
-
- # sudaemon is also permissive to permit setenforce.
- permissive sudaemon;
-
- # Add sudaemon to various domains
- net_domain(sudaemon)
- app_domain(sudaemon)
-
- dontaudit sudaemon self:capability_class_set *;
- dontaudit sudaemon kernel:security *;
- dontaudit sudaemon kernel:system *;
- dontaudit sudaemon self:memprotect *;
- dontaudit sudaemon domain:process *;
- dontaudit sudaemon domain:fd *;
- dontaudit sudaemon domain:dir *;
- dontaudit sudaemon domain:lnk_file *;
- dontaudit sudaemon domain:{ fifo_file file } *;
- dontaudit sudaemon domain:socket_class_set *;
- dontaudit sudaemon domain:ipc_class_set *;
- dontaudit sudaemon domain:key *;
- dontaudit sudaemon fs_type:filesystem *;
- dontaudit sudaemon {fs_type dev_type file_type}:dir_file_class_set *;
- dontaudit sudaemon node_type:node *;
- dontaudit sudaemon node_type:{ tcp_socket udp_socket rawip_socket } *;
- dontaudit sudaemon netif_type:netif *;
- dontaudit sudaemon port_type:socket_class_set *;
- dontaudit sudaemon port_type:{ tcp_socket dccp_socket } *;
- dontaudit sudaemon domain:peer *;
- dontaudit sudaemon domain:binder *;
- dontaudit sudaemon property_type:property_service *;
- dontaudit sudaemon appops_service:service_manager *;
-')
-
-## Perms for the app
-
-userdebug_or_eng(`
- # Translate user apps to the shell domain when using su
- #
- # PR_SET_NO_NEW_PRIVS blocks this :(
- # we need to find a way to narrow this down to the actual exec.
- # typealias shell alias suclient;
- # domain_auto_trans(untrusted_app, su_exec, suclient)
-
- allow untrusted_app_all su_exec:file { execute_no_trans getattr open read execute };
- allow untrusted_app_all sudaemon:unix_stream_socket { connectto read write setopt ioctl };
- allow untrusted_app_all superuser_device:dir { r_dir_perms };
- allow untrusted_app_all superuser_device:sock_file { write };
-
- # For Settings control of access
- allow system_app superuser_device:sock_file { read write create setattr unlink getattr };
- allow system_app sudaemon:unix_stream_socket { connectto read write setopt ioctl };
- allow system_app superuser_device:dir { create rw_dir_perms setattr unlink };
-
- allow kernel sudaemon:fd { use };
-')
-
-neverallow { domain userdebug_or_eng(`-dumpstate -shell -su -untrusted_app_all -init -sudaemon') } su_exec:file no_x_file_perms; |