common/public/su.te - LeafOS-Project/android_device_lineage_sepolicy - Gitiles

 type superuser_device, file_type, mlstrustedobject;

 ## Perms for the daemon

 userdebug_or_eng(`
   typeattribute sudaemon domain, mlstrustedsubject;

   # The userspace app uses /dev sockets to control per-app access
   allow sudaemon superuser_device:dir { create rw_dir_perms setattr unlink };
   allow sudaemon superuser_device:sock_file { create setattr unlink write };

   # Add sudaemon to various domains
   net_domain(sudaemon)

   dontaudit sudaemon self:capability_class_set *;
   dontaudit sudaemon kernel:security *;
   dontaudit sudaemon kernel:system *;
   dontaudit sudaemon self:memprotect *;
   dontaudit sudaemon domain:process *;
   dontaudit sudaemon domain:fd *;
   dontaudit sudaemon domain:dir *;
   dontaudit sudaemon domain:lnk_file *;
   dontaudit sudaemon domain:{ fifo_file file } *;
   dontaudit sudaemon domain:socket_class_set *;
   dontaudit sudaemon domain:ipc_class_set *;
   dontaudit sudaemon domain:key *;
   dontaudit sudaemon fs_type:filesystem *;
   dontaudit sudaemon {fs_type dev_type file_type}:dir_file_class_set *;
   dontaudit sudaemon node_type:node *;
   dontaudit sudaemon node_type:{ tcp_socket udp_socket rawip_socket } *;
   dontaudit sudaemon netif_type:netif *;
   dontaudit sudaemon port_type:socket_class_set *;
   dontaudit sudaemon port_type:{ tcp_socket dccp_socket } *;
   dontaudit sudaemon domain:peer *;
   dontaudit sudaemon domain:binder *;
   dontaudit sudaemon property_type:property_service *;
   dontaudit sudaemon appops_service:service_manager *;
 ')

 ## Perms for the app

 userdebug_or_eng(`
   # Translate user apps to the shell domain when using su
   #
   # PR_SET_NO_NEW_PRIVS blocks this :(
   # we need to find a way to narrow this down to the actual exec.
   # typealias shell alias suclient;
   # domain_auto_trans(untrusted_app, su_exec, suclient)

   allow untrusted_app_all su_exec:file { execute_no_trans getattr open read execute };
   allow untrusted_app_all sudaemon:unix_stream_socket { connectto read write setopt ioctl };
   allow untrusted_app_all superuser_device:dir { r_dir_perms };
   allow untrusted_app_all superuser_device:sock_file { write };

   # For Settings control of access
   allow system_app superuser_device:sock_file { read write create setattr unlink getattr };
   allow system_app sudaemon:unix_stream_socket { connectto read write setopt ioctl };
   allow system_app superuser_device:dir { create rw_dir_perms setattr unlink };

   allow kernel sudaemon:fd { use };
 ')

 neverallow { domain userdebug_or_eng(`-dumpstate -shell -su -untrusted_app_all -init -sudaemon') } su_exec:file no_x_file_perms;
	type superuser_device, file_type, mlstrustedobject;

	## Perms for the daemon

	userdebug_or_eng(`
	typeattribute sudaemon domain, mlstrustedsubject;

	# The userspace app uses /dev sockets to control per-app access
	allow sudaemon superuser_device:dir { create rw_dir_perms setattr unlink };
	allow sudaemon superuser_device:sock_file { create setattr unlink write };

	# Add sudaemon to various domains
	net_domain(sudaemon)

	dontaudit sudaemon self:capability_class_set *;
	dontaudit sudaemon kernel:security *;
	dontaudit sudaemon kernel:system *;
	dontaudit sudaemon self:memprotect *;
	dontaudit sudaemon domain:process *;
	dontaudit sudaemon domain:fd *;
	dontaudit sudaemon domain:dir *;
	dontaudit sudaemon domain:lnk_file *;
	dontaudit sudaemon domain:{ fifo_file file } *;
	dontaudit sudaemon domain:socket_class_set *;
	dontaudit sudaemon domain:ipc_class_set *;
	dontaudit sudaemon domain:key *;
	dontaudit sudaemon fs_type:filesystem *;
	dontaudit sudaemon {fs_type dev_type file_type}:dir_file_class_set *;
	dontaudit sudaemon node_type:node *;
	dontaudit sudaemon node_type:{ tcp_socket udp_socket rawip_socket } *;
	dontaudit sudaemon netif_type:netif *;
	dontaudit sudaemon port_type:socket_class_set *;
	dontaudit sudaemon port_type:{ tcp_socket dccp_socket } *;
	dontaudit sudaemon domain:peer *;
	dontaudit sudaemon domain:binder *;
	dontaudit sudaemon property_type:property_service *;
	dontaudit sudaemon appops_service:service_manager *;
	')

	## Perms for the app

	userdebug_or_eng(`
	# Translate user apps to the shell domain when using su
	#
	# PR_SET_NO_NEW_PRIVS blocks this :(
	# we need to find a way to narrow this down to the actual exec.
	# typealias shell alias suclient;
	# domain_auto_trans(untrusted_app, su_exec, suclient)

	allow untrusted_app_all su_exec:file { execute_no_trans getattr open read execute };
	allow untrusted_app_all sudaemon:unix_stream_socket { connectto read write setopt ioctl };
	allow untrusted_app_all superuser_device:dir { r_dir_perms };
	allow untrusted_app_all superuser_device:sock_file { write };

	# For Settings control of access
	allow system_app superuser_device:sock_file { read write create setattr unlink getattr };
	allow system_app sudaemon:unix_stream_socket { connectto read write setopt ioctl };
	allow system_app superuser_device:dir { create rw_dir_perms setattr unlink };

	allow kernel sudaemon:fd { use };
	')

	neverallow { domain userdebug_or_eng(`-dumpstate -shell -su -untrusted_app_all -init -sudaemon') } su_exec:file no_x_file_perms;