| userdebug_or_eng(` |
| typeattribute su coredomain; |
| |
| domain_auto_trans(shell, su_exec, su) |
| # Allow dumpstate to call su on userdebug / eng builds to collect |
| # additional information. |
| domain_auto_trans(dumpstate, su_exec, su) |
| |
| # Make sure that dumpstate runs the same from the "su" domain as |
| # from the "init" domain. |
| domain_auto_trans(su, dumpstate_exec, dumpstate) |
| |
| # Put the incident command into its domain so it is the same on user, userdebug and eng. |
| domain_auto_trans(su, incident_exec, incident) |
| |
| # Put the odrefresh command into its domain. |
| domain_auto_trans(su, odrefresh_exec, odrefresh) |
| |
| # Put the perfetto command into its domain so it is the same on user, userdebug and eng. |
| domain_auto_trans(su, perfetto_exec, perfetto) |
| |
| # Put the virtmgr command into its domain. |
| domain_auto_trans(su, virtualizationmanager_exec, virtualizationmanager) |
| |
| # su is also permissive to permit setenforce. |
| permissive su; |
| |
| app_domain(su) |
| |
| # Do not audit accesses to keystore2 namespace for the su domain. |
| dontaudit su keystore2_key_type:{ keystore2 keystore2_key } *; |
| |
| # Allow root to set MTE permissive mode. |
| set_prop(su, permissive_mte_prop); |
| ') |