Allow adb root on user builds
Change-Id: I90c5e19a67a194488002a4f442c01af6fe36aa05
diff --git a/prebuilts/api/34.0/private/adbd.te b/prebuilts/api/34.0/private/adbd.te
index 4360541..dccdd60 100644
--- a/prebuilts/api/34.0/private/adbd.te
+++ b/prebuilts/api/34.0/private/adbd.te
@@ -7,10 +7,8 @@
domain_auto_trans(adbd, shell_exec, shell)
-userdebug_or_eng(`
- allow adbd self:process setcurrent;
- allow adbd su:process dyntransition;
-')
+allow adbd self:process setcurrent;
+allow adbd su:process dyntransition;
# When 'adb shell' is executed in recovery mode, adbd explicitly
# switches into shell domain using setcon() because the shell executable
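Review bot: With the `userdebug_or_eng` wrapper removed, `allow adbd self:process setcurrent;` and `allow adbd su:process dyntransition;` are compiled into user builds as well, so the policy no longer stops adbd from switching into the su domain on production images. Whatever still gates adb root on a user build is outside this diff and the commit message does not name it; presumably it is a runtime check in adbd, which should be confirmed. I would state the intent above the two rules, for example `# adb root is permitted on user builds; this policy no longer restricts it to userdebug/eng.`, and check what the su domain is allowed to do on a user build, since its rules are not visible here. The identical hunk at the top of private/adbd.te needs the same comment.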
@@ -232,7 +230,6 @@
###
# No transitions from adbd to non-shell, non-crash_dump domains. adbd only ever
-# transitions to the shell domain (except when it crashes). In particular, we
-# never want to see a transition from adbd to su (aka "adb root")
+# transitions to the shell domain (except when it crashes).
neverallow adbd { domain -crash_dump -shell }:process transition;
-neverallow adbd { domain userdebug_or_eng(`-su') recovery_only(`-shell') }:process dyntransition;
+neverallow adbd { domain -su recovery_only(`-shell') }:process dyntransition;
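Review bot: The comment kept above these neverallows still says adbd only ever transitions to the shell domain, but the new unconditional `-su` exclusion permits a dyntransition to su on every build variant, so the comment now contradicts the rule beneath it. Rather than just deleting the sentence about adb root, I would replace it with one that states the exception, e.g. `# Exception: adbd may dyntransition to su (adb root) on all build variants.` Relaxing a platform neverallow is also likely to be flagged by compatibility tests that check neverallow rules, which is worth confirming before this ships. The second hunk of private/adbd.te has the same issue.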
diff --git a/private/adbd.te b/private/adbd.te
index 4360541..dccdd60 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -7,10 +7,8 @@
domain_auto_trans(adbd, shell_exec, shell)
-userdebug_or_eng(`
- allow adbd self:process setcurrent;
- allow adbd su:process dyntransition;
-')
+allow adbd self:process setcurrent;
+allow adbd su:process dyntransition;
# When 'adb shell' is executed in recovery mode, adbd explicitly
# switches into shell domain using setcon() because the shell executable
@@ -232,7 +230,6 @@
###
# No transitions from adbd to non-shell, non-crash_dump domains. adbd only ever
-# transitions to the shell domain (except when it crashes). In particular, we
-# never want to see a transition from adbd to su (aka "adb root")
+# transitions to the shell domain (except when it crashes).
neverallow adbd { domain -crash_dump -shell }:process transition;
-neverallow adbd { domain userdebug_or_eng(`-su') recovery_only(`-shell') }:process dyntransition;
+neverallow adbd { domain -su recovery_only(`-shell') }:process dyntransition;