# File types must be defined for file_contexts.
# su_exec is declared unconditionally so that file_contexts can label the
# binary on every build; the su domain itself (below) only exists on
# userdebug/eng builds, so on -user builds su_exec is a file type with no
# domain that transitions into it.
type su_exec, exec_type, file_type;

userdebug_or_eng(`
  # Domain used for su processes, as well as for adbd and adb shell
  # after performing an adb root command. The domain definition is
  # wrapped to ensure that it does not exist at all on -user builds.
  type su, domain, mlstrustedsubject;
  # shell -> su when shell executes a file labeled su_exec.
  domain_auto_trans(shell, su_exec, su)

  # Allow dumpstate to call su on userdebug / eng builds to collect
  # additional information.
  domain_auto_trans(dumpstate, su_exec, su)

  # Make sure that dumpstate runs the same from the "su" domain as
  # from the "init" domain.
  domain_auto_trans(su, dumpstate_exec, dumpstate)

  # su is also permissive to permit setenforce.
  # In permissive mode, accesses by su that the policy does not allow are
  # logged as denials but not blocked; the dontaudit rules below silence
  # that logging.
  permissive su;

  # Add su to various domains
  net_domain(su)
  app_domain(su)

  # dontaudit suppresses audit messages only; it grants no permissions.
  # Since su is permissive, these rules exist to keep debug-build logs
  # readable rather than to change what su may do. Reviewer note: every
  # class added here also hides the matching denials from any log-based
  # detection on userdebug/eng devices, so keep this list scoped to su.
  dontaudit su self:capability_class_set *;
  dontaudit su kernel:security *;
  dontaudit su kernel:system *;
  dontaudit su self:memprotect *;
  dontaudit su domain:process *;
  dontaudit su domain:fd *;
  dontaudit su domain:dir *;
  dontaudit su domain:lnk_file *;
  dontaudit su domain:{ fifo_file file } *;
  dontaudit su domain:socket_class_set *;
  dontaudit su domain:ipc_class_set *;
  dontaudit su domain:key *;
  dontaudit su fs_type:filesystem *;
  dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
  dontaudit su node_type:node *;
  dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
  dontaudit su netif_type:netif *;
  dontaudit su port_type:socket_class_set *;
  dontaudit su port_type:{ tcp_socket dccp_socket } *;
  dontaudit su domain:peer *;
  dontaudit su domain:binder *;
  dontaudit su property_type:property_service *;
  dontaudit su property_type:file *;
  dontaudit su service_manager_type:service_manager *;
  # Only the "list" permission is silenced for servicemanager itself.
  dontaudit su servicemanager:service_manager list;
  dontaudit su keystore:keystore_key *;
  dontaudit su domain:debuggerd *;
  dontaudit su domain:drmservice *;
  dontaudit su unlabeled:filesystem *;
')