Diffstat (limited to 'prebuilts/api/32.0/private/su.te')
-rw-r--r--prebuilts/api/32.0/private/su.te30
1 files changed, 30 insertions, 0 deletions
diff --git a/prebuilts/api/32.0/private/su.te b/prebuilts/api/32.0/private/su.te
new file mode 100644
index 000000000..587f449fb
--- /dev/null
+++ b/prebuilts/api/32.0/private/su.te
@@ -0,0 +1,30 @@
+userdebug_or_eng(`
+ typeattribute su coredomain;
+
+ domain_auto_trans(shell, su_exec, su)
+ # Allow dumpstate to call su on userdebug / eng builds to collect
+ # additional information.
+ domain_auto_trans(dumpstate, su_exec, su)
+
+ # Make sure that dumpstate runs the same from the "su" domain as
+ # from the "init" domain.
+ domain_auto_trans(su, dumpstate_exec, dumpstate)
+
+ # Put the incident command into its domain so it is the same on user, userdebug and eng.
+ domain_auto_trans(su, incident_exec, incident)
+
+ # Put the odrefresh command into its domain.
+ domain_auto_trans(su, odrefresh_exec, odrefresh)
+
+ # Put the perfetto command into its domain so it is the same on user, userdebug and eng.
+ domain_auto_trans(su, perfetto_exec, perfetto)
+
+ # su is also permissive to permit setenforce.
+ permissive su;
+
+ app_domain(su)
+
+ # Do not audit accesses to keystore2 namespace for the su domain.
+ dontaudit su keystore2_key_type:{ keystore2 keystore2_key } *;
+
+')
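Review bot: The comment above `permissive su;` understates what the line does: it gives "to permit setenforce" as the reason, but a permissive domain has no access enforced at all, so the enclosing `userdebug_or_eng` wrapper is the only thing in this file keeping the block out of user builds. I would say so in place, e.g. `# su is permissive: nothing is enforced for this domain. Keep this block inside userdebug_or_eng.` The `dontaudit` rule on `keystore2_key_type` likewise states what it does but not why; because it also suppresses the log entries for those accesses, a one-line reason would help anyone auditing keystore use on debug builds. Since the path is under prebuilts/api/32.0 this looks like a frozen snapshot, so the wording change probably belongs in the live policy file rather than in this copy.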