From 7d0f955ef09be5b2558da432a1f8cd525c5ccfe4 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Sat, 18 Jan 2014 18:07:06 -0800
Subject: [PATCH] Support running adbd in the su domain.

When adbd runs as root, it transitions into the
su domain. Add the various rules to support this.

This is needed to run the adbd and shell domains in
enforcing on userdebug / eng devices without breaking
developer workflows.

Change-Id: Ib33c0dd2dd6172035230514ac84fcaed2ecf44d6
---
 adbd.te   |  1 +
 domain.te | 14 ++++++++++++++
 su.te     |  5 +++++
 3 files changed, 20 insertions(+)

diff --git a/adbd.te b/adbd.te
index a92d50597..8614819c1 100644
--- a/adbd.te
+++ b/adbd.te
@@ -4,6 +4,7 @@ type adbd, domain;
 
 userdebug_or_eng(`
   permissive adbd;
+  allow adbd su:process dyntransition;
 ')
 
 domain_auto_trans(adbd, shell_exec, shell)
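Review bot: The added `allow adbd su:process dyntransition;` grants only the old-to-new-domain half of a setcon() transition; the kernel also checks `setcurrent` on the caller's own process, so unless adbd.te already grants it outside this hunk, `allow adbd self:process setcurrent;` is needed too before adbd can run enforcing. Right now the gap is masked by `permissive adbd;` in the same block (the denial would be audited but not enforced), which is exactly the state the commit message says it wants to leave behind. A dynamic transition carries adbd's open fds and memory into su unchanged, which is acceptable here only because su is unconfined; a one-line comment would make that intent explicit: `# adbd calls setcon() to enter su when started as root (userdebug/eng only).`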
diff --git a/domain.te b/domain.te
index c8063f740..b13ad75f8 100644
--- a/domain.te
+++ b/domain.te
@@ -28,6 +28,20 @@ allow domain adbd:unix_stream_socket connectto;
 allow domain adbd:fd use;
 allow domain adbd:unix_stream_socket { getattr getopt read write shutdown };
 
+userdebug_or_eng(`
+  # Same as adbd rules above, except allow su to do the same thing
+  allow domain su:unix_stream_socket connectto;
+  allow domain su:fd use;
+  allow domain su:unix_stream_socket { getattr getopt read write shutdown };
+
+  # Running something like "pm dump com.android.bluetooth" requires
+  # fifo writes
+  allow domain su:fifo_file { write getattr };
+
+  # allow "gdbserver --attach" to work for su.
+  allow domain su:process sigchld;
+')
+
 ###
 ### Talk to debuggerd.
 ###
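Review bot: `allow domain su:fifo_file { write getattr };` lets every process type on the device (the `domain` attribute is what `type adbd, domain;` attaches to process types) write into any fifo labeled su, and the `pm dump` comment names the symptom rather than the data flow, so the rule reads as a broad grant with no stated reason. Suggest `# The dumping process writes its output into su's stdout pipe over an fd passed by binder, so only write is needed; read is deliberately not granted.` — the binder-passed-fd detail is inferred from how pm dump works and should be confirmed. It is also worth saying in the block comment that these five rules are a copy of the adbd rules above because adbd now runs in su when root, so that a later change to the adbd rules is mirrored here rather than silently diverging.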
diff --git a/su.te b/su.te
index b4b9f6dad..7b6899a21 100644
--- a/su.te
+++ b/su.te
@@ -12,6 +12,11 @@ userdebug_or_eng(`
   # su is unconfined.
   unconfined_domain(su)
 
+  allow su ashmem_device:chr_file execute;
+  allow su self:process execmem;
+  tmpfs_domain(su)
+  allow su su_tmpfs:file execute;
+
   # su is also permissive to permit setenforce.
   permissive su;
 ')
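Review bot: The four new lines (`ashmem_device:chr_file execute`, `self:process execmem`, `tmpfs_domain(su)` plus `su_tmpfs:file execute`) are precisely the writable-and-executable memory permissions that `unconfined_domain(su)` on the line above evidently does not hand out, yet nothing says which developer workflow under a root adb shell needs them. Add a comment naming the consumer, e.g. `# Needed for JIT/code-generating tools run from a root adb shell; unconfined_domain does not grant W^X-bypassing permissions.` — the JIT motivation is a guess and should be replaced by the actual denial that prompted the change. Because `permissive su;` follows, these rules currently only stop audit noise, so the comment is the only record of why they must survive once su is made enforcing; they are gated by userdebug_or_eng and so never reach user builds.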
-- 
GitLab