Support running adbd in the su domain.

When adbd runs as root, it transitions into the su domain. Add the various rules to support this. This is needed to run the adbd and shell domains in enforcing on userdebug / eng devices without breaking developer workflows. Change-Id: Ib33c0dd2dd6172035230514ac84fcaed2ecf44d6

Support running adbd in the su domain.
7d0f955e · Nick Kralevich · 190c704d · 7d0f955e · 7d0f955e · 7d0f955e
Commit 7d0f955e authored 11 years ago by Nick Kralevich
--- a/adbd.te
+++ b/adbd.te
@@ -4,6 +4,7 @@ type adbd, domain;

 userdebug_or_eng(`
  permissive adbd;
+  allow adbd su:process dyntransition;
 ')

 domain_auto_trans(adbd, shell_exec, shell)

--- a/domain.te
+++ b/domain.te
@@ -28,6 +28,20 @@ allow domain adbd:unix_stream_socket connectto;
 allow domain adbd:fd use;
 allow domain adbd:unix_stream_socket { getattr getopt read write shutdown };

+userdebug_or_eng(`
+  # Same as adbd rules above, except allow su to do the same thing
+  allow domain su:unix_stream_socket connectto;
+  allow domain su:fd use;
+  allow domain su:unix_stream_socket { getattr getopt read write shutdown };
+
+  # Running something like "pm dump com.android.bluetooth" requires
+  # fifo writes
+  allow domain su:fifo_file { write getattr };
+
+  # allow "gdbserver --attach" to work for su.
+  allow domain su:process sigchld;
+')
+
 ###
 ### Talk to debuggerd.
 ###

--- a/su.te
+++ b/su.te
@@ -12,6 +12,11 @@ userdebug_or_eng(`
  # su is unconfined.
  unconfined_domain(su)

+  allow su ashmem_device:chr_file execute;
+  allow su self:process execmem;
+  tmpfs_domain(su)
+  allow su su_tmpfs:file execute;
+
  # su is also permissive to permit setenforce.
  permissive su;
 ')