From 8bd13687b0a023ac2acf15175d52cafac9809b52 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Sat, 14 Mar 2015 12:40:21 -0700
Subject: [PATCH] neverallow su_exec:file execute

Executing /system/xbin/su is only supported on userdebug and eng builds,
and there only for a limited number of domains. On user builds it must
never occur.

Add a compile time assertion (neverallow rule) that this is
always true.

Bug: 19647373
Change-Id: I231a438948ea2d47c1951207e117e0fb2728c532
---
 domain.te | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/domain.te b/domain.te
index b2eaa7905..733a09523 100644
--- a/domain.te
+++ b/domain.te
@@ -369,3 +369,8 @@ neverallow domain domain:{ shm sem msg msgq } *;
 # Do not mount on top of symlinks, fifos, or sockets.
 # Feature parity with Chromium LSM.
 neverallow domain { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mounton;
+
+# Nobody should be able to execute su on user builds.
+# On userdebug/eng builds, only dumpstate, shell, and
+# su itself execute su.
+neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms;
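Review bot: The comment above the new rule only talks about "execute", but the rule uses `no_x_file_perms`, which — if it is the usual global_macros set — also denies `execute_no_trans` and `entrypoint`; the comment should say so, since that is what stops a domain from running the binary in its own context rather than through a transition into `su`. A line such as `# no_x_file_perms also covers execute_no_trans and entrypoint, so su can only run via a domain transition.` would make that explicit (confirm against the macro definition). It is also worth stating that on user builds `userdebug_or_eng(...)` expands to nothing, so the rule collapses to `neverallow domain su_exec:file no_x_file_perms;`, which is exactly the user-build property the commit message claims. As a possible follow-up, the exclusions still let dumpstate and shell hold `entrypoint` on su_exec; a companion `neverallow { domain userdebug_or_eng(`-su') } su_exec:file entrypoint;` would pin that only the su domain can be entered through the binary, assuming nothing else in su.te needs it.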
-- 
GitLab