From caf347b515a60c2ac42b334bc5800514cdd53b55 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Sat, 12 Jul 2014 12:46:58 -0700
Subject: [PATCH] Tweak rules for su domain.

1) Remove explicit allow statements. Since su is permissive,
there's no need to ever specify allow statements for su.

2) Remove unconfined_domain(su). Su is already permissive, so there's
no need to join the unconfined domain, and it just makes getting
rid of unconfined more difficult.

3) Put su into app_domain(). This addresses, in a roundabout sorta
way, the following denial:

  type=1400 audit(0.0:4): avc: denied { setsched } for scontext=u:r:system_server:s0 tcontext=u:r:su:s0 tclass=process permissive=0

which comes up while testing media processes as root. We already put
the shell user into this domain, so adding su to this domain ensures
other processes can communicate consistently with su spawned processes.

Bug: 16261280
Bug: 16298582

(cherry picked from commit 213bb45bdd631920646d51777b29745c3d2f51c2)

Change-Id: If9c3483184ecdf871efee394c0b696e30f61d15d
---
 su.te | 12 ++----------
 1 file changed, 2 insertions(+), 10 deletions(-)

diff --git a/su.te b/su.te
index 861514825..73ca51406 100644
--- a/su.te
+++ b/su.te
@@ -12,20 +12,12 @@ userdebug_or_eng(`
   # additional information.
   domain_auto_trans(dumpstate, su_exec, su)
 
-  # su is unconfined.
-  unconfined_domain(su)
-
-  allow su ashmem_device:chr_file execute;
-  allow su self:process execmem;
-  tmpfs_domain(su)
-  allow su su_tmpfs:file execute;
-  allow su debuggerd_prop:property_service set;
-
   # su is also permissive to permit setenforce.
   permissive su;
 
-  # Make su a net domain.
+  # Add su to various domains
   net_domain(su)
+  app_domain(su)
 
   dontaudit su self:capability_class_set *;
   dontaudit su kernel:security *;
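Review bot: The new comment `# Add su to various domains` does not say why a root debug domain joins `app_domain`, which is the part of this hunk a later reader will question. The reason exists only in the commit message, and presumably every rule that other domains hold toward appdomain targets now also covers su processes. I would record that next to the macro call, e.g. `# app_domain(su): let rules that target appdomain (such as system_server setsched) apply to su-spawned processes, as already done for shell; userdebug/eng builds only.` The retained comment `# su is also permissive to permit setenforce.` now has a dangling "also", because the unconfined line it followed is removed; `# su is permissive to permit setenforce.` reads correctly on its own. The `userdebug_or_eng(` block starts above the hunk and continues past its last line.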
-- 
GitLab