am d233350b: Merge "Support running adbd in the su domain."

* commit 'd233350b': Support running adbd in the su domain.

am d233350b: Merge "Support running adbd in the su domain."
* commit 'd233350b': Support running adbd in the su domain.
0f950ce9 · Nick Kralevich · Android Git Automerger · bd8adee9 · d233350b · 0f950ce9
Commit 0f950ce9 authored 11 years ago by Nick Kralevich Committed by Android Git Automerger 11 years ago
--- a/adbd.te
+++ b/adbd.te
@@ -4,6 +4,7 @@ type adbd, domain;

 userdebug_or_eng(`
  permissive adbd;
+  allow adbd su:process dyntransition;
 ')

 domain_auto_trans(adbd, shell_exec, shell)

--- a/domain.te
+++ b/domain.te
@@ -28,6 +28,20 @@ allow domain adbd:unix_stream_socket connectto;
 allow domain adbd:fd use;
 allow domain adbd:unix_stream_socket { getattr getopt read write shutdown };

+userdebug_or_eng(`
+  # Same as adbd rules above, except allow su to do the same thing
+  allow domain su:unix_stream_socket connectto;
+  allow domain su:fd use;
+  allow domain su:unix_stream_socket { getattr getopt read write shutdown };
+
+  # Running something like "pm dump com.android.bluetooth" requires
+  # fifo writes
+  allow domain su:fifo_file { write getattr };
+
+  # allow "gdbserver --attach" to work for su.
+  allow domain su:process sigchld;
+')
+
 ###
 ### Talk to debuggerd.
 ###

--- a/su.te
+++ b/su.te
@@ -12,6 +12,11 @@ userdebug_or_eng(`
  # su is unconfined.
  unconfined_domain(su)

+  allow su ashmem_device:chr_file execute;
+  allow su self:process execmem;
+  tmpfs_domain(su)
+  allow su su_tmpfs:file execute;
+
  # su is also permissive to permit setenforce.
  permissive su;
 ')