# Policy for the su domain (root shell / adb root). Only the type
# declarations are unconditional; every rule is confined to
# userdebug/eng builds by the userdebug_or_eng() macro below.

# All types must be defined regardless of build variant to ensure
# policy compilation succeeds with userdebug/user combination at boot
# (file_contexts and other policy still reference these types on user
# builds even though no rule below applies there).
type su, domain;

# File types must be defined for file_contexts.
type su_exec, exec_type, file_type;

userdebug_or_eng(`
# Domain used for su processes, as well as for adbd and adb shell
# after performing an adb root command. The domain definition is
# wrapped to ensure that it does not exist at all on -user builds.
#
# NOTE: the wrapper is an m4 quoted block, so comments inside it must
# not contain the m4 quote characters (backquote or apostrophe).

# mlstrustedsubject exempts the domain from MLS constraint checks.
typeattribute su mlstrustedsubject;

# Add su to various domains
net_domain(su)

# grant su access to vndbinder
vndbinder_use(su)

# The dontaudit rules below do not grant any access; they only suppress
# logging of denials. The wildcards cover nearly every object class, so
# on userdebug/eng builds the audit log is not a reliable record of what
# su attempted: denials from this domain are silently dropped.
dontaudit su self:capability_class_set *;
dontaudit su kernel:security *;
dontaudit su kernel:system *;
dontaudit su self:memprotect *;
dontaudit su domain:process *;
dontaudit su domain:fd *;
dontaudit su domain:dir *;
dontaudit su domain:lnk_file *;
dontaudit su domain:{ fifo_file file } *;
dontaudit su domain:socket_class_set *;
dontaudit su domain:ipc_class_set *;
dontaudit su domain:key *;
dontaudit su fs_type:filesystem *;
dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
dontaudit su node_type:node *;
dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
dontaudit su netif_type:netif *;
dontaudit su port_type:socket_class_set *;
dontaudit su port_type:{ tcp_socket dccp_socket } *;
dontaudit su domain:peer *;
dontaudit su domain:binder *;
dontaudit su property_type:property_service *;
dontaudit su property_type:file *;
dontaudit su service_manager_type:service_manager *;
dontaudit su hwservice_manager_type:hwservice_manager *;
dontaudit su vndservice_manager_type:service_manager *;
dontaudit su servicemanager:service_manager list;
dontaudit su hwservicemanager:hwservice_manager list;
dontaudit su vndservicemanager:service_manager list;
dontaudit su keystore:keystore_key *;
dontaudit su domain:drmservice *;
dontaudit su unlabeled:filesystem *;
dontaudit su postinstall_file:filesystem *;
')