1userdebug_or_eng(` 2 typeattribute su coredomain; 3 4 domain_auto_trans(shell, su_exec, su) 5 # Allow dumpstate to call su on userdebug / eng builds to collect 6 # additional information. 7 domain_auto_trans(dumpstate, su_exec, su) 8 9 # Make sure that dumpstate runs the same from the "su" domain as 10 # from the "init" domain. 11 domain_auto_trans(su, dumpstate_exec, dumpstate) 12 13 # Put the incident command into its domain so it is the same on user, userdebug and eng. 14 domain_auto_trans(su, incident_exec, incident) 15 16 # Put the odrefresh command into its domain. 17 domain_auto_trans(su, odrefresh_exec, odrefresh) 18 19 # Put the perfetto command into its domain so it is the same on user, userdebug and eng. 20 domain_auto_trans(su, perfetto_exec, perfetto) 21 22 # Put the virtmgr command into its domain. 23 domain_auto_trans(su, virtualizationmanager_exec, virtualizationmanager) 24 25 # su is also permissive to permit setenforce. 26 permissive su; 27 28 app_domain(su) 29 30 # Do not audit accesses to keystore2 namespace for the su domain. 31 dontaudit su keystore2_key_type:{ keystore2 keystore2_key } *; 32 33 # Allow root to set MTE permissive mode. 34 set_prop(su, permissive_mte_prop); 35') 36