1userdebug_or_eng(` 2 typeattribute su coredomain; 3 4 domain_auto_trans(shell, su_exec, su) 5 # Allow dumpstate to call su on userdebug / eng builds to collect 6 # additional information. 7 domain_auto_trans(dumpstate, su_exec, su) 8 9 # Make sure that dumpstate runs the same from the "su" domain as 10 # from the "init" domain. 11 domain_auto_trans(su, dumpstate_exec, dumpstate) 12 13 # Put the incident command into its domain so it is the same on user, userdebug and eng. 14 domain_auto_trans(su, incident_exec, incident) 15 16 # Put the odrefresh command into its domain. 17 domain_auto_trans(su, odrefresh_exec, odrefresh) 18 19 # Put the perfetto command into its domain so it is the same on user, userdebug and eng. 20 domain_auto_trans(su, perfetto_exec, perfetto) 21 22 # Allow accessing virtualization (e.g. via the vm command) - ensures virtmgr runs in its 23 # own domain. 24 virtualizationservice_use(su) 25 26 # su is also permissive to permit setenforce. 27 permissive su; 28 29 app_domain(su) 30 31 # Do not audit accesses to keystore2 namespace for the su domain. 32 dontaudit su keystore2_key_type:{ keystore2 keystore2_key } *; 33 34 # Allow root to set MTE permissive mode. 35 set_prop(su, permissive_mte_prop); 36') 37