diff --git a/generate.sh b/generate.sh
index 7fcefd3..382b352 100644
--- a/generate.sh
+++ b/generate.sh
@@ -5,28 +5,36 @@ echo 'PRODUCT_MAKEFILES := \' > AndroidProducts.mk
 for part in a ab;do
 for apps in vanilla gapps foss;do
 for arch in arm64;do
- apps_suffix=""
- apps_script=""
- apps_name=""
- if [ "$apps" == "gapps" ];then
- apps_suffix="g"
- apps_script='$(call inherit-product, device/phh/treble/gapps.mk)'
- apps_name="with GApps"
- fi
- if [ "$apps" == "foss" ];then
- apps_suffix="f"
- apps_script='$(call inherit-product, vendor/foss/foss.mk)'
- apps_name="with FOSS apps"
- fi
- if [ "$apps" == "vanilla" ];then
- apps_suffix="v"
- apps_script=''
- apps_name="vanilla"
- fi
+ for su in yes no;do
+ apps_suffix=""
+ apps_script=""
+ apps_name=""
+ extra_packages=""
+ if [ "$apps" == "gapps" ];then
+ apps_suffix="g"
+ apps_script='$(call inherit-product, device/phh/treble/gapps.mk)'
+ apps_name="with GApps"
+ fi
+ if [ "$apps" == "foss" ];then
+ apps_suffix="f"
+ apps_script='$(call inherit-product, vendor/foss/foss.mk)'
+ apps_name="with FOSS apps"
+ fi
+ if [ "$apps" == "vanilla" ];then
+ apps_suffix="v"
+ apps_script=''
+ apps_name="vanilla"
+ fi
 
- target="treble_${arch}_${part}${apps_suffix}"
+ su_suffix='N'
+ if [ "$su" == "yes" ];then
+ su_suffix='S'
+ extra_packages+=' phh-su'
+ fi
 
- cat > ${target}.mk << EOF
+ target="treble_${arch}_${part}${apps_suffix}${su_suffix}"
+
+ cat > ${target}.mk << EOF
 include build/make/target/product/treble_common.mk
 \$(call inherit-product, device/phh/treble/base.mk)
 $apps_script
@@ -35,8 +43,11 @@ PRODUCT_NAME := $target
 PRODUCT_DEVICE := generic_arm64_$part
 PRODUCT_BRAND := Android
 PRODUCT_MODEL := Phh-Treble $apps_name
+
+PRODUCT_PACKAGES += $extra_packages
 EOF
 echo -e '\t$(LOCAL_DIR)/'$target.mk '\' >> AndroidProducts.mk
+ done
 done
 done
 done
diff --git a/sepolicy/file_contexts b/sepolicy/file_contexts
new file mode 100644
index 0000000..15ebca2
--- /dev/null
+++ b/sepolicy/file_contexts
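Review bot: In the first generate.sh hunk, the only thing that tells a su-enabled product apart from its sibling is the trailing `S`/`N` letter appended to `target`, and nothing in the script says what the letters mean. The `S` variants add `phh-su` to `PRODUCT_PACKAGES` and so ship the su daemon, which makes the distinction worth documenting for whoever picks a build target; a comment above `su_suffix='N'` would do, e.g. `# S = image ships the phh-su root daemon, N = image without su`. `PRODUCT_MODEL` in the second hunk still reads `Phh-Treble $apps_name` for both variants, so the model string does not show which one was built. The enclosing `for` loops start before the hunk.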
@@ -0,0 +1 @@
+/system/bin/phh-su u:object_r:phhsu_exec:s0
diff --git a/sepolicy/su.te b/sepolicy/su.te
new file mode 100644
index 0000000..01d665f
--- /dev/null
+++ b/sepolicy/su.te
@@ -0,0 +1,47 @@
+type phhsu_daemon, domain;
+type phhsu_exec, exec_type, file_type;
+
+typeattribute phhsu_daemon coredomain;
+permissive phhsu_daemon;
+
+tmpfs_domain(phhsu_daemon);
+domain_auto_trans(init, phhsu_exec, phhsu_daemon);
+file_type_auto_trans(phhsu_daemon, device, phhsu_daemon);
+
+allow { appdomain shell } phhsu_daemon:unix_stream_socket { connectto write read };
+allow { appdomain shell } phhsu_daemon:sock_file { write read };
+allow { appdomain shell } phhsu_exec:file { getattr read open execute execute_no_trans };
+
+create_pty(shell)
+allowxperm shell devpts:chr_file ioctl TCSETSF;
+allowxperm untrusted_app untrusted_app_devpts:chr_file ioctl TCSETSF;
+
+allow servicemanager phhsu_daemon:dir { search read };
+allow servicemanager phhsu_daemon:file { open read };
+allow servicemanager phhsu_daemon:process { getattr };
+allow servicemanager phhsu_daemon:binder { call transfer };
+
+typeattribute phhsu_daemon mlstrustedobject;
+typeattribute phhsu_daemon mlstrustedsubject;
+
+allow shell su_exec:file getattr;
+typeattribute su mlstrustedsubject;
+
+allow phhsu_daemon { system_api_service app_api_service system_server_service }:service_manager find;
+
+allow system_server phhsu_daemon:fd use;
+allow system_server phhsu_daemon:binder { call };
+
+# Add su to various domains
+net_domain(su)
+
+# grant su access to vndbinder
+vndbinder_use(su)
+
+allow phhsu_daemon toolbox_exec:file { read open execute_no_trans };
+allow phhsu_daemon untrusted_app_devpts:chr_file { getattr };
+allow phhsu_daemon zygote_exec:file { execute read open execute_no_trans getattr };
+
+allow phhsu_daemon phhsu_daemon:capability { setuid setgid dac_override chown};
+
+allow appdomain phhsu_daemon:dir { search };
diff --git a/su/Android.mk b/su/Android.mk
new file mode 100644
index 0000000..4d2e612
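Review bot: In sepolicy/su.te, `permissive phhsu_daemon;` means the `allow phhsu_daemon ...` rules further down do not constrain the daemon: denials for that domain are logged rather than enforced, so a process that also holds `setuid setgid dac_override chown` is effectively outside SELinux confinement. Together with `allow { appdomain shell } phhsu_daemon:unix_stream_socket { connectto write read };`, every app domain can reach the daemon's socket, so the decision about who gets root rests entirely on checks inside the prebuilt binary, which this diff does not show. I would state that at the top of the file, e.g. `# phhsu_daemon is permissive: SELinux does not confine it; caller authorization is done by phh-su itself`, and treat the permissive line as temporary until the allow rules are complete. The rules on the platform `su` type (`typeattribute su mlstrustedsubject;`, `net_domain(su)`, `vndbinder_use(su)`) are not obviously tied to `phhsu_daemon`, and a comment saying why they are needed would help.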
--- /dev/null
+++ b/su/Android.mk
@@ -0,0 +1,11 @@
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+
+LOCAL_SRC_FILES := su
+LOCAL_MODULE := phh-su
+LOCAL_MODULE_CLASS := EXECUTABLES
+
+LOCAL_INIT_RC := su.rc
+
+include $(BUILD_PREBUILT)
diff --git a/su/su b/su/su
new file mode 100755
index 0000000..59f1aaf
Binary files /dev/null and b/su/su differ
diff --git a/su/su.rc b/su/su.rc
new file mode 100644
index 0000000..935bdde
--- /dev/null
+++ b/su/su.rc
@@ -0,0 +1,2 @@
+service sudaemon /system/bin/phh-su --daemon
+ class main
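Review bot: In su/Android.mk, `LOCAL_SRC_FILES := su` with `include $(BUILD_PREBUILT)` installs the committed binary unchanged (su/su appears in this diff only as "Binary files ... differ"), and nothing in the makefile records what it was built from. For an executable that init starts as a daemon via su.rc, that leaves the shipped image unauditable from this tree. A provenance comment above `LOCAL_SRC_FILES` would be the minimum, e.g. `# prebuilt from <SOURCE_REPO_URL> at <COMMIT>, sha256 <DIGEST>` (placeholders; the page does not give these values). Building the binary from source in-tree would be the stronger fix.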
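Review bot: The `sudaemon` service in su/su.rc declares only `class main`, so it starts with init's defaults on every boot of an image that includes the package. No `user`, `group` or `seclabel` line is given, which leaves it running as root and relying on `domain_auto_trans(init, phhsu_exec, phhsu_daemon)` plus the file_contexts label to end up in the intended domain. Making the identity explicit would let a reader see it without cross-referencing the policy: add `user root` and `seclabel u:r:phhsu_daemon:s0` under `class main`. Whether the daemon should start unconditionally or only behind a property trigger is a design choice this diff does not explain, and a comment in the file would settle it.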