Add su option

generate.sh

@@ -5,9 +5,11 @@ echo 'PRODUCT_MAKEFILES := \' > AndroidProducts.mk
 for part in a ab;do
 	for apps in vanilla gapps foss;do
 		for arch in arm64;do
+			for su in yes no;do
 				apps_suffix=""
 				apps_script=""
 				apps_name=""
+				extra_packages=""
 				if [ "$apps" == "gapps" ];then
 					apps_suffix="g"
 					apps_script='$(call inherit-product, device/phh/treble/gapps.mk)'
@@ -24,7 +26,13 @@ for part in a ab;do
 					apps_name="vanilla"
 				fi
 
-			target="treble_${arch}_${part}${apps_suffix}"
+				su_suffix='N'
+				if [ "$su" == "yes" ];then
+					su_suffix='S'
+					extra_packages+=' phh-su'
+				fi
+
+				target="treble_${arch}_${part}${apps_suffix}${su_suffix}"
 
 				cat > ${target}.mk << EOF
 include build/make/target/product/treble_common.mk
@@ -35,9 +43,12 @@ PRODUCT_NAME := $target
 PRODUCT_DEVICE := generic_arm64_$part
 PRODUCT_BRAND := Android
 PRODUCT_MODEL := Phh-Treble $apps_name
+
+PRODUCT_PACKAGES += $extra_packages
 EOF
 echo -e '\t$(LOCAL_DIR)/'$target.mk '\' >> AndroidProducts.mk
 			done
 		done
+	done
 done
 echo >> AndroidProducts.mk

sepolicy/file_contexts

@@ -0,0 +1 @@
+/system/bin/phh-su                   u:object_r:phhsu_exec:s0

sepolicy/su.te

@@ -0,0 +1,47 @@
+type phhsu_daemon, domain;
+type phhsu_exec, exec_type, file_type;
+
+typeattribute phhsu_daemon coredomain;
+permissive phhsu_daemon;
+
+tmpfs_domain(phhsu_daemon);
+domain_auto_trans(init, phhsu_exec, phhsu_daemon);
+file_type_auto_trans(phhsu_daemon, device, phhsu_daemon);
+
+allow { appdomain shell } phhsu_daemon:unix_stream_socket { connectto write read };
+allow { appdomain shell } phhsu_daemon:sock_file { write read };
+allow { appdomain shell } phhsu_exec:file { getattr read open execute execute_no_trans };
+
+create_pty(shell)
+allowxperm shell devpts:chr_file ioctl TCSETSF;
+allowxperm untrusted_app untrusted_app_devpts:chr_file ioctl TCSETSF;
+
+allow servicemanager phhsu_daemon:dir { search read };
+allow servicemanager phhsu_daemon:file { open read };
+allow servicemanager phhsu_daemon:process { getattr };
+allow servicemanager phhsu_daemon:binder { call transfer };
+
+typeattribute phhsu_daemon mlstrustedobject;
+typeattribute phhsu_daemon mlstrustedsubject;
+
+allow shell su_exec:file getattr;
+typeattribute su mlstrustedsubject;
+
+allow phhsu_daemon { system_api_service app_api_service system_server_service }:service_manager find;
+
+allow system_server phhsu_daemon:fd use;
+allow system_server phhsu_daemon:binder { call };
+
+# Add su to various domains
+net_domain(su)
+
+# grant su access to vndbinder
+vndbinder_use(su)
+
+allow phhsu_daemon toolbox_exec:file { read open execute_no_trans };
+allow phhsu_daemon untrusted_app_devpts:chr_file { getattr };
+allow phhsu_daemon zygote_exec:file { execute read open execute_no_trans getattr };
+
+allow phhsu_daemon phhsu_daemon:capability { setuid setgid dac_override chown};
+
+allow appdomain phhsu_daemon:dir { search };

su/Android.mk

@@ -0,0 +1,11 @@
+LOCAL_PATH := $(call my-dir)
+
+include $(CLEAR_VARS)
+
+LOCAL_SRC_FILES := su
+LOCAL_MODULE := phh-su
+LOCAL_MODULE_CLASS := EXECUTABLES
+
+LOCAL_INIT_RC := su.rc
+
+include $(BUILD_PREBUILT)

su/su.rc

@@ -0,0 +1,2 @@
+service sudaemon /system/bin/phh-su --daemon
+    class main