From bdd495b11dc2f3d3c135ccbc201796095200da2f Mon Sep 17 00:00:00 2001
From: Pierre-Hugues Husson
Date: Sun, 14 Jan 2018 00:16:42 +0100
Subject: [PATCH] [sepolicy] Various su improvements
---
 sepolicy/su.te | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/sepolicy/su.te b/sepolicy/su.te
index 7510f1e..bee6361 100644
--- a/sepolicy/su.te
+++ b/sepolicy/su.te
@@ -29,9 +29,10 @@ typeattribute su mlstrustedsubject;
 allow phhsu_daemon { system_api_service app_api_service system_server_service }:service_manager find;
-allow system_server phhsu_daemon:fd use;
-allow system_server phhsu_daemon:binder { call transfer };
-allow system_server shell_devpts:chr_file { read write };
+allow { system_server halclientdomain coredomain -installd } phhsu_daemon:fd use;
+allow { system_server halclientdomain coredomain -installd } phhsu_daemon:binder { call transfer };
+allow { system_server halclientdomain coredomain -installd } phhsu_daemon:fifo_file { read write };
+allow { system_server halclientdomain coredomain -installd } shell_devpts:chr_file { read write };
 # Add su to various domains
 net_domain(su)
@@ -46,3 +47,10 @@ allow phhsu_daemon zygote_exec:file { execute read open execute_no_trans getattr
 allow phhsu_daemon phhsu_daemon:capability { setuid setgid dac_override chown};
 allow appdomain phhsu_daemon:dir { search };
+allow domain phhsu_daemon:process { sigchld };
+allow hwservicemanager phhsu_daemon:process { getattr };
+allow hwservicemanager phhsu_daemon:dir { search };
+allow hwservicemanager phhsu_daemon:file { open read };
+allow phhsu_daemon { property_type -serialno_prop -firstboot_prop }:file { read };
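Review bot: The source set `{ system_server halclientdomain coredomain -installd }` on the four new `allow` lines widens binder call/transfer, fd use and fifo read/write on phhsu_daemon, plus read/write on shell_devpts, from system_server alone to essentially every platform domain (in AOSP `coredomain` is the attribute for non-vendor domains and system_server already carries it, so naming it separately is redundant). For a daemon whose purpose is to hand out root, that is a large trust expansion: any coredomain process, not just the callers that were actually denied, can now call into the su daemon and read/write the shell pty. The `-installd` carve-out looks like a neverallow workaround rather than a scoping decision, but nothing in the hunk says so. I would narrow the set to the domains that appeared in real denials, or at minimum leave a comment on the first line explaining the choice: `# Wide on purpose: callers of the su daemon are not enumerable yet; installd excluded to satisfy a neverallow`.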
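Review bot: `allow phhsu_daemon { property_type -serialno_prop -firstboot_prop }:file { read };` is an exclusion-based wildcard, so every property type added to the policy later becomes readable by the root daemon without anyone revisiting this rule, and the two carve-outs read like they exist only to get past AOSP neverallows. Since phhsu_daemon is already granted setuid/setgid/dac_override in the context lines above, the least-privilege option is to enumerate the property types it actually reads (the denials that prompted the rule would list them), or at least document the intent: `# su reads system properties; serialno/firstboot excluded only to satisfy neverallows`. The domain-wide `allow domain phhsu_daemon:process { sigchld };` looks benign (SIGCHLD only flows back from processes the daemon spawned, to the extent that is how it is used), but a one-line comment saying so would save the next reader from questioning a rule with `domain` as its source. This hunk appears to run to the end of su.te, so nothing follows the new property rule.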