环境背景：app 内调用 su 提权时提示没有权限。
下面直接贴出 git 修改记录。注意：这些改动放宽了 su 的文件权限和 SELinux 限制，只应用于 userdebug/eng 调试版本，不要带入 user 正式版本。
--- a/system/core/libcutils/fs_config.c
+++ b/system/core/libcutils/fs_config.c
@@ -136,7 +136,7 @@ static const struct fs_path_config android_files[] = {
/* the following two files are INTENTIONALLY set-uid, but they
* are NOT included on user builds. */
- { 04750, AID_ROOT, AID_SHELL, 0, "system/xbin/su" },
+ { 04755, AID_ROOT, AID_SHELL, 0, "system/xbin/su" },
{ 06755, AID_ROOT, AID_ROOT, 0, "system/xbin/procmem" },
/* the following files have enhanced capabilities and ARE included in user builds. */
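Review bot: Changing the su entry from 04750 to 04755 makes a setuid-root binary executable by every uid on the device rather than only members of AID_SHELL, and because the same change also drops the SELinux neverallow on su_exec, any process that can reach /system/xbin/su can then become root. If the need is only for system apps (uid system) to run su, keep 04750 and let the su daemon decide who may use it, or at minimum make sure this entry is only ever installed on userdebug/eng builds, as the comment above the entry promises ("NOT included on user builds"). The comment should also say why the mode was relaxed, e.g. `/* 04755 so system_app (uid system) can exec su; debug builds only, never user */`. The android_files[] table starts before this hunk.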
diff --git a/system/sepolicy/domain.te b/system/sepolicy/domain.te
index 45569de..4aa0cc0 100644
--- a/system/sepolicy/domain.te
+++ b/system/sepolicy/domain.te
@@ -421,7 +421,7 @@ neverallow * { file_type fs_type dev_type }:{ lnk_file fifo_file sock_file } mou
# Nobody should be able to execute su on user builds.
# On userdebug/eng builds, only dumpstate, shell, and
# su itself execute su.
-neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms;
+#neverallow { domain userdebug_or_eng(`-dumpstate -shell -su') } su_exec:file no_x_file_perms;
# Do not allow the introduction of new execmod rules. Text relocations
# and modification of executable pages are unsafe.
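Review bot: Commenting out the neverallow deletes the build-time assertion entirely instead of adding an exception for the one new caller, so policy no longer prevents any domain — including untrusted_app on a user build — from executing su_exec. Keep the rule and add `-system_app` to the userdebug_or_eng exception list alongside `-dumpstate -shell -su`; since userdebug_or_eng() expands to nothing on user builds, this preserves the "nobody executes su on user builds" guarantee stated in the comment above the rule, and the build will still fail if a later allow rule widens access further. The comment on the rule should then list system_app among the domains permitted on userdebug/eng builds.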
diff --git a/system/sepolicy/system_app.te b/system/sepolicy/system_app.te
index 50320c5..5a02294 100644
--- a/system/sepolicy/system_app.te
+++ b/system/sepolicy/system_app.te
@@ -74,4 +74,10 @@ allow system_app keystore:keystore_key {
allow system_app sysfs_zram:dir search;
allow system_app sysfs_zram:file r_file_perms;
+allow system_app su_exec:file { execute execute_no_trans open read };
+
+allow system_app device:sock_file write;
+allow system_app su_exec:file getattr;
+allow system_app sudaemon:unix_stream_socket connectto;
+
control_logd(system_app)
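Review bot: The new allow rules are unconditional, so system_app gains execute on su_exec and connectto on sudaemon on user builds as well as debug builds; wrapping them in userdebug_or_eng() keeps release policy unchanged. `allow system_app device:sock_file write;` is also broader than the stated need, since it covers every socket file carrying the device label rather than only the su daemon's socket — a dedicated type for that socket would be tighter, though whether sudaemon already labels it cannot be seen from this hunk. The two su_exec rules can be merged into one, and a comment should record that this exists only so system apps can reach su on debug builds.

```sepolicy
# … unchanged: sysfs_zram rules …

# Debug-build only: let system apps exec su and talk to the su daemon.
userdebug_or_eng(`
allow system_app su_exec:file { getattr open read execute execute_no_trans };
allow system_app device:sock_file write;
allow system_app sudaemon:unix_stream_socket connectto;
')
```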