# File types must be defined for file_contexts.
type su_exec, exec_type, file_type;

userdebug_or_eng(`
  # Domain used for su processes, as well as for adbd and adb shell
  # after performing an adb root command.  The domain definition is
  # wrapped to ensure that it does not exist at all on -user builds.
  type su, domain;
  domain_auto_trans(shell, su_exec, su)

  # Allow dumpstate to call su on userdebug / eng builds to collect
  # additional information.
  domain_auto_trans(dumpstate, su_exec, su)

  # su is unconfined.
  unconfined_domain(su)

  allow su ashmem_device:chr_file execute;
  allow su self:process execmem;
  tmpfs_domain(su)
  allow su su_tmpfs:file execute;
  allow su debuggerd_prop:property_service set;

  # su is also permissive to permit setenforce.
  permissive su;
')