From c3df8d756291b5258c21335e1266efb941fd7d0a Mon Sep 17 00:00:00 2001
From: Nick Kralevich
Date: Sun, 8 Jun 2014 15:14:42 -0700
Subject: [PATCH] Make su 04750

Currently, /system/xbin/su is world executable. Prior to SELinux enforcement, anyone (including third party apps) could run su. The su code itself checks to see if the calling UID is root or shell. Rather than relying on enforcement within the su binary, modify the binary so it has group=shell, and remove world-execute permission. This helps avoid some annoying SELinux denial messages as third party apps call su on userdebug/eng builds.

Change-Id: I61c9231bb7e201d14ee3a5b6fe81b3fa7b12599f
---
 include/private/android_filesystem_config.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/private/android_filesystem_config.h b/include/private/android_filesystem_config.h
index 03b3506de..d8e938ea1 100644
--- a/include/private/android_filesystem_config.h
+++ b/include/private/android_filesystem_config.h
@@ -244,7 +244,7 @@ static const struct fs_path_config android_files[] = {
 /* the following five files are INTENTIONALLY set-uid, but they
 * are NOT included on user builds. */
- { 06755, AID_ROOT, AID_ROOT, 0, "system/xbin/su" },
+ { 04750, AID_ROOT, AID_SHELL, 0, "system/xbin/su" },
 { 06755, AID_ROOT, AID_ROOT, 0, "system/xbin/librank" },
 { 06755, AID_ROOT, AID_ROOT, 0, "system/xbin/procrank" },
 { 06755, AID_ROOT, AID_ROOT, 0, "system/xbin/procmem" },
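Review bot: The new su entry drops the setgid bit as well as world-execute (06755 → 04750), but the commit message only describes the group-ownership and execute-permission changes; if su relies on starting with egid 0 rather than calling setgid() itself this is a silent behavior change, so either state that intent in the message or use 06750 — su's source is not visible from here to confirm which. The in-binary "caller is root or shell" check that the message says the mode now replaces should stay as defense in depth, because fs_config modes only hold on images where this table was applied, and a rebuilt or remounted userdebug image with looser permissions would otherwise expose a setuid-root su to every UID. I would also record the reasoning at the entry so the next person does not "fix" it back to match the four identical entries below it, e.g. `/* 04750: setuid root, exec limited to group shell; su also checks the caller's UID itself */` on the line above the su entry.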