microdroid/system/private/adbd.te - LeafOS-Project/android_system_sepolicy - Gitiles

 typeattribute adbd coredomain;

 init_daemon_domain(adbd)

 domain_auto_trans(adbd, shell_exec, shell)

 # Allow adbd to transition to su. In Android, this is disallowed in user builds.
 # However, Microdroid allows it even in user builds because apps should be able
 # to adb root into their "debuggable" VMs in user builds. Disabling adbd for
 # non debuggable VMs are done by not starting adbd at all using sysprops.
 allow adbd self:process setcurrent;
 allow adbd su:process dyntransition;

 # Do not sanitize the environment or open fds of the shell. Allow signaling
 # created processes.
 allow adbd shell:process { noatsecure signal };

 # Set UID and GID to shell.  Set supplementary groups.
 allow adbd self:global_capability_class_set { setuid setgid };

 # Drop capabilities from bounding set on user builds.
 allow adbd self:global_capability_class_set setpcap;

 # adbd probes for vsock support. Do not generate denials when
 # this occurs. (b/123569840)
 dontaudit adbd self:{ socket vsock_socket } create;

 # Allow adbd inside vm to forward vm's vsock.
 allow adbd self:vsock_socket { create_socket_perms_no_ioctl listen accept };

 # Use a pseudo tty.
 allow adbd devpts:chr_file rw_file_perms;

 # adb push/pull /data/local/tmp.
 allow adbd shell_data_file:dir create_dir_perms;
 allow adbd shell_data_file:file create_file_perms;

 allow adbd tmpfs:dir search;

 allow adbd rootfs:dir r_dir_perms;

 # Connect to shell and use a socket transferred from it.
 # Used for e.g. abb.
 allow adbd shell:unix_stream_socket { read write shutdown };
 allow adbd shell:fd use;

 set_prop(adbd, shell_prop)

 # Set service.adb.tcp.port, service.adb.tls.port, persist.adb.wifi.* properties
 set_prop(adbd, adbd_prop)

 # Allow pulling the SELinux policy for CTS purposes
 allow adbd selinuxfs:dir r_dir_perms;
 allow adbd selinuxfs:file r_file_perms;
 allow adbd kernel:security read_policy;

 # adbd tries to run mdnsd, but mdnsd doesn't exist. Just dontaudit ctl permissions.
 # TODO(b/200902288): patch adb and remove this rule
 dontaudit adbd { ctl_default_prop ctl_start_prop }:property_service set;

 # only adbd can transition to su.
 neverallow {domain -adbd} su:process { transition dyntransition };
	typeattribute adbd coredomain;

	init_daemon_domain(adbd)

	domain_auto_trans(adbd, shell_exec, shell)

	# Allow adbd to transition to su. In Android, this is disallowed in user builds.
	# However, Microdroid allows it even in user builds because apps should be able
	# to adb root into their "debuggable" VMs in user builds. Disabling adbd for
	# non debuggable VMs are done by not starting adbd at all using sysprops.
	allow adbd self:process setcurrent;
	allow adbd su:process dyntransition;

	# Do not sanitize the environment or open fds of the shell. Allow signaling
	# created processes.
	allow adbd shell:process { noatsecure signal };

	# Set UID and GID to shell. Set supplementary groups.
	allow adbd self:global_capability_class_set { setuid setgid };

	# Drop capabilities from bounding set on user builds.
	allow adbd self:global_capability_class_set setpcap;

	# adbd probes for vsock support. Do not generate denials when
	# this occurs. (b/123569840)
	dontaudit adbd self:{ socket vsock_socket } create;

	# Allow adbd inside vm to forward vm's vsock.
	allow adbd self:vsock_socket { create_socket_perms_no_ioctl listen accept };

	# Use a pseudo tty.
	allow adbd devpts:chr_file rw_file_perms;

	# adb push/pull /data/local/tmp.
	allow adbd shell_data_file:dir create_dir_perms;
	allow adbd shell_data_file:file create_file_perms;

	allow adbd tmpfs:dir search;

	allow adbd rootfs:dir r_dir_perms;

	# Connect to shell and use a socket transferred from it.
	# Used for e.g. abb.
	allow adbd shell:unix_stream_socket { read write shutdown };
	allow adbd shell:fd use;

	set_prop(adbd, shell_prop)

	# Set service.adb.tcp.port, service.adb.tls.port, persist.adb.wifi.* properties
	set_prop(adbd, adbd_prop)

	# Allow pulling the SELinux policy for CTS purposes
	allow adbd selinuxfs:dir r_dir_perms;
	allow adbd selinuxfs:file r_file_perms;
	allow adbd kernel:security read_policy;

	# adbd tries to run mdnsd, but mdnsd doesn't exist. Just dontaudit ctl permissions.
	# TODO(b/200902288): patch adb and remove this rule
	dontaudit adbd { ctl_default_prop ctl_start_prop }:property_service set;

	# only adbd can transition to su.
	neverallow {domain -adbd} su:process { transition dyntransition };