| # adbd seclabel is specified in init.rc since |
| # it lives in the rootfs and has no unique file type. |
| type adbd, domain, mlstrustedsubject; |
| |
| userdebug_or_eng(` |
| allow adbd self:process setcurrent; |
| allow adbd su:process dyntransition; |
| ') |
| |
| # Do not sanitize the environment or open fds of the shell. Allow signaling |
| # created processes. |
| allow adbd shell:process { noatsecure signal }; |
| |
| # Set UID and GID to shell. Set supplementary groups. |
| allow adbd self:capability { setuid setgid }; |
| |
| # Drop capabilities from bounding set on user builds. |
| allow adbd self:capability setpcap; |
| |
| # Create and use network sockets. |
| net_domain(adbd) |
| |
| # Access /dev/android_adb or /dev/usb-ffs/adb/ep0 |
| allow adbd adb_device:chr_file rw_file_perms; |
| allow adbd functionfs:dir search; |
| allow adbd functionfs:file rw_file_perms; |
| |
| # Use a pseudo tty. |
| allow adbd devpts:chr_file rw_file_perms; |
| |
| # adb push/pull /data/local/tmp. |
| allow adbd shell_data_file:dir create_dir_perms; |
| allow adbd shell_data_file:file create_file_perms; |
| |
| # adb pull /data/misc/profman. |
| allow adbd profman_dump_data_file:dir r_dir_perms; |
| allow adbd profman_dump_data_file:file r_file_perms; |
| |
| # adb push/pull sdcard. |
| allow adbd tmpfs:dir search; |
| allow adbd rootfs:lnk_file r_file_perms; # /sdcard symlink |
| allow adbd tmpfs:lnk_file r_file_perms; # /mnt/sdcard symlink |
| allow adbd sdcard_type:dir create_dir_perms; |
| allow adbd sdcard_type:file create_file_perms; |
| |
| # adb pull /data/anr/traces.txt |
| allow adbd anr_data_file:dir r_dir_perms; |
| allow adbd anr_data_file:file r_file_perms; |
| |
| # Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties. |
| set_prop(adbd, shell_prop) |
| set_prop(adbd, powerctl_prop) |
| set_prop(adbd, ffs_prop) |
| |
| # Access device logging gating property |
| get_prop(adbd, device_logging_prop) |
| |
| # Read device's serial number from system properties |
| get_prop(adbd, serialno_prop) |
| |
| # Run /system/bin/bu |
| allow adbd system_file:file rx_file_perms; |
| |
| # Perform binder IPC to surfaceflinger (screencap) |
| # XXX Run screencap in a separate domain? |
| binder_use(adbd) |
| binder_call(adbd, surfaceflinger) |
| # b/13188914 |
| allow adbd gpu_device:chr_file rw_file_perms; |
| allow adbd ion_device:chr_file rw_file_perms; |
| r_dir_file(adbd, system_file) |
| |
| # Read /data/misc/adb/adb_keys. |
| allow adbd adb_keys_file:dir search; |
| allow adbd adb_keys_file:file r_file_perms; |
| |
| userdebug_or_eng(` |
| # Write debugging information to /data/adb |
| # when persist.adb.trace_mask is set |
| # https://code.google.com/p/android/issues/detail?id=72895 |
| allow adbd adb_data_file:dir rw_dir_perms; |
| allow adbd adb_data_file:file create_file_perms; |
| ') |
| |
| # ndk-gdb invokes adb forward to forward the gdbserver socket. |
| allow adbd { app_data_file ephemeral_data_file }:dir search; |
| allow adbd { app_data_file ephemeral_data_file }:sock_file write; |
| allow adbd { appdomain ephemeral_app }:unix_stream_socket connectto; |
| |
| # ndk-gdb invokes adb pull of app_process, linker, and libc.so. |
| allow adbd zygote_exec:file r_file_perms; |
| allow adbd system_file:file r_file_perms; |
| |
| # Allow pulling the SELinux policy for CTS purposes |
| allow adbd selinuxfs:dir r_dir_perms; |
| allow adbd selinuxfs:file r_file_perms; |
| allow adbd kernel:security read_policy; |
| |
| allow adbd surfaceflinger_service:service_manager find; |
| allow adbd bootchart_data_file:dir search; |
| allow adbd bootchart_data_file:file r_file_perms; |
| |
| # Allow access to external storage; we have several visible mount points under /storage |
| # and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary |
| allow adbd storage_file:dir r_dir_perms; |
| allow adbd storage_file:lnk_file r_file_perms; |
| allow adbd mnt_user_file:dir r_dir_perms; |
| allow adbd mnt_user_file:lnk_file r_file_perms; |
| |
| # Access to /data/media. |
| # This should be removed if sdcardfs is modified to alter the secontext for its |
| # accesses to the underlying FS. |
| allow adbd media_rw_data_file:dir create_dir_perms; |
| allow adbd media_rw_data_file:file create_file_perms; |
| |
| r_dir_file(adbd, apk_data_file) |
| |
| allow adbd rootfs:dir r_dir_perms; |
| |
| ### |
| ### Neverallow rules |
| ### |
| |
| # No transitions from adbd to non-shell domains. adbd only ever |
| # transitions to the shell domain. In particular, we never want |
| # to see a transition from adbd to su (aka "adb root") |
| neverallow adbd { domain -shell }:process transition; |
| neverallow adbd { domain userdebug_or_eng(`-su') }:process dyntransition; |