# SELinux policy for the adb daemon (adbd).
# adbd seclabel is specified in init.rc since
# it lives in the rootfs and has no unique file type.
# mlstrustedsubject: adbd is not subject to the MLS constraints.
type adbd, domain, mlstrustedsubject;

# userdebug/eng builds only (not granted on user builds): adbd may
# change its own security context (setcurrent) and dynamically
# transition into the su domain (dyntransition).  This is the
# privilege-escalation path for debug builds; keep it inside the macro.
userdebug_or_eng(`
  allow adbd self:process setcurrent;
  allow adbd su:process dyntransition;
')

# Executing a shell_exec file from adbd automatically transitions the
# child into the shell domain (adb shell).
domain_auto_trans(adbd, shell_exec, shell)

# Do not sanitize the environment or open fds of the shell.
allow adbd shell:process noatsecure;

# Set UID and GID to shell.  Set supplementary groups.
allow adbd self:capability { setuid setgid };

# Drop capabilities from bounding set on user builds.
allow adbd self:capability setpcap;

# Create and use network sockets.
net_domain(adbd)

# Access /dev/android_adb or /dev/usb-ffs/adb/ep0
allow adbd adb_device:chr_file rw_file_perms;
allow adbd functionfs:dir search;
allow adbd functionfs:file rw_file_perms;

# Use a pseudo tty.
allow adbd devpts:chr_file rw_file_perms;

# adb push/pull /data/local/tmp.
allow adbd shell_data_file:dir create_dir_perms;
allow adbd shell_data_file:file create_file_perms;

# adb push/pull sdcard.
# sdcard_type is an attribute, so this covers every sdcard filesystem type.
allow adbd sdcard_type:dir create_dir_perms;
allow adbd sdcard_type:file create_file_perms;

# adb pull /data/anr/traces.txt (read-only)
allow adbd anr_data_file:dir r_dir_perms;
allow adbd anr_data_file:file r_file_perms;

# Set service.adb.*, sys.powerctl properties.
# Property sets go through init's property socket; only the two
# property types below may be set.
unix_socket_connect(adbd, property, init)
allow adbd shell_prop:property_service set;
allow adbd powerctl_prop:property_service set;

# Run /system/bin/bu
# NOTE(review): the rule is on the whole system_file type, so it
# permits reading and executing any system_file-labelled file, not only bu.
allow adbd system_file:file rx_file_perms;

# Perform binder IPC to surfaceflinger (screencap)
# XXX Run screencap in a separate domain?
binder_use(adbd)
binder_call(adbd, surfaceflinger)
# b/13188914
allow adbd gpu_device:chr_file rw_file_perms;

# Read /data/misc/adb/adb_keys.
# Read-only: adbd verifies against the key file but must not modify it.
allow adbd adb_keys_file:dir search;
allow adbd adb_keys_file:file r_file_perms;

# userdebug/eng builds only.
userdebug_or_eng(`
  # Write debugging information to /data/adb
  # when persist.adb.trace_mask is set
  # https://code.google.com/p/android/issues/detail?id=72895
  allow adbd adb_data_file:dir rw_dir_perms;
  allow adbd adb_data_file:file create_file_perms;
')

# ndk-gdb invokes adb forward to forward the gdbserver socket.
# connectto on the appdomain attribute lets adbd connect to a unix
# stream socket of any app domain, not just a debuggable one.
allow adbd app_data_file:dir search;
allow adbd app_data_file:sock_file write;
allow adbd appdomain:unix_stream_socket connectto;

# b/18078338 - allow read access to executable types on /system
# to assist with debugging OTA issues.
# exec_type is an attribute over all executable file types; read only.
allow adbd exec_type:file r_file_perms;

# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
# The system_file rule here is already implied by the rx_file_perms
# rule above; kept for clarity of intent.
allow adbd zygote_exec:file r_file_perms;
allow adbd system_file:file r_file_perms;

# Read the currently loaded SELinux policy from the kernel (read-only).
allow adbd kernel:security read_policy;

# Look up surfaceflinger via servicemanager; needed for the
# binder_call(adbd, surfaceflinger) rule above.
allow adbd surfaceflinger_service:service_manager find;
# Read bootchart data files (read-only).
allow adbd bootchart_data_file:dir search;
allow adbd bootchart_data_file:file r_file_perms;

# Allow access to external storage; we have several visible mount points under /storage
# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
# Directory listing and symlink reads only; file contents are covered by
# the sdcard_type rules above.
allow adbd storage_file:dir r_dir_perms;
allow adbd storage_file:lnk_file r_file_perms;
allow adbd mnt_user_file:dir r_dir_perms;
allow adbd mnt_user_file:lnk_file r_file_perms;