Stephen Smalley | 2dd4e51 | 2012-01-04 12:33:27 -0500 | [diff] [blame] | 1 | # adbd seclabel is specified in init.rc since |
| 2 | # it lives in the rootfs and has no unique file type. |
| 3 | type adbd, domain, mlstrustedsubject; |
| 4 | allow adbd adb_device:chr_file rw_file_perms; |
Stephen Smalley | 2cb1b31 | 2012-04-03 15:30:28 -0400 | [diff] [blame] | 5 | allow adbd qemu_device:chr_file rw_file_perms; |
Stephen Smalley | 2dd4e51 | 2012-01-04 12:33:27 -0500 | [diff] [blame] | 6 | allow adbd self:capability { net_raw setgid setuid dac_override sys_boot sys_admin }; |
| 7 | allow adbd rootfs:file entrypoint; |
| 8 | allow adbd init:process sigchld; |
| 9 | allow adbd self:tcp_socket *; |
| 10 | allow adbd self:unix_stream_socket *; |
| 11 | allow adbd node:tcp_socket node_bind; |
| 12 | allow adbd port:tcp_socket name_bind; |
| 13 | allow adbd devpts:chr_file rw_file_perms; |
| 14 | allow adbd cgroup:dir { write add_name create }; |
| 15 | allow adbd labeledfs:filesystem remount; |
| 16 | allow adbd shell_data_file:dir rw_dir_perms; |
| 17 | allow adbd shell_data_file:file create_file_perms; |
| 18 | allow adbd graphics_device:dir search; |
| 19 | allow adbd graphics_device:chr_file r_file_perms; |
| 20 | allow adbd log_device:chr_file r_file_perms; |
| 21 | # XXX Run /system/bin/vdc to connect to vold. Run in a separate domain? |
| 22 | allow adbd system_file:file rx_file_perms; |
| 23 | unix_socket_connect(adbd, vold, vold) |
| 24 | # Talk to init via the property socket. |
| 25 | unix_socket_connect(adbd, property, init) |
| 26 | |
Stephen Smalley | c83d008 | 2012-03-07 14:59:01 -0500 | [diff] [blame] | 27 | # Run sh in its own domain. |
| 28 | domain_auto_trans(adbd, shell_exec, shell) |
| 29 | # Do not sanitize the environment of the shell. |
| 30 | allow adbd shell:process noatsecure; |
Stephen Smalley | 6261d6d | 2012-01-12 08:57:50 -0500 | [diff] [blame] | 31 | |
Stephen Smalley | 2dd4e51 | 2012-01-04 12:33:27 -0500 | [diff] [blame] | 32 | # Perform binder IPC to surfaceflinger (screencap) |
| 33 | # XXX Run screencap in a separate domain? |
| 34 | binder_use(adbd) |
| 35 | binder_call(adbd, surfaceflinger) |