# adbd seclabel is specified in init.rc since
# it lives in the rootfs and has no unique file type.
type adbd, domain;

# userdebug/eng builds only: setcurrent lets adbd rewrite its own security
# context, and dyntransition lets it move into the su domain without an
# exec. Neither rule is present on user builds.
userdebug_or_eng(`
allow adbd self:process setcurrent;
allow adbd su:process dyntransition;
')

# Executing shell_exec from adbd lands in the shell domain, so "adb shell"
# sessions do not run with adbd's own permissions.
domain_auto_trans(adbd, shell_exec, shell)

# Do not sanitize the environment or open fds of the shell.
allow adbd shell:process noatsecure;

# Set UID and GID to shell. Set supplementary groups.
allow adbd self:capability { setuid setgid };

# Drop capabilities from bounding set on user builds.
allow adbd self:capability setpcap;

# Create and use network sockets.
net_domain(adbd)

# Access /dev/android_adb or /dev/usb-ffs/adb/ep0
allow adbd adb_device:chr_file rw_file_perms;
allow adbd functionfs:dir search;
allow adbd functionfs:file rw_file_perms;

# Use a pseudo tty.
allow adbd devpts:chr_file rw_file_perms;

# adb push/pull /data/local/tmp.
allow adbd shell_data_file:dir create_dir_perms;
allow adbd shell_data_file:file create_file_perms;

# adb push/pull sdcard.
allow adbd sdcard_type:dir create_dir_perms;
allow adbd sdcard_type:file create_file_perms;

# adb pull /data/anr/traces.txt
# Read-only: adbd gets r_*_perms here, no write or create on ANR traces.
allow adbd anr_data_file:dir r_dir_perms;
allow adbd anr_data_file:file r_file_perms;

# Set service.adb.*, sys.powerctl properties.
# Property writes go through init's property socket; the two set rules
# below scope adbd to the shell_prop and powerctl_prop types only.
unix_socket_connect(adbd, property, init)
allow adbd shell_prop:property_service set;
allow adbd powerctl_prop:property_service set;

# Run /system/bin/bu
allow adbd system_file:file rx_file_perms;

# Perform binder IPC to surfaceflinger (screencap)
# XXX Run screencap in a separate domain?
binder_use(adbd)
binder_call(adbd, surfaceflinger)
# b/13188914
# NOTE(review): this grants adbd itself read/write on the GPU device node;
# the bug id above is the only rationale recorded in this file.
allow adbd gpu_device:chr_file rw_file_perms;

# Read /data/misc/adb/adb_keys.
# Read-only by design: adbd is not given write access to its own
# authorized-key list.
allow adbd adb_keys_file:dir search;
allow adbd adb_keys_file:file r_file_perms;

userdebug_or_eng(`
# Write debugging information to /data/adb
# when persist.adb.trace_mask is set
# https://code.google.com/p/android/issues/detail?id=72895
allow adbd adb_data_file:dir rw_dir_perms;
allow adbd adb_data_file:file create_file_perms;
')

# ndk-gdb invokes adb forward to forward the gdbserver socket.
# NOTE(review): connectto is granted against the whole appdomain attribute,
# not only debuggable apps; this file carries no narrower type for it.
allow adbd app_data_file:dir search;
allow adbd app_data_file:sock_file write;
allow adbd appdomain:unix_stream_socket connectto;

# b/18078338 - allow read access to executable types on /system
# to assist with debugging OTA issues.
allow adbd exec_type:file r_file_perms;

# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
allow adbd zygote_exec:file r_file_perms;
# NOTE(review): redundant with the rx_file_perms rule on system_file above
# (rx_file_perms is a superset of r_file_perms); harmless, but the two
# rules could be consolidated.
allow adbd system_file:file r_file_perms;

# Let adbd read the loaded kernel policy (the selinuxfs policy file).
# NOTE(review): no rationale is recorded in this file for this rule;
# confirm which adb operation needs it before keeping it.
allow adbd kernel:security read_policy;