Skip to content
Snippets Groups Projects
Normal view History Permalink
adbd.te 4.18 KiB
Newer Older
Alex Klyubin's avatar
Move adbd policy to private  
Alex Klyubin committed
1 2 3 4 
### ADB daemon

typeattribute adbd mlstrustedsubject;
dcashman's avatar
Split general policy into public and private components.
dcashman committed
5 
domain_auto_trans(adbd, shell_exec, shell)
Alex Klyubin's avatar
Move adbd policy to private  
Alex Klyubin committed
6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 

userdebug_or_eng(`
  allow adbd self:process setcurrent;
  allow adbd su:process dyntransition;
')

# Do not sanitize the environment or open fds of the shell. Allow signaling
# created processes.
allow adbd shell:process { noatsecure signal };

# Set UID and GID to shell.  Set supplementary groups.
allow adbd self:capability { setuid setgid };

# Drop capabilities from bounding set on user builds.
allow adbd self:capability setpcap;

# Create and use network sockets.
net_domain(adbd)

# Access /dev/usb-ffs/adb/ep0
allow adbd functionfs:dir search;
allow adbd functionfs:file rw_file_perms;

# Use a pseudo tty.
allow adbd devpts:chr_file rw_file_perms;

# adb push/pull /data/local/tmp.
allow adbd shell_data_file:dir create_dir_perms;
allow adbd shell_data_file:file create_file_perms;

# adb pull /data/misc/profman.
allow adbd profman_dump_data_file:dir r_dir_perms;
allow adbd profman_dump_data_file:file r_file_perms;

# adb push/pull sdcard.
allow adbd tmpfs:dir search;
allow adbd rootfs:lnk_file r_file_perms;  # /sdcard symlink
allow adbd tmpfs:lnk_file r_file_perms;   # /mnt/sdcard symlink
allow adbd sdcard_type:dir create_dir_perms;
allow adbd sdcard_type:file create_file_perms;

# adb pull /data/anr/traces.txt
allow adbd anr_data_file:dir r_dir_perms;
allow adbd anr_data_file:file r_file_perms;

# Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
set_prop(adbd, shell_prop)
set_prop(adbd, powerctl_prop)
set_prop(adbd, ffs_prop)

# Access device logging gating property
get_prop(adbd, device_logging_prop)

# Read device's serial number from system properties
get_prop(adbd, serialno_prop)

# Run /system/bin/bu
allow adbd system_file:file rx_file_perms;

# Perform binder IPC to surfaceflinger (screencap)
# XXX Run screencap in a separate domain?
binder_use(adbd)
binder_call(adbd, surfaceflinger)
# b/13188914
allow adbd gpu_device:chr_file rw_file_perms;
allow adbd ion_device:chr_file rw_file_perms;
r_dir_file(adbd, system_file)
Chia-I Wu's avatar
Allow adbd to use graphics fds  
Chia-I Wu committed
73 74 75 
# Needed for Android Studio screenshot
hwbinder_use(adbd)
allow adbd hal_graphics_allocator:fd use;
Alex Klyubin's avatar
Move adbd policy to private  
Alex Klyubin committed
76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 

# Read /data/misc/adb/adb_keys.
allow adbd adb_keys_file:dir search;
allow adbd adb_keys_file:file r_file_perms;

userdebug_or_eng(`
  # Write debugging information to /data/adb
  # when persist.adb.trace_mask is set
  # https://code.google.com/p/android/issues/detail?id=72895
  allow adbd adb_data_file:dir rw_dir_perms;
  allow adbd adb_data_file:file create_file_perms;
')

# ndk-gdb invokes adb forward to forward the gdbserver socket.
allow adbd app_data_file:dir search;
allow adbd app_data_file:sock_file write;
allow adbd appdomain:unix_stream_socket connectto;

# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
allow adbd zygote_exec:file r_file_perms;
allow adbd system_file:file r_file_perms;

# Allow pulling the SELinux policy for CTS purposes
allow adbd selinuxfs:dir r_dir_perms;
allow adbd selinuxfs:file r_file_perms;
allow adbd kernel:security read_policy;

allow adbd surfaceflinger_service:service_manager find;
allow adbd bootchart_data_file:dir search;
allow adbd bootchart_data_file:file r_file_perms;

# Allow access to external storage; we have several visible mount points under /storage
# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
allow adbd storage_file:dir r_dir_perms;
allow adbd storage_file:lnk_file r_file_perms;
allow adbd mnt_user_file:dir r_dir_perms;
allow adbd mnt_user_file:lnk_file r_file_perms;

# Access to /data/media.
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
allow adbd media_rw_data_file:dir create_dir_perms;
allow adbd media_rw_data_file:file create_file_perms;

r_dir_file(adbd, apk_data_file)

allow adbd rootfs:dir r_dir_perms;

###
### Neverallow rules
###

# No transitions from adbd to non-shell, non-crash_dump domains. adbd only ever
# transitions to the shell domain (except when it crashes). In particular, we
# never want to see a transition from adbd to su (aka "adb root")
neverallow adbd { domain -crash_dump -shell }:process transition;
neverallow adbd { domain userdebug_or_eng(`-su') }:process dyntransition;