# SELinux type-enforcement policy for the adb daemon (adbd).
#
# adbd seclabel is specified in init.rc since
# it lives in the rootfs and has no unique file type
# (there is no adbd_exec type, so no domain_auto_trans on an executable;
# the `rootfs:file entrypoint` rule below is what makes the init.rc
# seclabel valid).
#
# NOTE(review): several grants below are wide (`*` permission sets,
# dac_override/sys_admin, rx on every system_file, noatsecure into shell).
# Each is annotated; tightening any of them needs confirmation against
# actual adbd behaviour / audit logs rather than this file alone.
type adbd, domain, mlstrustedsubject;
# mlstrustedsubject: presumably exempts adbd from MLS constraints so it can
# service processes at any MLS level -- confirm against the MLS constraints.

# USB gadget / emulator transport endpoints.
allow adbd adb_device:chr_file rw_file_perms;
allow adbd qemu_device:chr_file rw_file_perms;

# Capabilities. setuid/setgid are presumably for dropping to the shell uid;
# sys_boot presumably for `adb reboot`. dac_override and sys_admin are broad
# (DAC bypass on every file; mount/remount and much more) -- NOTE(review):
# document the specific operation each one serves, or drop it if unused.
allow adbd self:capability { net_raw setgid setuid dac_override sys_boot sys_admin };

# The adbd binary lives on the rootfs (see header); this lets it be the
# entrypoint of the adbd domain when init applies the seclabel.
allow adbd rootfs:file entrypoint;
# adbd is started by init, so it delivers SIGCHLD to init on exit.
allow adbd init:process sigchld;

# NOTE(review): `*` grants every permission defined for the class, not just
# the ones adbd exercises. Narrowing to the explicit set adbd needs would
# shrink its exposure -- verify the required set from denials before changing.
allow adbd self:tcp_socket *;
allow adbd self:unix_stream_socket *;
# adb-over-TCP: bind on any node and any port type (the generic `port` type
# here covers every TCP port not given a more specific label).
allow adbd node:tcp_socket node_bind;
allow adbd port:tcp_socket name_bind;

# Pseudo-terminals for interactive `adb shell` sessions.
allow adbd devpts:chr_file rw_file_perms;
# Create entries under cgroup dirs (presumably placing spawned shells into a
# scheduling group -- confirm).
allow adbd cgroup:dir { write add_name create };
# `adb remount`: remount of labeled filesystems (paired with sys_admin above).
allow adbd labeledfs:filesystem remount;
# Read/write access to the shell user's data files (e.g. `adb push`/`pull`
# targets owned by the shell uid).
allow adbd shell_data_file:dir rw_dir_perms;
allow adbd shell_data_file:file create_file_perms;
# Framebuffer access, used by screencap (see binder rules below).
allow adbd graphics_device:dir search;
allow adbd graphics_device:chr_file r_file_perms;
# Read the kernel log device (presumably for `adb logcat` -- confirm).
allow adbd log_device:chr_file r_file_perms;

# XXX Run /system/bin/vdc to connect to vold. Run in a separate domain?
# NOTE(review): this grants read+execute on EVERY system_file, and with no
# transition the executed binary runs with adbd's full permissions. A
# dedicated vdc_exec type plus domain_auto_trans would confine this to vdc.
allow adbd system_file:file rx_file_perms;
unix_socket_connect(adbd, vold, vold)
# Talk to init via the property socket.
unix_socket_connect(adbd, property, init)

# Run sh in its own domain (shell_exec -> shell transition).
domain_auto_trans(adbd, shell_exec, shell)
# Do not sanitize the environment of the shell: noatsecure keeps AT_SECURE
# unset across the transition, so the dynamic loader honours environment
# such as LD_PRELOAD / LD_LIBRARY_PATH in the spawned shell.
# NOTE(review): confirm this is still required; it weakens the
# adbd -> shell boundary.
allow adbd shell:process noatsecure;

# Perform binder IPC to surfaceflinger (screencap)
# XXX Run screencap in a separate domain?
binder_use(adbd)
binder_call(adbd, surfaceflinger)