Home | History | Annotate | Download | only in sepolicy 
      1 # adbd seclabel is specified in init.rc since
      2 # it lives in the rootfs and has no unique file type.
      3 type adbd, domain;
      4 
      5 userdebug_or_eng(`
      6   allow adbd self:process setcurrent;
      7   allow adbd su:process dyntransition;
      8 ')
      9 
     10 domain_auto_trans(adbd, shell_exec, shell)
     11 
     12 # Do not sanitize the environment or open fds of the shell.
     13 allow adbd shell:process noatsecure;
     14 
     15 # Set UID and GID to shell.  Set supplementary groups.
     16 allow adbd self:capability { setuid setgid };
     17 
     18 # Drop capabilities from bounding set on user builds.
     19 allow adbd self:capability setpcap;
     20 
     21 # Create and use network sockets.
     22 net_domain(adbd)
     23 
     24 # Access /dev/android_adb or /dev/usb-ffs/adb/ep0
     25 allow adbd adb_device:chr_file rw_file_perms;
     26 allow adbd functionfs:dir search;
     27 allow adbd functionfs:file rw_file_perms;
     28 
     29 # Use a pseudo tty.
     30 allow adbd devpts:chr_file rw_file_perms;
     31 
     32 # adb push/pull /data/local/tmp.
     33 allow adbd shell_data_file:dir create_dir_perms;
     34 allow adbd shell_data_file:file create_file_perms;
     35 
     36 # adb push/pull sdcard.
     37 allow adbd sdcard_type:dir create_dir_perms;
     38 allow adbd sdcard_type:file create_file_perms;
     39 
     40 # adb pull /data/anr/traces.txt
     41 allow adbd anr_data_file:dir r_dir_perms;
     42 allow adbd anr_data_file:file r_file_perms;
     43 
     44 # Set service.adb.*, sys.powerctl properties.
     45 unix_socket_connect(adbd, property, init)
     46 allow adbd shell_prop:property_service set;
     47 allow adbd powerctl_prop:property_service set;
     48 
     49 # Run /system/bin/bu
     50 allow adbd system_file:file rx_file_perms;
     51 
     52 # Perform binder IPC to surfaceflinger (screencap)
     53 # XXX Run screencap in a separate domain?
     54 binder_use(adbd)
     55 binder_call(adbd, surfaceflinger)
     56 # b/13188914
     57 allow adbd gpu_device:chr_file rw_file_perms;
     58 
     59 # Read /data/misc/adb/adb_keys.
     60 allow adbd adb_keys_file:dir search;
     61 allow adbd adb_keys_file:file r_file_perms;
     62 
     63 # ndk-gdb invokes adb forward to forward the gdbserver socket.
     64 allow adbd app_data_file:dir search;
     65 allow adbd app_data_file:sock_file write;
     66 allow adbd appdomain:unix_stream_socket connectto;
     67 
     68 # b/18078338 - allow read access to executable types on /system
     69 # to assist with debugging OTA issues.
     70 allow adbd exec_type:file r_file_perms;
     71 
     72 # ndk-gdb invokes adb pull of app_process, linker, and libc.so.
     73 allow adbd zygote_exec:file r_file_perms;
     74 allow adbd system_file:file r_file_perms;
     75 
     76 allow adbd kernel:security read_policy;
     77