1 # adbd seclabel is specified in init.rc since 2 # it lives in the rootfs and has no unique file type. 3 type adbd, domain; 4 5 userdebug_or_eng(` 6 allow adbd self:process setcurrent; 7 allow adbd su:process dyntransition; 8 ') 9 10 domain_auto_trans(adbd, shell_exec, shell) 11 12 # Do not sanitize the environment or open fds of the shell. 13 allow adbd shell:process noatsecure; 14 15 # Set UID and GID to shell. Set supplementary groups. 16 allow adbd self:capability { setuid setgid }; 17 18 # Drop capabilities from bounding set on user builds. 19 allow adbd self:capability setpcap; 20 21 # Create and use network sockets. 22 net_domain(adbd) 23 24 # Access /dev/android_adb or /dev/usb-ffs/adb/ep0 25 allow adbd adb_device:chr_file rw_file_perms; 26 allow adbd functionfs:dir search; 27 allow adbd functionfs:file rw_file_perms; 28 29 # Use a pseudo tty. 30 allow adbd devpts:chr_file rw_file_perms; 31 32 # adb push/pull /data/local/tmp. 33 allow adbd shell_data_file:dir create_dir_perms; 34 allow adbd shell_data_file:file create_file_perms; 35 36 # adb push/pull sdcard. 37 allow adbd sdcard_type:dir create_dir_perms; 38 allow adbd sdcard_type:file create_file_perms; 39 40 # adb pull /data/anr/traces.txt 41 allow adbd anr_data_file:dir r_dir_perms; 42 allow adbd anr_data_file:file r_file_perms; 43 44 # Set service.adb.*, sys.powerctl properties. 45 unix_socket_connect(adbd, property, init) 46 allow adbd shell_prop:property_service set; 47 allow adbd powerctl_prop:property_service set; 48 49 # Run /system/bin/bu 50 allow adbd system_file:file rx_file_perms; 51 52 # Perform binder IPC to surfaceflinger (screencap) 53 # XXX Run screencap in a separate domain? 54 binder_use(adbd) 55 binder_call(adbd, surfaceflinger) 56 # b/13188914 57 allow adbd gpu_device:chr_file rw_file_perms; 58 59 # Read /data/misc/adb/adb_keys. 60 allow adbd adb_keys_file:dir search; 61 allow adbd adb_keys_file:file r_file_perms; 62 63 userdebug_or_eng(` 64 # Write debugging information to /data/adb 65 # when persist.adb.trace_mask is set 66 # https://code.google.com/p/android/issues/detail?id=72895 67 allow adbd adb_data_file:dir rw_dir_perms; 68 allow adbd adb_data_file:file create_file_perms; 69 ') 70 71 # ndk-gdb invokes adb forward to forward the gdbserver socket. 72 allow adbd app_data_file:dir search; 73 allow adbd app_data_file:sock_file write; 74 allow adbd appdomain:unix_stream_socket connectto; 75 76 # b/18078338 - allow read access to executable types on /system 77 # to assist with debugging OTA issues. 78 allow adbd exec_type:file r_file_perms; 79 80 # ndk-gdb invokes adb pull of app_process, linker, and libc.so. 81 allow adbd zygote_exec:file r_file_perms; 82 allow adbd system_file:file r_file_perms; 83 84 allow adbd kernel:security read_policy; 85