# SELinux domain for adbd, the on-device side of the adb bridge.
#
# adbd seclabel is specified in init.rc since
# it lives in the rootfs and has no unique file type.
type adbd, domain;

# Debug-build-only rules: present on userdebug/eng, compiled out on user.
# setcurrent plus dyntransition lets adbd re-label itself into the su
# domain without an exec; presumably this is the adb root path - confirm
# against the adbd source. Keep this gated so a user build has no route
# from adbd into su.
userdebug_or_eng(`
  allow adbd self:process setcurrent;
  allow adbd su:process dyntransition;
')

# Executing a shell_exec binary moves the child into the shell domain.
domain_auto_trans(adbd, shell_exec, shell)

# Do not sanitize the environment or open fds of the shell.
# NOTE(review): the spawned shell therefore inherits whatever environment
# and descriptors adbd hands it; nothing sensitive should be left open
# in adbd at the point of the transition.
allow adbd shell:process noatsecure;

# Set UID and GID to shell.  Set supplementary groups.
allow adbd self:capability { setuid setgid };

# Drop capabilities from bounding set on user builds.
# The grant itself is unconditional (not wrapped in userdebug_or_eng);
# the comment describes when adbd makes use of it, not when it is granted.
allow adbd self:capability setpcap;

# Create and use network sockets.
net_domain(adbd)

# Access /dev/android_adb or /dev/usb-ffs/adb/ep0
# (USB transport: the legacy adb gadget char device, or the FunctionFS
# directory and endpoint files).
allow adbd adb_device:chr_file rw_file_perms;
allow adbd functionfs:dir search;
allow adbd functionfs:file rw_file_perms;

# Use a pseudo tty.
allow adbd devpts:chr_file rw_file_perms;

# adb push/pull /data/local/tmp.
allow adbd shell_data_file:dir create_dir_perms;
allow adbd shell_data_file:file create_file_perms;

# adb push/pull sdcard.
allow adbd sdcard_type:dir create_dir_perms;
allow adbd sdcard_type:file create_file_perms;

# adb pull /data/anr/traces.txt
# Read-only: adbd is not given create or write access to ANR traces.
allow adbd anr_data_file:dir r_dir_perms;
allow adbd anr_data_file:file r_file_perms;

# Set service.adb.*, sys.powerctl properties.
# Property writes go through the init property service socket, and only
# the shell_prop and powerctl_prop sets may be written. powerctl_prop is
# the sys.powerctl trigger (presumably adb reboot), so this set should not
# be widened casually.
unix_socket_connect(adbd, property, init)
allow adbd shell_prop:property_service set;
allow adbd powerctl_prop:property_service set;

# Run /system/bin/bu
allow adbd system_file:file rx_file_perms;

# Perform binder IPC to surfaceflinger (screencap)
# XXX Run screencap in a separate domain?
binder_use(adbd)
binder_call(adbd, surfaceflinger)
# b/13188914
# Direct read/write on the GPU device node, justified only by the bug
# reference above; presumably needed by the screencap path. Worth
# re-checking whether it is still required, since it exposes the GPU
# driver interface to adbd.
allow adbd gpu_device:chr_file rw_file_perms;

# Read /data/misc/adb/adb_keys.
# Read-only: the authorized-key list is consulted from this domain but
# cannot be modified by it.
allow adbd adb_keys_file:dir search;
allow adbd adb_keys_file:file r_file_perms;

userdebug_or_eng(`
  # Write debugging information to /data/adb
  # when persist.adb.trace_mask is set
  # https://code.google.com/p/android/issues/detail?id=72895
  # Debug builds only; user builds get no write access to adb_data_file.
  allow adbd adb_data_file:dir rw_dir_perms;
  allow adbd adb_data_file:file create_file_perms;
')

# ndk-gdb invokes adb forward to forward the gdbserver socket.
# adbd may traverse app data directories, write to app-owned unix socket
# files and connect to stream sockets of any app domain. This is broad
# (all of appdomain, not only debuggable apps); the policy cannot tell
# debuggable apps apart here, so presumably that check lives in adbd or
# the app - TODO confirm.
allow adbd app_data_file:dir search;
allow adbd app_data_file:sock_file write;
allow adbd appdomain:unix_stream_socket connectto;

# b/18078338 - allow read access to executable types on /system
# to assist with debugging OTA issues.
allow adbd exec_type:file r_file_perms;

# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
# NOTE(review): system_file:file r_file_perms is presumably already
# implied by the rx_file_perms rule above (for /system/bin/bu); it is
# kept here so the ndk-gdb use case is documented explicitly.
allow adbd zygote_exec:file r_file_perms;
allow adbd system_file:file r_file_perms;

# Allow adbd to read the currently loaded kernel policy.
allow adbd kernel:security read_policy;
     85