Home | History | Annotate | Download | only in sepolicy 
      1 # adbd seclabel is specified in init.rc since
      2 # it lives in the rootfs and has no unique file type.
      3 type adbd, domain, mlstrustedsubject;
      4 
      5 userdebug_or_eng(`
      6   allow adbd self:process setcurrent;
      7   allow adbd su:process dyntransition;
      8 ')
      9 
     10 domain_auto_trans(adbd, shell_exec, shell)
     11 
     12 # Do not sanitize the environment or open fds of the shell. Allow signaling
     13 # created processes.
     14 allow adbd shell:process { noatsecure signal };
     15 
     16 # Set UID and GID to shell.  Set supplementary groups.
     17 allow adbd self:capability { setuid setgid };
     18 
     19 # Drop capabilities from bounding set on user builds.
     20 allow adbd self:capability setpcap;
     21 
     22 # Create and use network sockets.
     23 net_domain(adbd)
     24 
     25 # Access /dev/android_adb or /dev/usb-ffs/adb/ep0
     26 allow adbd adb_device:chr_file rw_file_perms;
     27 allow adbd functionfs:dir search;
     28 allow adbd functionfs:file rw_file_perms;
     29 
     30 # Use a pseudo tty.
     31 allow adbd devpts:chr_file rw_file_perms;
     32 
     33 # adb push/pull /data/local/tmp.
     34 allow adbd shell_data_file:dir create_dir_perms;
     35 allow adbd shell_data_file:file create_file_perms;
     36 
     37 # adb pull /data/misc/profman.
     38 allow adbd profman_dump_data_file:dir r_dir_perms;
     39 allow adbd profman_dump_data_file:file r_file_perms;
     40 
     41 # adb push/pull sdcard.
     42 allow adbd tmpfs:dir search;
     43 allow adbd rootfs:lnk_file r_file_perms;  # /sdcard symlink
     44 allow adbd tmpfs:lnk_file r_file_perms;   # /mnt/sdcard symlink
     45 allow adbd sdcard_type:dir create_dir_perms;
     46 allow adbd sdcard_type:file create_file_perms;
     47 
     48 # adb pull /data/anr/traces.txt
     49 allow adbd anr_data_file:dir r_dir_perms;
     50 allow adbd anr_data_file:file r_file_perms;
     51 
     52 # Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
     53 set_prop(adbd, shell_prop)
     54 set_prop(adbd, powerctl_prop)
     55 set_prop(adbd, ffs_prop)
     56 
     57 # Access device logging gating property
     58 get_prop(adbd, device_logging_prop)
     59 
     60 # Run /system/bin/bu
     61 allow adbd system_file:file rx_file_perms;
     62 
     63 # Perform binder IPC to surfaceflinger (screencap)
     64 # XXX Run screencap in a separate domain?
     65 binder_use(adbd)
     66 binder_call(adbd, surfaceflinger)
     67 # b/13188914
     68 allow adbd gpu_device:chr_file rw_file_perms;
     69 allow adbd ion_device:chr_file rw_file_perms;
     70 r_dir_file(adbd, system_file)
     71 
     72 # Read /data/misc/adb/adb_keys.
     73 allow adbd adb_keys_file:dir search;
     74 allow adbd adb_keys_file:file r_file_perms;
     75 
     76 userdebug_or_eng(`
     77   # Write debugging information to /data/adb
     78   # when persist.adb.trace_mask is set
     79   # https://code.google.com/p/android/issues/detail?id=72895
     80   allow adbd adb_data_file:dir rw_dir_perms;
     81   allow adbd adb_data_file:file create_file_perms;
     82 ')
     83 
     84 # ndk-gdb invokes adb forward to forward the gdbserver socket.
     85 allow adbd { app_data_file autoplay_data_file }:dir search;
     86 allow adbd { app_data_file autoplay_data_file }:sock_file write;
     87 allow adbd { appdomain autoplay_app }:unix_stream_socket connectto;
     88 
     89 # ndk-gdb invokes adb pull of app_process, linker, and libc.so.
     90 allow adbd zygote_exec:file r_file_perms;
     91 allow adbd system_file:file r_file_perms;
     92 
     93 # Allow pulling the SELinux policy for CTS purposes
     94 allow adbd selinuxfs:dir r_dir_perms;
     95 allow adbd selinuxfs:file r_file_perms;
     96 allow adbd kernel:security read_policy;
     97 
     98 allow adbd surfaceflinger_service:service_manager find;
     99 allow adbd bootchart_data_file:dir search;
    100 allow adbd bootchart_data_file:file r_file_perms;
    101 
    102 # Allow access to external storage; we have several visible mount points under /storage
    103 # and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
    104 allow adbd storage_file:dir r_dir_perms;
    105 allow adbd storage_file:lnk_file r_file_perms;
    106 allow adbd mnt_user_file:dir r_dir_perms;
    107 allow adbd mnt_user_file:lnk_file r_file_perms;
    108 
    109 # Access to /data/media.
    110 # This should be removed if sdcardfs is modified to alter the secontext for its
    111 # accesses to the underlying FS.
    112 allow adbd media_rw_data_file:dir create_dir_perms;
    113 allow adbd media_rw_data_file:file create_file_perms;
    114 
    115 r_dir_file(adbd, apk_data_file)
    116