Home | History | Annotate | Download | only in private 
      1 ### ADB daemon
      2 
      3 typeattribute adbd coredomain;
      4 typeattribute adbd mlstrustedsubject;
      5 
      6 init_daemon_domain(adbd)
      7 
      8 domain_auto_trans(adbd, shell_exec, shell)
      9 
     10 userdebug_or_eng(`
     11   allow adbd self:process setcurrent;
     12   allow adbd su:process dyntransition;
     13 ')
     14 
     15 # Do not sanitize the environment or open fds of the shell. Allow signaling
     16 # created processes.
     17 allow adbd shell:process { noatsecure signal };
     18 
     19 # Set UID and GID to shell.  Set supplementary groups.
     20 allow adbd self:capability { setuid setgid };
     21 
     22 # Drop capabilities from bounding set on user builds.
     23 allow adbd self:capability setpcap;
     24 
     25 # Create and use network sockets.
     26 net_domain(adbd)
     27 
     28 # Access /dev/usb-ffs/adb/ep0
     29 allow adbd functionfs:dir search;
     30 allow adbd functionfs:file rw_file_perms;
     31 
     32 # Use a pseudo tty.
     33 allow adbd devpts:chr_file rw_file_perms;
     34 
     35 # adb push/pull /data/local/tmp.
     36 allow adbd shell_data_file:dir create_dir_perms;
     37 allow adbd shell_data_file:file create_file_perms;
     38 
     39 # adb pull /data/misc/profman.
     40 allow adbd profman_dump_data_file:dir r_dir_perms;
     41 allow adbd profman_dump_data_file:file r_file_perms;
     42 
     43 # adb push/pull sdcard.
     44 allow adbd tmpfs:dir search;
     45 allow adbd rootfs:lnk_file r_file_perms;  # /sdcard symlink
     46 allow adbd tmpfs:lnk_file r_file_perms;   # /mnt/sdcard symlink
     47 allow adbd sdcard_type:dir create_dir_perms;
     48 allow adbd sdcard_type:file create_file_perms;
     49 
     50 # adb pull /data/anr/traces.txt
     51 allow adbd anr_data_file:dir r_dir_perms;
     52 allow adbd anr_data_file:file r_file_perms;
     53 
     54 # Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
     55 set_prop(adbd, shell_prop)
     56 set_prop(adbd, powerctl_prop)
     57 set_prop(adbd, ffs_prop)
     58 
     59 # Access device logging gating property
     60 get_prop(adbd, device_logging_prop)
     61 
     62 # Read device's serial number from system properties
     63 get_prop(adbd, serialno_prop)
     64 
     65 # Run /system/bin/bu
     66 allow adbd system_file:file rx_file_perms;
     67 
     68 # Perform binder IPC to surfaceflinger (screencap)
     69 # XXX Run screencap in a separate domain?
     70 binder_use(adbd)
     71 binder_call(adbd, surfaceflinger)
     72 # b/13188914
     73 allow adbd gpu_device:chr_file rw_file_perms;
     74 allow adbd ion_device:chr_file rw_file_perms;
     75 r_dir_file(adbd, system_file)
     76 
     77 # Needed for various screenshots
     78 hal_client_domain(adbd, hal_graphics_allocator)
     79 
     80 # Read /data/misc/adb/adb_keys.
     81 allow adbd adb_keys_file:dir search;
     82 allow adbd adb_keys_file:file r_file_perms;
     83 
     84 userdebug_or_eng(`
     85   # Write debugging information to /data/adb
     86   # when persist.adb.trace_mask is set
     87   # https://code.google.com/p/android/issues/detail?id=72895
     88   allow adbd adb_data_file:dir rw_dir_perms;
     89   allow adbd adb_data_file:file create_file_perms;
     90 ')
     91 
     92 # ndk-gdb invokes adb forward to forward the gdbserver socket.
     93 allow adbd app_data_file:dir search;
     94 allow adbd app_data_file:sock_file write;
     95 allow adbd appdomain:unix_stream_socket connectto;
     96 
     97 # ndk-gdb invokes adb pull of app_process, linker, and libc.so.
     98 allow adbd zygote_exec:file r_file_perms;
     99 allow adbd system_file:file r_file_perms;
    100 
    101 # Allow pulling the SELinux policy for CTS purposes
    102 allow adbd selinuxfs:dir r_dir_perms;
    103 allow adbd selinuxfs:file r_file_perms;
    104 allow adbd kernel:security read_policy;
    105 allow adbd service_contexts_file:file r_file_perms;
    106 allow adbd file_contexts_file:file r_file_perms;
    107 allow adbd seapp_contexts_file:file r_file_perms;
    108 allow adbd property_contexts_file:file r_file_perms;
    109 allow adbd sepolicy_file:file r_file_perms;
    110 
    111 # Allow pulling config.gz for CTS purposes
    112 allow adbd config_gz:file r_file_perms;
    113 
    114 allow adbd surfaceflinger_service:service_manager find;
    115 allow adbd bootchart_data_file:dir search;
    116 allow adbd bootchart_data_file:file r_file_perms;
    117 
    118 # Allow access to external storage; we have several visible mount points under /storage
    119 # and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
    120 allow adbd storage_file:dir r_dir_perms;
    121 allow adbd storage_file:lnk_file r_file_perms;
    122 allow adbd mnt_user_file:dir r_dir_perms;
    123 allow adbd mnt_user_file:lnk_file r_file_perms;
    124 
    125 # Access to /data/media.
    126 # This should be removed if sdcardfs is modified to alter the secontext for its
    127 # accesses to the underlying FS.
    128 allow adbd media_rw_data_file:dir create_dir_perms;
    129 allow adbd media_rw_data_file:file create_file_perms;
    130 
    131 r_dir_file(adbd, apk_data_file)
    132 
    133 allow adbd rootfs:dir r_dir_perms;
    134 
    135 ###
    136 ### Neverallow rules
    137 ###
    138 
    139 # No transitions from adbd to non-shell, non-crash_dump domains. adbd only ever
    140 # transitions to the shell domain (except when it crashes). In particular, we
    141 # never want to see a transition from adbd to su (aka "adb root")
    142 neverallow adbd { domain -crash_dump -shell }:process transition;
    143 neverallow adbd { domain userdebug_or_eng(`-su') }:process dyntransition;
    144