1 ### ADB daemon 2 3 typeattribute adbd coredomain; 4 typeattribute adbd mlstrustedsubject; 5 6 init_daemon_domain(adbd) 7 8 domain_auto_trans(adbd, shell_exec, shell) 9 10 userdebug_or_eng(` 11 allow adbd self:process setcurrent; 12 allow adbd su:process dyntransition; 13 ') 14 15 # Do not sanitize the environment or open fds of the shell. Allow signaling 16 # created processes. 17 allow adbd shell:process { noatsecure signal }; 18 19 # Set UID and GID to shell. Set supplementary groups. 20 allow adbd self:global_capability_class_set { setuid setgid }; 21 22 # Drop capabilities from bounding set on user builds. 23 allow adbd self:global_capability_class_set setpcap; 24 25 # Create and use network sockets. 26 net_domain(adbd) 27 28 # Access /dev/usb-ffs/adb/ep0 29 allow adbd functionfs:dir search; 30 allow adbd functionfs:file rw_file_perms; 31 32 # Use a pseudo tty. 33 allow adbd devpts:chr_file rw_file_perms; 34 35 # adb push/pull /data/local/tmp. 36 allow adbd shell_data_file:dir create_dir_perms; 37 allow adbd shell_data_file:file create_file_perms; 38 39 # adb pull /data/local/traces/* 40 allow adbd trace_data_file:dir r_dir_perms; 41 allow adbd trace_data_file:file r_file_perms; 42 43 # adb pull /data/misc/profman. 44 allow adbd profman_dump_data_file:dir r_dir_perms; 45 allow adbd profman_dump_data_file:file r_file_perms; 46 47 # adb push/pull sdcard. 48 allow adbd tmpfs:dir search; 49 allow adbd rootfs:lnk_file r_file_perms; # /sdcard symlink 50 allow adbd tmpfs:lnk_file r_file_perms; # /mnt/sdcard symlink 51 allow adbd sdcard_type:dir create_dir_perms; 52 allow adbd sdcard_type:file create_file_perms; 53 54 # adb pull /data/anr/traces.txt 55 allow adbd anr_data_file:dir r_dir_perms; 56 allow adbd anr_data_file:file r_file_perms; 57 58 # Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties. 59 set_prop(adbd, shell_prop) 60 set_prop(adbd, powerctl_prop) 61 set_prop(adbd, ffs_prop) 62 set_prop(adbd, exported_ffs_prop) 63 64 # Access device logging gating property 65 get_prop(adbd, device_logging_prop) 66 67 # Read device's serial number from system properties 68 get_prop(adbd, serialno_prop) 69 70 # Run /system/bin/bu 71 allow adbd system_file:file rx_file_perms; 72 73 # Perform binder IPC to surfaceflinger (screencap) 74 # XXX Run screencap in a separate domain? 75 binder_use(adbd) 76 binder_call(adbd, surfaceflinger) 77 # b/13188914 78 allow adbd gpu_device:chr_file rw_file_perms; 79 allow adbd ion_device:chr_file rw_file_perms; 80 r_dir_file(adbd, system_file) 81 82 # Needed for various screenshots 83 hal_client_domain(adbd, hal_graphics_allocator) 84 85 # Read /data/misc/adb/adb_keys. 86 allow adbd adb_keys_file:dir search; 87 allow adbd adb_keys_file:file r_file_perms; 88 89 userdebug_or_eng(` 90 # Write debugging information to /data/adb 91 # when persist.adb.trace_mask is set 92 # https://code.google.com/p/android/issues/detail?id=72895 93 allow adbd adb_data_file:dir rw_dir_perms; 94 allow adbd adb_data_file:file create_file_perms; 95 ') 96 97 # ndk-gdb invokes adb forward to forward the gdbserver socket. 98 allow adbd app_data_file:dir search; 99 allow adbd app_data_file:sock_file write; 100 allow adbd appdomain:unix_stream_socket connectto; 101 102 # ndk-gdb invokes adb pull of app_process, linker, and libc.so. 103 allow adbd zygote_exec:file r_file_perms; 104 allow adbd system_file:file r_file_perms; 105 106 # Allow pulling the SELinux policy for CTS purposes 107 allow adbd selinuxfs:dir r_dir_perms; 108 allow adbd selinuxfs:file r_file_perms; 109 allow adbd kernel:security read_policy; 110 allow adbd service_contexts_file:file r_file_perms; 111 allow adbd file_contexts_file:file r_file_perms; 112 allow adbd seapp_contexts_file:file r_file_perms; 113 allow adbd property_contexts_file:file r_file_perms; 114 allow adbd sepolicy_file:file r_file_perms; 115 116 # Allow pulling config.gz for CTS purposes 117 allow adbd config_gz:file r_file_perms; 118 119 allow adbd surfaceflinger_service:service_manager find; 120 allow adbd bootchart_data_file:dir search; 121 allow adbd bootchart_data_file:file r_file_perms; 122 123 # Allow access to external storage; we have several visible mount points under /storage 124 # and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary 125 allow adbd storage_file:dir r_dir_perms; 126 allow adbd storage_file:lnk_file r_file_perms; 127 allow adbd mnt_user_file:dir r_dir_perms; 128 allow adbd mnt_user_file:lnk_file r_file_perms; 129 130 # Access to /data/media. 131 # This should be removed if sdcardfs is modified to alter the secontext for its 132 # accesses to the underlying FS. 133 allow adbd media_rw_data_file:dir create_dir_perms; 134 allow adbd media_rw_data_file:file create_file_perms; 135 136 r_dir_file(adbd, apk_data_file) 137 138 allow adbd rootfs:dir r_dir_perms; 139 140 ### 141 ### Neverallow rules 142 ### 143 144 # No transitions from adbd to non-shell, non-crash_dump domains. adbd only ever 145 # transitions to the shell domain (except when it crashes). In particular, we 146 # never want to see a transition from adbd to su (aka "adb root") 147 neverallow adbd { domain -crash_dump -shell }:process transition; 148 neverallow adbd { domain userdebug_or_eng(`-su') }:process dyntransition; 149