      1 ### ADB daemon (adbd) domain policy
      2 
      3 typeattribute adbd coredomain;  # adbd belongs to the core platform set of domains
      4 typeattribute adbd mlstrustedsubject;  # exempts adbd from MLS constraints; NOTE(review): broad exemption, so the type-enforcement rules below are the effective limit on what adbd can reach
      5 
      6 init_daemon_domain(adbd)  # init enters the adbd domain automatically when it starts the adbd executable
      7 
      8 domain_auto_trans(adbd, shell_exec, shell)  # a shell_exec file executed by adbd runs in the shell domain, not in adbd
      9 
     10 userdebug_or_eng(`
     11   allow adbd self:process setcurrent;  # userdebug/eng builds only: adbd may change its own security context
     12   allow adbd su:process dyntransition;  # userdebug/eng builds only: that new context may be su; the dyntransition neverallow at the end of this file carries the matching exemption
     13 ')
     14 
     15 # Do not sanitize the environment or open fds of the shell (noatsecure keeps AT_SECURE
     16 # from being set on the transition, so the environment passes through unchanged). Allow signaling created processes.
     17 allow adbd shell:process { noatsecure signal };
     18 
     19 # Set UID and GID to shell.  Set supplementary groups.
     20 allow adbd self:global_capability_class_set { setuid setgid };  # CAP_SETUID and CAP_SETGID on adbd itself
     21 
     22 # Drop capabilities from bounding set on user builds.
     23 allow adbd self:global_capability_class_set setpcap;  # CAP_SETPCAP; NOTE(review): the rule is not build-conditional, only the use described above is
     24 
     25 # Create and use network sockets (presumably for adb over TCP - confirm).
     26 net_domain(adbd)
     27 
     28 # Access /dev/usb-ffs/adb/ep0: traverse the functionfs directory, read and write the files in it.
     29 allow adbd functionfs:dir search;
     30 allow adbd functionfs:file rw_file_perms;
     31 
     32 # Use a pseudo tty.
     33 allow adbd devpts:chr_file rw_file_perms;  # read/write only; rw_file_perms carries no create or relabel permission
     34 
     35 # adb push/pull /data/local/tmp. Full create and write access on this type.
     36 allow adbd shell_data_file:dir create_dir_perms;
     37 allow adbd shell_data_file:file create_file_perms;
     38 
     39 # adb pull /data/local/traces/* (read-only in this file: no write or create permission is granted)
     40 allow adbd trace_data_file:dir r_dir_perms;
     41 allow adbd trace_data_file:file r_file_perms;
     42 
     43 # adb pull /data/misc/profman. (read-only in this file)
     44 allow adbd profman_dump_data_file:dir r_dir_perms;
     45 allow adbd profman_dump_data_file:file r_file_perms;
     46 
     47 # adb push/pull sdcard. Path traversal and symlink resolution first, then full create access on sdcard_type.
     48 allow adbd tmpfs:dir search;  # traverse only, no listing
     49 allow adbd rootfs:lnk_file r_file_perms;  # /sdcard symlink
     50 allow adbd tmpfs:lnk_file r_file_perms;   # /mnt/sdcard symlink
     51 allow adbd sdcard_type:dir create_dir_perms;
     52 allow adbd sdcard_type:file create_file_perms;
     53 
     54 # adb pull /data/anr/traces.txt (read-only in this file)
     55 allow adbd anr_data_file:dir r_dir_perms;
     56 allow adbd anr_data_file:file r_file_perms;
     57 
     58 # Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
     59 set_prop(adbd, shell_prop)
     60 set_prop(adbd, powerctl_prop)  # NOTE(review): write access to sys.powerctl means adbd can request a reboot or shutdown
     61 set_prop(adbd, ffs_prop)
     62 set_prop(adbd, exported_ffs_prop)  # not named in the comment above; presumably the exported counterpart of ffs_prop - confirm
     63 
     64 # Access device logging gating property (read-only: get_prop, not set_prop)
     65 get_prop(adbd, device_logging_prop)
     66 
     67 # Read the device serial number from system properties (read-only)
     68 get_prop(adbd, serialno_prop)
     69 
     70 # Run /system/bin/bu
     71 allow adbd system_file:file rx_file_perms;  # NOTE(review): covers every file labeled system_file, not just bu; rx_file_perms includes execute_no_trans, so these binaries run inside the adbd domain
     72 
     73 # Perform binder IPC to surfaceflinger (screencap)
     74 # XXX Run screencap in a separate domain?
     75 binder_use(adbd)
     76 binder_call(adbd, surfaceflinger)
     77 # b/13188914 - direct read/write access to the GPU and ION device nodes; presumably part of the in-domain screencap path that the XXX above questions - confirm
     78 allow adbd gpu_device:chr_file rw_file_perms;
     79 allow adbd ion_device:chr_file rw_file_perms;
     80 r_dir_file(adbd, system_file)  # read directories, files and symlinks labeled system_file
     81 
     82 # Needed for various screenshots (makes adbd a client of the graphics allocator HAL)
     83 hal_client_domain(adbd, hal_graphics_allocator)
     84 
     85 # Read /data/misc/adb/adb_keys. Search and read only: this file grants adbd no write or create permission on the key store type.
     86 allow adbd adb_keys_file:dir search;
     87 allow adbd adb_keys_file:file r_file_perms;
     88 
     89 userdebug_or_eng(`
     90   # Write debugging information to /data/adb
     91   # when persist.adb.trace_mask is set (userdebug/eng builds only; user builds get no adb_data_file access from this block)
     92   # https://code.google.com/p/android/issues/detail?id=72895
     93   allow adbd adb_data_file:dir rw_dir_perms;
     94   allow adbd adb_data_file:file create_file_perms;
     95 ')
     96 
     97 # ndk-gdb invokes adb forward to forward the gdbserver socket.
     98 allow adbd app_data_file:dir search;  # traverse app data directories only; no listing and no file read
     99 allow adbd app_data_file:sock_file write;  # write on the socket file is what a connect needs
    100 allow adbd appdomain:unix_stream_socket connectto;  # NOTE(review): applies to every appdomain on every build type; nothing in this rule limits it to debuggable apps
    101 
    102 # ndk-gdb invokes adb pull of app_process, linker, and libc.so.
    103 allow adbd zygote_exec:file r_file_perms;
    104 allow adbd system_file:file r_file_perms;  # NOTE(review): already covered by the rx_file_perms rule and r_dir_file(adbd, system_file) earlier in this file
    105 
    106 # Allow pulling the SELinux policy for CTS purposes (all rules in this group are read-only)
    107 allow adbd selinuxfs:dir r_dir_perms;
    108 allow adbd selinuxfs:file r_file_perms;
    109 allow adbd kernel:security read_policy;  # read the loaded kernel policy; NOTE(review): not build-conditional, so adbd can read it on user builds as well
    110 allow adbd service_contexts_file:file r_file_perms;
    111 allow adbd file_contexts_file:file r_file_perms;
    112 allow adbd seapp_contexts_file:file r_file_perms;
    113 allow adbd property_contexts_file:file r_file_perms;
    114 allow adbd sepolicy_file:file r_file_perms;
    115 
    116 # Allow pulling config.gz for CTS purposes (read-only)
    117 allow adbd config_gz:file r_file_perms;
    118 
    119 allow adbd surfaceflinger_service:service_manager find;  # look up the surfaceflinger service through the service manager
    120 allow adbd bootchart_data_file:dir search;  # traverse only; presumably for adb pull of bootchart output - confirm
    121 allow adbd bootchart_data_file:file r_file_perms;  # read-only
    122 
    123 # Allow access to external storage; we have several visible mount points under /storage
    124 # and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary.
    125 allow adbd storage_file:dir r_dir_perms;  # these four rules only list directories and resolve symlinks
    126 allow adbd storage_file:lnk_file r_file_perms;
    127 allow adbd mnt_user_file:dir r_dir_perms;
    128 allow adbd mnt_user_file:lnk_file r_file_perms;
    129 
    130 # Access to /data/media (full create and write access on the backing media_rw_data_file type).
    131 # This should be removed if sdcardfs is modified to alter the secontext for its
    132 # accesses to the underlying FS.
    133 allow adbd media_rw_data_file:dir create_dir_perms;
    134 allow adbd media_rw_data_file:file create_file_perms;
    135 
    136 r_dir_file(adbd, apk_data_file)  # read-only access to directories, files and symlinks labeled apk_data_file; presumably for pulling installed APKs - confirm
    137 
    138 allow adbd rootfs:dir r_dir_perms;  # list and traverse rootfs directories; no write
    139 
    140 ###
    141 ### Neverallow rules
    142 ###
    143 
    144 # No exec-based transitions from adbd to non-shell, non-crash_dump domains. adbd only ever
    145 # transitions to the shell domain (except when it crashes). Dynamic transitions are denied for
    146 # every target domain on user builds; only userdebug/eng builds exempt su (aka "adb root").
    147 neverallow adbd { domain -crash_dump -shell }:process transition;
    148 neverallow adbd { domain userdebug_or_eng(`-su') }:process dyntransition;