### ADB daemon
###
### Type-enforcement rules for the adbd domain. Each allow rule grants adbd
### the listed permissions on every object carrying the target type, so the
### scope of a grant is the label, not the single path named in a comment.

typeattribute adbd coredomain;
# NOTE(review): mlstrustedsubject is presumably the attribute that exempts a
# subject from the MLS constraints; confirm against the MLS policy source.
typeattribute adbd mlstrustedsubject;

# Executing a file labelled shell_exec from adbd starts the new process in the
# shell domain (domain_auto_trans is defined outside this file).
domain_auto_trans(adbd, shell_exec, shell)

# Wrapped in userdebug_or_eng, so by the macro name these two rules exist only
# on userdebug and eng builds: adbd may set its own process context and
# dyntransition into su. The neverallow rules at the end of this file exclude
# su from the dyntransition ban only inside the same macro.
userdebug_or_eng(`
  allow adbd self:process setcurrent;
  allow adbd su:process dyntransition;
')

# Do not sanitize the environment or open fds of the shell. Allow signaling
# created processes.
# NOTE(review): because of noatsecure, whatever environment and descriptors
# adbd holds at exec time reach the shell as they are; keep anything sensitive
# out of them.
allow adbd shell:process { noatsecure signal };

# Set UID and GID to shell. Set supplementary groups.
allow adbd self:capability { setuid setgid };

# Drop capabilities from bounding set on user builds.
# The rule itself is not build-gated: setpcap is granted on every build type.
allow adbd self:capability setpcap;

# Create and use network sockets.
net_domain(adbd)

# Access /dev/usb-ffs/adb/ep0
allow adbd functionfs:dir search;
allow adbd functionfs:file rw_file_perms;

# Use a pseudo tty.
allow adbd devpts:chr_file rw_file_perms;

# adb push/pull /data/local/tmp.
# Create-level access (create_dir_perms, create_file_perms), not read-only.
allow adbd shell_data_file:dir create_dir_perms;
allow adbd shell_data_file:file create_file_perms;

# adb pull /data/misc/profman.
# Read-only: r_dir_perms and r_file_perms.
allow adbd profman_dump_data_file:dir r_dir_perms;
allow adbd profman_dump_data_file:file r_file_perms;

# adb push/pull sdcard.
# The tmpfs and rootfs rules only cover directory search and symlink reads
# needed to reach the storage mount; the create-level grants are on
# sdcard_type.
allow adbd tmpfs:dir search;
allow adbd rootfs:lnk_file r_file_perms; # /sdcard symlink
allow adbd tmpfs:lnk_file r_file_perms; # /mnt/sdcard symlink
allow adbd sdcard_type:dir create_dir_perms;
allow adbd sdcard_type:file create_file_perms;

# adb pull /data/anr/traces.txt
# Read-only: r_dir_perms and r_file_perms.
allow adbd anr_data_file:dir r_dir_perms;
allow adbd anr_data_file:file r_file_perms;

# Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
# NOTE(review): powerctl_prop presumably backs sys.powerctl, which would let
# adbd request a reboot or shutdown; confirm the mapping in the property
# contexts. None of the three set_prop grants is build-gated.
set_prop(adbd, shell_prop)
set_prop(adbd, powerctl_prop)
set_prop(adbd, ffs_prop)

# Access device logging gating property
get_prop(adbd, device_logging_prop)

# Read device's serial number from system properties
get_prop(adbd, serialno_prop)

# Run /system/bin/bu
# NOTE(review): the grant is on the whole system_file type, so it covers every
# file with that label, not only bu. rx_file_perms is defined outside this
# file; it presumably includes execute_no_trans, meaning such a binary runs
# inside the adbd domain unless a transition rule applies. Confirm.
allow adbd system_file:file rx_file_perms;

# Perform binder IPC to surfaceflinger (screencap)
# XXX Run screencap in a separate domain?
# Until that split happens, the GPU and ion device grants below sit on adbd
# itself rather than on a narrower screenshot domain.
binder_use(adbd)
binder_call(adbd, surfaceflinger)
# b/13188914
allow adbd gpu_device:chr_file rw_file_perms;
allow adbd ion_device:chr_file rw_file_perms;
r_dir_file(adbd, system_file)

# Needed for various screenshots
hal_client_domain(adbd, hal_graphics_allocator)

# Read /data/misc/adb/adb_keys.
# These two rules grant directory search and file read only; nothing here lets
# adbd create or modify files labelled adb_keys_file.
allow adbd adb_keys_file:dir search;
allow adbd adb_keys_file:file r_file_perms;

userdebug_or_eng(`
  # Write debugging information to /data/adb
  # when persist.adb.trace_mask is set
  # https://code.google.com/p/android/issues/detail?id=72895
  allow adbd adb_data_file:dir rw_dir_perms;
  allow adbd adb_data_file:file create_file_perms;
')

# ndk-gdb invokes adb forward to forward the gdbserver socket.
# NOTE(review): these rules are not build-gated and name the appdomain
# attribute, so on every build adbd may connect to a unix stream socket owned
# by any app domain, provided the socket file is labelled app_data_file.
allow adbd app_data_file:dir search;
allow adbd app_data_file:sock_file write;
allow adbd appdomain:unix_stream_socket connectto;

# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
# NOTE(review): the system_file read grant below appears to be already covered
# by the rx_file_perms grant on system_file earlier in this file; it is kept
# here next to the use case it documents.
allow adbd zygote_exec:file r_file_perms;
allow adbd system_file:file r_file_perms;

# Allow pulling the SELinux policy for CTS purposes
# All grants in this group are read-only, and none is build-gated, so the
# loaded policy and the context files are readable over adb on every build.
allow adbd selinuxfs:dir r_dir_perms;
allow adbd selinuxfs:file r_file_perms;
allow adbd kernel:security read_policy;
allow adbd service_contexts_file:file r_file_perms;
allow adbd file_contexts_file:file r_file_perms;
allow adbd seapp_contexts_file:file r_file_perms;
allow adbd property_contexts_file:file r_file_perms;
allow adbd sepolicy_file:file r_file_perms;

# Allow pulling config.gz for CTS purposes
allow adbd config_gz:file r_file_perms;

# Look up the surfaceflinger service in the service manager; pairs with the
# binder_call to surfaceflinger earlier in this file.
allow adbd surfaceflinger_service:service_manager find;
# Read bootchart data: directory search plus file read, no write.
allow adbd bootchart_data_file:dir search;
allow adbd bootchart_data_file:file r_file_perms;

# Allow access to external storage; we have several visible mount points under /storage
# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
allow adbd storage_file:dir r_dir_perms;
allow adbd storage_file:lnk_file r_file_perms;
allow adbd mnt_user_file:dir r_dir_perms;
allow adbd mnt_user_file:lnk_file r_file_perms;

# Access to /data/media.
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
# Create-level access (create_dir_perms, create_file_perms) on the backing
# media_rw_data_file label, granted on every build.
allow adbd media_rw_data_file:dir create_dir_perms;
allow adbd media_rw_data_file:file create_file_perms;

# Read access to objects labelled apk_data_file. r_dir_file is defined outside
# this file; presumably it grants read-only directory, file and symlink
# access. Confirm.
r_dir_file(adbd, apk_data_file)

# List and read directories labelled rootfs.
allow adbd rootfs:dir r_dir_perms;

###
### Neverallow rules
###

# No transitions from adbd to non-shell, non-crash_dump domains. adbd only ever
# transitions to the shell domain (except when it crashes). In particular, we
# never want to see a transition from adbd to su (aka "adb root")
#
# The first rule bans exec-time transitions to every domain except crash_dump
# and shell, on all builds. The second bans dyntransition to every domain; su
# is subtracted from that set only inside userdebug_or_eng, which matches the
# dyntransition allow rule near the top of this file. Presumably the macro
# expands to nothing on user builds, leaving no adbd-to-su path there; confirm
# against the macro definition.
neverallow adbd { domain -crash_dump -shell }:process transition;
neverallow adbd { domain userdebug_or_eng(`-su') }:process dyntransition;