• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1### ADB daemon
2
3typeattribute adbd coredomain;
4typeattribute adbd mlstrustedsubject;
5
6init_daemon_domain(adbd)
7
8domain_auto_trans(adbd, shell_exec, shell)
9
10userdebug_or_eng(`
11  allow adbd self:process setcurrent;
12  allow adbd su:process dyntransition;
13')
14
15# When 'adb shell' is executed in recovery mode, adbd explicitly
16# switches into shell domain using setcon() because the shell executable
17# is not labeled as shell but as rootfs.
18recovery_only(`
19  domain_trans(adbd, rootfs, shell)
20  allow adbd shell:process dyntransition;
21
22  # Allows reboot fastboot to enter fastboot directly
23  unix_socket_connect(adbd, recovery, recovery)
24')
25
26# Control Perfetto traced and obtain traces from it.
27# Needed to allow port forwarding directly to traced.
28unix_socket_connect(adbd, traced_consumer, traced)
29
30# Do not sanitize the environment or open fds of the shell. Allow signaling
31# created processes.
32allow adbd shell:process { noatsecure signal };
33
34# Set UID and GID to shell.  Set supplementary groups.
35allow adbd self:global_capability_class_set { setuid setgid };
36
37# Drop capabilities from bounding set on user builds.
38allow adbd self:global_capability_class_set setpcap;
39
40# ignore spurious denials for adbd when disk space is low.
41dontaudit adbd self:global_capability_class_set sys_resource;
42
43# adbd probes for vsock support. Do not generate denials when
44# this occurs. (b/123569840)
45dontaudit adbd self:{ socket vsock_socket } create;
46
47# Allow adbd inside vm to forward vm's vsock.
48allow adbd self:vsock_socket { create_socket_perms_no_ioctl listen accept };
49
50# Create and use network sockets.
51net_domain(adbd)
52
53# Access /dev/usb-ffs/adb/ep0
54allow adbd functionfs:dir search;
55allow adbd functionfs:file rw_file_perms;
56allowxperm adbd functionfs:file ioctl {
57  FUNCTIONFS_ENDPOINT_DESC
58  FUNCTIONFS_CLEAR_HALT
59};
60
61# Use a pseudo tty.
62allow adbd devpts:chr_file rw_file_perms;
63
64# adb push/pull /data/local/tmp.
65allow adbd shell_data_file:dir create_dir_perms;
66allow adbd shell_data_file:file create_file_perms;
67
68# adb pull /data/local/traces/*
69allow adbd trace_data_file:dir r_dir_perms;
70allow adbd trace_data_file:file r_file_perms;
71
72# adb pull /data/misc/profman.
73allow adbd profman_dump_data_file:dir r_dir_perms;
74allow adbd profman_dump_data_file:file r_file_perms;
75
76# adb push/pull sdcard.
77allow adbd tmpfs:dir search;
78allow adbd rootfs:lnk_file r_file_perms;  # /sdcard symlink
79allow adbd tmpfs:lnk_file r_file_perms;   # /mnt/sdcard symlink
80allow adbd sdcard_type:dir create_dir_perms;
81allow adbd sdcard_type:file create_file_perms;
82
83# adb pull /data/anr/traces.txt
84allow adbd anr_data_file:dir r_dir_perms;
85allow adbd anr_data_file:file r_file_perms;
86
87# adb pull /vendor/framework/*
88allow adbd vendor_framework_file:dir r_dir_perms;
89allow adbd vendor_framework_file:file r_file_perms;
90
91# Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
92set_prop(adbd, shell_prop)
93set_prop(adbd, powerctl_prop)
94get_prop(adbd, ffs_config_prop)
95set_prop(adbd, ffs_control_prop)
96
97# Set service.adb.tcp.port, service.adb.tls.port, persist.adb.wifi.* properties
98set_prop(adbd, adbd_prop)
99set_prop(adbd, adbd_config_prop)
100
101# Allow adbd start/stop mdnsd via ctl.start
102set_prop(adbd, ctl_mdnsd_prop)
103
104# Access device logging gating property
105get_prop(adbd, device_logging_prop)
106
107# Read device's serial number from system properties
108get_prop(adbd, serialno_prop)
109
110# Read whether or not Test Harness Mode is enabled
111get_prop(adbd, test_harness_prop)
112
113# Read persist.adb.tls_server.enable property
114get_prop(adbd, system_adbd_prop)
115
116# Read device's overlayfs related properties and files
117userdebug_or_eng(`
118  get_prop(adbd, persistent_properties_ready_prop)
119  r_dir_file(adbd, sysfs_dt_firmware_android)
120')
121
122# Run /system/bin/bu
123allow adbd system_file:file rx_file_perms;
124
125# Perform binder IPC to surfaceflinger (screencap)
126# XXX Run screencap in a separate domain?
127binder_use(adbd)
128binder_call(adbd, surfaceflinger)
129binder_call(adbd, gpuservice)
130# b/13188914
131allow adbd gpu_device:chr_file rw_file_perms;
132allow adbd ion_device:chr_file rw_file_perms;
133r_dir_file(adbd, system_file)
134
135# Needed for various screenshots
136hal_client_domain(adbd, hal_graphics_allocator)
137
138# Read /data/misc/adb/adb_keys.
139allow adbd adb_keys_file:dir search;
140allow adbd adb_keys_file:file r_file_perms;
141
142userdebug_or_eng(`
143  # Write debugging information to /data/adb
144  # when persist.adb.trace_mask is set
145  # https://code.google.com/p/android/issues/detail?id=72895
146  allow adbd adb_data_file:dir rw_dir_perms;
147  allow adbd adb_data_file:file create_file_perms;
148')
149
150# ndk-gdb invokes adb forward to forward the gdbserver socket.
151allow adbd app_data_file:dir search;
152allow adbd app_data_file:sock_file write;
153allow adbd appdomain:unix_stream_socket connectto;
154
155# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
156allow adbd zygote_exec:file r_file_perms;
157allow adbd system_file:file r_file_perms;
158
159# Allow pulling the SELinux policy for CTS purposes
160allow adbd selinuxfs:dir r_dir_perms;
161allow adbd selinuxfs:file r_file_perms;
162allow adbd kernel:security read_policy;
163allow adbd service_contexts_file:file r_file_perms;
164allow adbd file_contexts_file:file r_file_perms;
165allow adbd seapp_contexts_file:file r_file_perms;
166allow adbd property_contexts_file:file r_file_perms;
167allow adbd sepolicy_file:file r_file_perms;
168
169# Allow pulling config.gz for CTS purposes
170allow adbd config_gz:file r_file_perms;
171
172# For CTS listening ports test.
173allow adbd proc_net_tcp_udp:file r_file_perms;
174
175allow adbd gpu_service:service_manager find;
176allow adbd surfaceflinger_service:service_manager find;
177allow adbd bootchart_data_file:dir search;
178allow adbd bootchart_data_file:file r_file_perms;
179
180# Allow access to external storage; we have several visible mount points under /storage
181# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
182allow adbd storage_file:dir r_dir_perms;
183allow adbd storage_file:lnk_file r_file_perms;
184allow adbd mnt_user_file:dir r_dir_perms;
185allow adbd mnt_user_file:lnk_file r_file_perms;
186
187# Access to /data/media.
188# This should be removed if sdcardfs is modified to alter the secontext for its
189# accesses to the underlying FS.
190allow adbd media_rw_data_file:dir create_dir_perms;
191allow adbd media_rw_data_file:file create_file_perms;
192
193r_dir_file(adbd, apk_data_file)
194
195allow adbd rootfs:dir r_dir_perms;
196
197# Allow killing child "perfetto" binary processes, which auto-transition to
198# their own domain. Allows propagating termination of "adb shell perfetto ..."
199# invocations.
200allow adbd perfetto:process signal;
201
202# Allow to pull Perfetto traces.
203allow adbd perfetto_traces_data_file:file r_file_perms;
204allow adbd perfetto_traces_data_file:dir r_dir_perms;
205
206# Allow to push and manage configs in /data/misc/perfetto-configs.
207allow adbd perfetto_configs_data_file:dir rw_dir_perms;
208allow adbd perfetto_configs_data_file:file create_file_perms;
209
210# Connect to shell and use a socket transferred from it.
211# Used for e.g. abb.
212allow adbd shell:unix_stream_socket { read write shutdown };
213allow adbd shell:fd use;
214
215# Allow pull /vendor/apex files for CTS tests
216allow adbd vendor_apex_file:dir search;
217allow adbd vendor_apex_file:file r_file_perms;
218
219# Allow adb pull of updated apex files in /data/apex/active.
220allow adbd apex_data_file:dir search;
221allow adbd staging_data_file:file r_file_perms;
222
223# Allow adbd to pull /apex/apex-info-list.xml for CTS tests.
224allow adbd apex_info_file:file r_file_perms;
225
226###
227### Neverallow rules
228###
229
230# No transitions from adbd to non-shell, non-crash_dump domains. adbd only ever
231# transitions to the shell domain (except when it crashes). In particular, we
232# never want to see a transition from adbd to su (aka "adb root")
233neverallow adbd { domain -crash_dump -shell }:process transition;
234neverallow adbd { domain userdebug_or_eng(`-su') recovery_only(`-shell') }:process dyntransition;
235