1### ADB daemon
2
# Domain setup for adbd: attributes, how the domain is entered, and which
# domains it may move into.
# NOTE(review): both attributes are defined outside this file. mlstrustedsubject
# presumably exempts adbd from the MLS level/category constraints, which would
# make every grant below apply across user and app levels - confirm against the
# mls constraint definitions before widening any rule here.
3typeattribute adbd coredomain;
4typeattribute adbd mlstrustedsubject;
5
# Macro defined elsewhere; presumably sets up the init -> adbd transition.
6init_daemon_domain(adbd)
7
# Executing a file labelled shell_exec moves the process from adbd into the
# shell domain, so commands started over adb are expected to run under the
# shell policy rather than the adbd policy (macro body is not visible here).
8domain_auto_trans(adbd, shell_exec, shell)
9
# Debug builds only: adbd may change its own context (setcurrent) and
# dynamically transition into su. This is the only allow rule targeting su in
# this file; the neverallow rules at the bottom restrict the same permission.
10userdebug_or_eng(`
11  allow adbd self:process setcurrent;
12  allow adbd su:process dyntransition;
13')
14
15# Do not sanitize the environment or open fds of the shell. Allow signaling
16# created processes.
# NOTE(review): noatsecure means the shell child is not started in secure-exec
# mode, so the environment prepared by adbd crosses the adbd -> shell domain
# boundary unchanged. Keep this scoped to the shell target only.
17allow adbd shell:process { noatsecure signal };
18
# setuid, setgid and setpcap are the only self:capability grants in this file.
19# Set UID and GID to shell.  Set supplementary groups.
20allow adbd self:capability { setuid setgid };
21
22# Drop capabilities from bounding set on user builds.
23allow adbd self:capability setpcap;
24
25# Create and use network sockets.
# NOTE(review): net_domain is defined elsewhere, so the socket classes and
# permissions it grants are not visible here. Presumably this is what backs
# adb over TCP - confirm before relying on it.
26net_domain(adbd)
27
# USB transport endpoint: directory search plus read/write on the files.
28# Access /dev/usb-ffs/adb/ep0
29allow adbd functionfs:dir search;
30allow adbd functionfs:file rw_file_perms;
31
32# Use a pseudo tty.
33allow adbd devpts:chr_file rw_file_perms;
34
# File transfer grants. Two kinds of permission set are used: create_* sets
# where adb push must write (shell_data_file, sdcard_type) and r_* sets where
# only adb pull is intended (profman dumps, ANR traces).
# NOTE(review): the permission-set macros are defined elsewhere; their exact
# contents are not visible in this file.
35# adb push/pull /data/local/tmp.
36allow adbd shell_data_file:dir create_dir_perms;
37allow adbd shell_data_file:file create_file_perms;
38
39# adb pull /data/misc/profman.
40allow adbd profman_dump_data_file:dir r_dir_perms;
41allow adbd profman_dump_data_file:file r_file_perms;
42
43# adb push/pull sdcard.
44allow adbd tmpfs:dir search;
45allow adbd rootfs:lnk_file r_file_perms;  # /sdcard symlink
46allow adbd tmpfs:lnk_file r_file_perms;   # /mnt/sdcard symlink
47allow adbd sdcard_type:dir create_dir_perms;
48allow adbd sdcard_type:file create_file_perms;
49
50# adb pull /data/anr/traces.txt
# NOTE(review): read-only, but trace files may hold state from other
# processes; anyone with an authorized adb session can retrieve them.
51allow adbd anr_data_file:dir r_dir_perms;
52allow adbd anr_data_file:file r_file_perms;
53
# Property access: three property types are writable, two are read-only.
54# Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
# NOTE(review): powerctl_prop is the sensitive one of the three. Per the
# comment above it covers sys.powerctl, presumably the property used to
# request reboot or shutdown - confirm. The set_prop macro body is not
# visible here.
55set_prop(adbd, shell_prop)
56set_prop(adbd, powerctl_prop)
57set_prop(adbd, ffs_prop)
58
59# Access device logging gating property
60get_prop(adbd, device_logging_prop)
61
62# Read device's serial number from system properties
63get_prop(adbd, serialno_prop)
64
65# Run /system/bin/bu
# NOTE(review): the grant is on the whole system_file type, so it is not
# limited to the bu binary named above; every file carrying that label is
# covered. rx_file_perms is presumably read plus execute; if it includes
# execute_no_trans, such binaries run inside the adbd domain itself - confirm.
# A dedicated exec type for bu would be narrower.
66allow adbd system_file:file rx_file_perms;
67
68# Perform binder IPC to surfaceflinger (screencap)
69# XXX Run screencap in a separate domain?
# NOTE(review): as written, the binder, gpu_device and ion_device access below
# is held by adbd itself, which is what the XXX above questions. Moving
# screencap into its own domain would let these grants be dropped from adbd.
70binder_use(adbd)
71binder_call(adbd, surfaceflinger)
72# b/13188914
73allow adbd gpu_device:chr_file rw_file_perms;
74allow adbd ion_device:chr_file rw_file_perms;
# Read access to system_file directories and files (macro defined elsewhere).
75r_dir_file(adbd, system_file)
76
77# Needed for various screenshots
78hal_client_domain(adbd, hal_graphics_allocator)
79
80# Read /data/misc/adb/adb_keys.
# Only search and read are granted on adb_keys_file, so nothing in this file
# lets adbd create or modify the key file it reads. Worth preserving:
# presumably these are the host keys adbd trusts - confirm.
81allow adbd adb_keys_file:dir search;
82allow adbd adb_keys_file:file r_file_perms;
83
# Debug builds only: adbd may create and write files labelled adb_data_file.
# NOTE(review): rw_dir_perms and create_file_perms are defined elsewhere; the
# exact permission lists are not visible here.
84userdebug_or_eng(`
85  # Write debugging information to /data/adb
86  # when persist.adb.trace_mask is set
87  # https://code.google.com/p/android/issues/detail?id=72895
88  allow adbd adb_data_file:dir rw_dir_perms;
89  allow adbd adb_data_file:file create_file_perms;
90')
91
92# ndk-gdb invokes adb forward to forward the gdbserver socket.
# NOTE(review): connectto is granted on the appdomain attribute, which is
# defined elsewhere and presumably covers all app domains, not only apps being
# debugged. Which sockets are actually reachable also depends on the sock_file
# write grant on app_data_file and on DAC permissions; this file does not
# narrow either further.
93allow adbd app_data_file:dir search;
94allow adbd app_data_file:sock_file write;
95allow adbd appdomain:unix_stream_socket connectto;
96
97# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
98allow adbd zygote_exec:file r_file_perms;
# NOTE(review): presumably already covered by the rx_file_perms grant on
# system_file earlier in this file; kept here to document the ndk-gdb use.
99allow adbd system_file:file r_file_perms;
100
101# Allow pulling the SELinux policy for CTS purposes
# NOTE(review): these rules are unconditional, so the loaded policy and the
# context files listed below are readable through adbd on every build type,
# not only on test builds. All grants in this group are read-only.
102allow adbd selinuxfs:dir r_dir_perms;
103allow adbd selinuxfs:file r_file_perms;
104allow adbd kernel:security read_policy;
105allow adbd service_contexts_file:file r_file_perms;
106allow adbd file_contexts_file:file r_file_perms;
107allow adbd seapp_contexts_file:file r_file_perms;
108allow adbd property_contexts_file:file r_file_perms;
109allow adbd sepolicy_file:file r_file_perms;
110
111# Allow pulling config.gz for CTS purposes
112allow adbd config_gz:file r_file_perms;
113
# Lookup of the surfaceflinger service in service_manager; pairs with the
# binder_call to surfaceflinger granted earlier in this file.
114allow adbd surfaceflinger_service:service_manager find;
# Read-only access to bootchart data: search on the directory, read on files.
115allow adbd bootchart_data_file:dir search;
116allow adbd bootchart_data_file:file r_file_perms;
117
118# Allow access to external storage; we have several visible mount points under /storage
119# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
# These four rules are read-only: directory listing and symlink resolution.
120allow adbd storage_file:dir r_dir_perms;
121allow adbd storage_file:lnk_file r_file_perms;
122allow adbd mnt_user_file:dir r_dir_perms;
123allow adbd mnt_user_file:lnk_file r_file_perms;
124
125# Access to /data/media.
126# This should be removed if sdcardfs is modified to alter the secontext for its
127# accesses to the underlying FS.
# NOTE(review): flagged by the authors as removable. Until then adbd holds
# direct create access to media_rw_data_file in addition to the sdcard_type
# grants earlier in this file.
128allow adbd media_rw_data_file:dir create_dir_perms;
129allow adbd media_rw_data_file:file create_file_perms;
130
# Read-only by macro name (r_dir_file); presumably lets adb pull installed
# APK files - confirm against the macro definition.
131r_dir_file(adbd, apk_data_file)
132
# Directory read on rootfs. No rootfs:file grant exists in this file; the only
# other rootfs rule is the lnk_file read used for the /sdcard symlink.
133allow adbd rootfs:dir r_dir_perms;
134
135###
136### Neverallow rules
137###
138
139# No transitions from adbd to non-shell, non-crash_dump domains. adbd only ever
140# transitions to the shell domain (except when it crashes). In particular, we
141# never want to see a transition from adbd to su (aka "adb root")
# NOTE(review): the two rules cover different permissions. The first forbids
# exec-based transition to anything except shell and crash_dump on every build
# type. The second forbids dyntransition to every domain, with su excepted only
# inside userdebug_or_eng, matching the dyntransition allow rule near the top
# of this file. So on debug builds adbd can still reach su, by dyntransition
# rather than transition; on user builds neither route is permitted, assuming
# userdebug_or_eng expands to nothing there.
142neverallow adbd { domain -crash_dump -shell }:process transition;
143neverallow adbd { domain userdebug_or_eng(`-su') }:process dyntransition;
144