# adbd seclabel is specified in init.rc since
# it lives in the rootfs and has no unique file type.
type adbd, domain;

# userdebug/eng builds only: adbd may change its own security context
# (setcurrent) and dynamically transition into the su domain without an
# exec (dyntransition). Neither permission exists on user builds, so the
# only way into su from adbd is this build-gated block.
userdebug_or_eng(`
  allow adbd self:process setcurrent;
  allow adbd su:process dyntransition;
')

# Executing a shell_exec-labelled file from adbd transitions to the
# shell domain; this is the only domain transition granted in this file.
domain_auto_trans(adbd, shell_exec, shell)

# Do not sanitize the environment or open fds of the shell.
# (noatsecure: the shell is spawned without the AT_SECURE treatment, so it
# inherits adbd's environment variables and open file descriptors.)
allow adbd shell:process noatsecure;

# Set UID and GID to shell. Set supplementary groups.
allow adbd self:capability { setuid setgid };

# Drop capabilities from bounding set on user builds.
# (CAP_SETPCAP is required to remove capabilities from the bounding set.)
allow adbd self:capability setpcap;

# Create and use network sockets.
net_domain(adbd)

# Access /dev/android_adb or /dev/usb-ffs/adb/ep0
allow adbd adb_device:chr_file rw_file_perms;
allow adbd functionfs:dir search;
allow adbd functionfs:file rw_file_perms;

# Use a pseudo tty.
allow adbd devpts:chr_file rw_file_perms;

# adb push/pull /data/local/tmp.
allow adbd shell_data_file:dir create_dir_perms;
allow adbd shell_data_file:file create_file_perms;

# adb push/pull sdcard.
# Covers every type carrying the sdcard_type attribute.
allow adbd sdcard_type:dir create_dir_perms;
allow adbd sdcard_type:file create_file_perms;

# adb pull /data/anr/traces.txt (read-only)
allow adbd anr_data_file:dir r_dir_perms;
allow adbd anr_data_file:file r_file_perms;

# Set service.adb.*, sys.powerctl properties.
# Property sets go through init's property socket; the set permission is
# limited to the shell_prop and powerctl_prop property types.
unix_socket_connect(adbd, property, init)
allow adbd shell_prop:property_service set;
allow adbd powerctl_prop:property_service set;

# Run /system/bin/bu
# NOTE(review): rx_file_perms on system_file lets adbd execute any
# system_file-labelled binary, and with no domain_auto_trans for it here
# such a binary runs inside the adbd domain with adbd's permissions.
allow adbd system_file:file rx_file_perms;

# Perform binder IPC to surfaceflinger (screencap)
# XXX Run screencap in a separate domain?
binder_use(adbd)
binder_call(adbd, surfaceflinger)
# b/13188914
allow adbd gpu_device:chr_file rw_file_perms;

# Read /data/misc/adb/adb_keys.
allow adbd adb_keys_file:dir search;
allow adbd adb_keys_file:file r_file_perms;

userdebug_or_eng(`
  # Write debugging information to /data/adb
  # when persist.adb.trace_mask is set
  # https://code.google.com/p/android/issues/detail?id=72895
  allow adbd adb_data_file:dir rw_dir_perms;
  allow adbd adb_data_file:file create_file_perms;
')

# ndk-gdb invokes adb forward to forward the gdbserver socket.
# This grants search on every app_data_file directory, write on app socket
# files, and connectto on the unix stream sockets of any appdomain process.
allow adbd app_data_file:dir search;
allow adbd app_data_file:sock_file write;
allow adbd appdomain:unix_stream_socket connectto;

# b/18078338 - allow read access to executable types on /system
# to assist with debugging OTA issues.
# Applies to every type carrying the exec_type attribute, not only
# system_file.
allow adbd exec_type:file r_file_perms;

# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
# (system_file read is already implied by the rx_file_perms rule above;
# zygote_exec is presumably covered by the exec_type rule as well — the
# lines are kept for explicitness.)
allow adbd zygote_exec:file r_file_perms;
allow adbd system_file:file r_file_perms;

# Read the SELinux policy currently loaded in the kernel.
allow adbd kernel:security read_policy;