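# SELinux type-enforcement rules for adbd, the on-device adb daemon.
# One statement per line: in the collapsed listing every rule sat behind the
# first '#' and would have been read as comment text.

# adbd seclabel is specified in init.rc since
# it lives in the rootfs and has no unique file type.
# mlstrustedsubject exempts adbd from the MLS constraints, so the allow
# rules in this file are what bounds the objects adbd can reach.
type adbd, domain, mlstrustedsubject;

# userdebug/eng builds only: adbd may change its own security context
# (setcurrent) and dynamically transition into the su domain.
# NOTE(review): presumably this backs running adbd as root (adb root) --
# confirm. These two rules must never appear outside userdebug_or_eng().
userdebug_or_eng(`
  allow adbd self:process setcurrent;
  allow adbd su:process dyntransition;
')

# Executing a file labelled shell_exec moves the new process into the shell
# domain, so commands started over adb run under shell's policy, not adbd's.
domain_auto_trans(adbd, shell_exec, shell)

# Do not sanitize the environment or open fds of the shell.
# NOTE(review): noatsecure turns off secure-exec scrubbing on the
# adbd -> shell transition; keep it limited to the shell domain.
allow adbd shell:process noatsecure;

# Set UID and GID to shell. Set supplementary groups.
allow adbd self:capability { setuid setgid };

# Drop capabilities from bounding set on user builds.
allow adbd self:capability setpcap;

# Create and use network sockets.
net_domain(adbd)

# Access /dev/android_adb or /dev/usb-ffs/adb/ep0
allow adbd adb_device:chr_file rw_file_perms;
allow adbd functionfs:dir search;
allow adbd functionfs:file rw_file_perms;

# Use a pseudo tty.
allow adbd devpts:chr_file rw_file_perms;

# adb push/pull /data/local/tmp.
allow adbd shell_data_file:dir create_dir_perms;
allow adbd shell_data_file:file create_file_perms;

# adb push/pull sdcard.
allow adbd sdcard_type:dir create_dir_perms;
allow adbd sdcard_type:file create_file_perms;

# adb pull /data/anr/traces.txt
# Read-only: directory listing and file read, no write or create.
allow adbd anr_data_file:dir r_dir_perms;
allow adbd anr_data_file:file r_file_perms;

# Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
# powerctl_prop covers sys.powerctl, the property init acts on to reboot or
# power off the device, so this grant is what lets an adb client request it.
set_prop(adbd, shell_prop)
set_prop(adbd, powerctl_prop)
set_prop(adbd, ffs_prop)

# Run /system/bin/bu
# NOTE(review): the rule is by type, not by path. rx_file_perms lets adbd
# read and execute any file labelled system_file while staying in the adbd
# domain, not only bu.
allow adbd system_file:file rx_file_perms;

# Perform binder IPC to surfaceflinger (screencap)
# XXX Run screencap in a separate domain?
binder_use(adbd)
binder_call(adbd, surfaceflinger)
# b/13188914
# Read/write on the GPU device node; the only rationale recorded here is the
# bug number above.
allow adbd gpu_device:chr_file rw_file_perms;

# Read /data/misc/adb/adb_keys.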
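# Read-only access to the adb key store: search on the directory and read on
# the file. Nothing here lets adbd create or modify adb_keys_file objects.
allow adbd adb_keys_file:dir search;
allow adbd adb_keys_file:file r_file_perms;

userdebug_or_eng(`
  # Write debugging information to /data/adb
  # when persist.adb.trace_mask is set
  # https://code.google.com/p/android/issues/detail?id=72895
  allow adbd adb_data_file:dir rw_dir_perms;
  allow adbd adb_data_file:file create_file_perms;
')

# ndk-gdb invokes adb forward to forward the gdbserver socket.
# NOTE(review): these rules are not limited to debuggable apps. They cover
# every app_data_file socket and every domain in appdomain, so any further
# restriction has to come from DAC permissions or from the app itself.
allow adbd app_data_file:dir search;
allow adbd app_data_file:sock_file write;
allow adbd appdomain:unix_stream_socket connectto;

# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
# The system_file read below is already covered by the rx_file_perms rule
# for /system/bin/bu earlier in this file; it is kept to record this use.
allow adbd zygote_exec:file r_file_perms;
allow adbd system_file:file r_file_perms;

# Read the policy currently loaded in the kernel.
# NOTE(review): no rationale is recorded here; presumably so the policy can
# be pulled over adb for inspection -- confirm.
allow adbd kernel:security read_policy;

# Look up the surfaceflinger service through servicemanager.
allow adbd surfaceflinger_service:service_manager find;

# Read-only access to bootchart data.
# NOTE(review): undocumented; presumably for adb pull of bootchart output
# -- confirm.
allow adbd bootchart_data_file:dir search;
allow adbd bootchart_data_file:file r_file_perms;

# Allow access to external storage; we have several visible mount points under /storage
# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
# Read-only on the mount-point directories and symlinks themselves; writes to
# the storage contents are governed by the sdcard_type rules.
allow adbd storage_file:dir r_dir_perms;
allow adbd storage_file:lnk_file r_file_perms;
allow adbd mnt_user_file:dir r_dir_perms;
allow adbd mnt_user_file:lnk_file r_file_perms;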