1# adbd seclabel is specified in init.rc since
2# it lives in the rootfs and has no unique file type.
3type adbd, domain, mlstrustedsubject;
4
5userdebug_or_eng(`
6  allow adbd self:process setcurrent;
7  allow adbd su:process dyntransition;
8')
9
10domain_auto_trans(adbd, shell_exec, shell)
11
12# Do not sanitize the environment or open fds of the shell. Allow signaling
13# created processes.
14allow adbd shell:process { noatsecure signal };
15
16# Set UID and GID to shell.  Set supplementary groups.
17allow adbd self:capability { setuid setgid };
18
19# Drop capabilities from bounding set on user builds.
20allow adbd self:capability setpcap;
21
22# Create and use network sockets.
23net_domain(adbd)
24
25# Access /dev/android_adb or /dev/usb-ffs/adb/ep0
26allow adbd adb_device:chr_file rw_file_perms;
27allow adbd functionfs:dir search;
28allow adbd functionfs:file rw_file_perms;
29
30# Use a pseudo tty.
31allow adbd devpts:chr_file rw_file_perms;
32
33# adb push/pull /data/local/tmp.
34allow adbd shell_data_file:dir create_dir_perms;
35allow adbd shell_data_file:file create_file_perms;
36
37# adb pull /data/misc/profman.
38allow adbd profman_dump_data_file:dir r_dir_perms;
39allow adbd profman_dump_data_file:file r_file_perms;
40
41# adb push/pull sdcard.
42allow adbd tmpfs:dir search;
43allow adbd rootfs:lnk_file r_file_perms;  # /sdcard symlink
44allow adbd tmpfs:lnk_file r_file_perms;   # /mnt/sdcard symlink
45allow adbd sdcard_type:dir create_dir_perms;
46allow adbd sdcard_type:file create_file_perms;
47
48# adb pull /data/anr/traces.txt
49allow adbd anr_data_file:dir r_dir_perms;
50allow adbd anr_data_file:file r_file_perms;
51
52# Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
53set_prop(adbd, shell_prop)
54set_prop(adbd, powerctl_prop)
55set_prop(adbd, ffs_prop)
56
57# Access device logging gating property
58get_prop(adbd, device_logging_prop)
59
60# Run /system/bin/bu
61allow adbd system_file:file rx_file_perms;
62
63# Perform binder IPC to surfaceflinger (screencap)
64# XXX Run screencap in a separate domain?
65binder_use(adbd)
66binder_call(adbd, surfaceflinger)
67# b/13188914
68allow adbd gpu_device:chr_file rw_file_perms;
69allow adbd ion_device:chr_file rw_file_perms;
70r_dir_file(adbd, system_file)
71
72# Read /data/misc/adb/adb_keys.
73allow adbd adb_keys_file:dir search;
74allow adbd adb_keys_file:file r_file_perms;
75
76userdebug_or_eng(`
77  # Write debugging information to /data/adb
78  # when persist.adb.trace_mask is set
79  # https://code.google.com/p/android/issues/detail?id=72895
80  allow adbd adb_data_file:dir rw_dir_perms;
81  allow adbd adb_data_file:file create_file_perms;
82')
83
84# ndk-gdb invokes adb forward to forward the gdbserver socket.
85allow adbd { app_data_file autoplay_data_file }:dir search;
86allow adbd { app_data_file autoplay_data_file }:sock_file write;
87allow adbd { appdomain autoplay_app }:unix_stream_socket connectto;
88
89# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
90allow adbd zygote_exec:file r_file_perms;
91allow adbd system_file:file r_file_perms;
92
93# Allow pulling the SELinux policy for CTS purposes
94allow adbd selinuxfs:dir r_dir_perms;
95allow adbd selinuxfs:file r_file_perms;
96allow adbd kernel:security read_policy;
97
98allow adbd surfaceflinger_service:service_manager find;
99allow adbd bootchart_data_file:dir search;
100allow adbd bootchart_data_file:file r_file_perms;
101
102# Allow access to external storage; we have several visible mount points under /storage
103# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
104allow adbd storage_file:dir r_dir_perms;
105allow adbd storage_file:lnk_file r_file_perms;
106allow adbd mnt_user_file:dir r_dir_perms;
107allow adbd mnt_user_file:lnk_file r_file_perms;
108
109# Access to /data/media.
110# This should be removed if sdcardfs is modified to alter the secontext for its
111# accesses to the underlying FS.
112allow adbd media_rw_data_file:dir create_dir_perms;
113allow adbd media_rw_data_file:file create_file_perms;
114