1# adbd seclabel is specified in init.rc since 2# it lives in the rootfs and has no unique file type. 3type adbd, domain, mlstrustedsubject; 4 5userdebug_or_eng(` 6 allow adbd self:process setcurrent; 7 allow adbd su:process dyntransition; 8') 9 10domain_auto_trans(adbd, shell_exec, shell) 11 12# Do not sanitize the environment or open fds of the shell. Allow signaling 13# created processes. 14allow adbd shell:process { noatsecure signal }; 15 16# Set UID and GID to shell. Set supplementary groups. 17allow adbd self:capability { setuid setgid }; 18 19# Drop capabilities from bounding set on user builds. 20allow adbd self:capability setpcap; 21 22# Create and use network sockets. 23net_domain(adbd) 24 25# Access /dev/android_adb or /dev/usb-ffs/adb/ep0 26allow adbd adb_device:chr_file rw_file_perms; 27allow adbd functionfs:dir search; 28allow adbd functionfs:file rw_file_perms; 29 30# Use a pseudo tty. 31allow adbd devpts:chr_file rw_file_perms; 32 33# adb push/pull /data/local/tmp. 34allow adbd shell_data_file:dir create_dir_perms; 35allow adbd shell_data_file:file create_file_perms; 36 37# adb pull /data/misc/profman. 38allow adbd profman_dump_data_file:dir r_dir_perms; 39allow adbd profman_dump_data_file:file r_file_perms; 40 41# adb push/pull sdcard. 42allow adbd tmpfs:dir search; 43allow adbd rootfs:lnk_file r_file_perms; # /sdcard symlink 44allow adbd tmpfs:lnk_file r_file_perms; # /mnt/sdcard symlink 45allow adbd sdcard_type:dir create_dir_perms; 46allow adbd sdcard_type:file create_file_perms; 47 48# adb pull /data/anr/traces.txt 49allow adbd anr_data_file:dir r_dir_perms; 50allow adbd anr_data_file:file r_file_perms; 51 52# Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties. 53set_prop(adbd, shell_prop) 54set_prop(adbd, powerctl_prop) 55set_prop(adbd, ffs_prop) 56 57# Access device logging gating property 58get_prop(adbd, device_logging_prop) 59 60# Run /system/bin/bu 61allow adbd system_file:file rx_file_perms; 62 63# Perform binder IPC to surfaceflinger (screencap) 64# XXX Run screencap in a separate domain? 65binder_use(adbd) 66binder_call(adbd, surfaceflinger) 67# b/13188914 68allow adbd gpu_device:chr_file rw_file_perms; 69allow adbd ion_device:chr_file rw_file_perms; 70r_dir_file(adbd, system_file) 71 72# Read /data/misc/adb/adb_keys. 73allow adbd adb_keys_file:dir search; 74allow adbd adb_keys_file:file r_file_perms; 75 76userdebug_or_eng(` 77 # Write debugging information to /data/adb 78 # when persist.adb.trace_mask is set 79 # https://code.google.com/p/android/issues/detail?id=72895 80 allow adbd adb_data_file:dir rw_dir_perms; 81 allow adbd adb_data_file:file create_file_perms; 82') 83 84# ndk-gdb invokes adb forward to forward the gdbserver socket. 85allow adbd { app_data_file autoplay_data_file }:dir search; 86allow adbd { app_data_file autoplay_data_file }:sock_file write; 87allow adbd { appdomain autoplay_app }:unix_stream_socket connectto; 88 89# ndk-gdb invokes adb pull of app_process, linker, and libc.so. 90allow adbd zygote_exec:file r_file_perms; 91allow adbd system_file:file r_file_perms; 92 93# Allow pulling the SELinux policy for CTS purposes 94allow adbd selinuxfs:dir r_dir_perms; 95allow adbd selinuxfs:file r_file_perms; 96allow adbd kernel:security read_policy; 97 98allow adbd surfaceflinger_service:service_manager find; 99allow adbd bootchart_data_file:dir search; 100allow adbd bootchart_data_file:file r_file_perms; 101 102# Allow access to external storage; we have several visible mount points under /storage 103# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary 104allow adbd storage_file:dir r_dir_perms; 105allow adbd storage_file:lnk_file r_file_perms; 106allow adbd mnt_user_file:dir r_dir_perms; 107allow adbd mnt_user_file:lnk_file r_file_perms; 108 109# Access to /data/media. 110# This should be removed if sdcardfs is modified to alter the secontext for its 111# accesses to the underlying FS. 112allow adbd media_rw_data_file:dir create_dir_perms; 113allow adbd media_rw_data_file:file create_file_perms; 114