1### ADB daemon 2 3typeattribute adbd coredomain; 4typeattribute adbd mlstrustedsubject; 5 6init_daemon_domain(adbd) 7 8domain_auto_trans(adbd, shell_exec, shell) 9 10userdebug_or_eng(` 11 allow adbd self:process setcurrent; 12 allow adbd su:process dyntransition; 13') 14 15# When 'adb shell' is executed in recovery mode, adbd explicitly 16# switches into shell domain using setcon() because the shell executable 17# is not labeled as shell but as rootfs. 18recovery_only(` 19 domain_trans(adbd, rootfs, shell) 20 allow adbd shell:process dyntransition; 21 22 # Allows reboot fastboot to enter fastboot directly 23 unix_socket_connect(adbd, recovery, recovery) 24') 25 26# Control Perfetto traced and obtain traces from it. 27# Needed to allow port forwarding directly to traced. 28unix_socket_connect(adbd, traced_consumer, traced) 29 30# Do not sanitize the environment or open fds of the shell. Allow signaling 31# created processes. 32allow adbd shell:process { noatsecure signal }; 33 34# Set UID and GID to shell. Set supplementary groups. 35allow adbd self:global_capability_class_set { setuid setgid }; 36 37# Drop capabilities from bounding set on user builds. 38allow adbd self:global_capability_class_set setpcap; 39 40# ignore spurious denials for adbd when disk space is low. 41dontaudit adbd self:global_capability_class_set sys_resource; 42 43# adbd probes for vsock support. Do not generate denials when 44# this occurs. (b/123569840) 45dontaudit adbd self:{ socket vsock_socket } create; 46 47# Allow adbd inside vm to forward vm's vsock. 48allow adbd self:vsock_socket { create_socket_perms_no_ioctl listen accept }; 49 50# Create and use network sockets. 51net_domain(adbd) 52 53# Access /dev/usb-ffs/adb/ep0 54allow adbd functionfs:dir search; 55allow adbd functionfs:file rw_file_perms; 56allowxperm adbd functionfs:file ioctl { 57 FUNCTIONFS_ENDPOINT_DESC 58 FUNCTIONFS_CLEAR_HALT 59}; 60 61# Use a pseudo tty. 62allow adbd devpts:chr_file rw_file_perms; 63 64# adb push/pull /data/local/tmp. 65allow adbd shell_data_file:dir create_dir_perms; 66allow adbd shell_data_file:file create_file_perms; 67 68# adb pull /data/local/traces/* 69allow adbd trace_data_file:dir r_dir_perms; 70allow adbd trace_data_file:file r_file_perms; 71 72# adb pull /data/misc/profman. 73allow adbd profman_dump_data_file:dir r_dir_perms; 74allow adbd profman_dump_data_file:file r_file_perms; 75 76# adb push/pull sdcard. 77allow adbd tmpfs:dir search; 78allow adbd rootfs:lnk_file r_file_perms; # /sdcard symlink 79allow adbd tmpfs:lnk_file r_file_perms; # /mnt/sdcard symlink 80allow adbd { sdcard_type fuse }:dir create_dir_perms; 81allow adbd { sdcard_type fuse }:file create_file_perms; 82 83# adb pull /data/anr/traces.txt 84allow adbd anr_data_file:dir r_dir_perms; 85allow adbd anr_data_file:file r_file_perms; 86 87# adb pull /vendor/framework/* 88allow adbd vendor_framework_file:dir r_dir_perms; 89allow adbd vendor_framework_file:file r_file_perms; 90 91# Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties. 92set_prop(adbd, shell_prop) 93set_prop(adbd, powerctl_prop) 94get_prop(adbd, ffs_config_prop) 95set_prop(adbd, ffs_control_prop) 96 97# Set service.adb.tcp.port, service.adb.tls.port, persist.adb.wifi.* properties 98set_prop(adbd, adbd_prop) 99set_prop(adbd, adbd_config_prop) 100 101# Allow adbd start/stop mdnsd via ctl.start 102set_prop(adbd, ctl_mdnsd_prop) 103 104# Access device logging gating property 105get_prop(adbd, device_logging_prop) 106 107# Read device's serial number from system properties 108get_prop(adbd, serialno_prop) 109 110# Read whether or not Test Harness Mode is enabled 111get_prop(adbd, test_harness_prop) 112 113# Read persist.adb.tls_server.enable property 114get_prop(adbd, system_adbd_prop) 115 116# Read device's overlayfs related properties and files 117userdebug_or_eng(` 118 get_prop(adbd, persistent_properties_ready_prop) 119 r_dir_file(adbd, sysfs_dt_firmware_android) 120') 121 122# Run /system/bin/bu 123allow adbd system_file:file rx_file_perms; 124 125# Perform binder IPC to surfaceflinger (screencap) 126# XXX Run screencap in a separate domain? 127binder_use(adbd) 128binder_call(adbd, surfaceflinger) 129binder_call(adbd, gpuservice) 130# b/13188914 131allow adbd gpu_device:chr_file rw_file_perms; 132allow adbd gpu_device:dir r_dir_perms; 133allow adbd ion_device:chr_file rw_file_perms; 134r_dir_file(adbd, system_file) 135 136# Needed for various screenshots 137hal_client_domain(adbd, hal_graphics_allocator) 138 139# Read /data/misc/adb/adb_keys. 140allow adbd adb_keys_file:dir search; 141allow adbd adb_keys_file:file r_file_perms; 142 143userdebug_or_eng(` 144 # Write debugging information to /data/adb 145 # when persist.adb.trace_mask is set 146 # https://code.google.com/p/android/issues/detail?id=72895 147 allow adbd adb_data_file:dir rw_dir_perms; 148 allow adbd adb_data_file:file create_file_perms; 149') 150 151# ndk-gdb invokes adb forward to forward the gdbserver socket. 152allow adbd app_data_file:dir search; 153allow adbd app_data_file:sock_file write; 154allow adbd appdomain:unix_stream_socket connectto; 155 156# ndk-gdb invokes adb pull of app_process, linker, and libc.so. 157allow adbd zygote_exec:file r_file_perms; 158allow adbd system_file:file r_file_perms; 159 160# Allow pulling the SELinux policy for CTS purposes 161allow adbd selinuxfs:dir r_dir_perms; 162allow adbd selinuxfs:file r_file_perms; 163allow adbd kernel:security read_policy; 164allow adbd service_contexts_file:file r_file_perms; 165allow adbd file_contexts_file:file r_file_perms; 166allow adbd seapp_contexts_file:file r_file_perms; 167allow adbd property_contexts_file:file r_file_perms; 168allow adbd sepolicy_file:file r_file_perms; 169 170# Allow pulling config.gz for CTS purposes 171allow adbd config_gz:file r_file_perms; 172 173# For CTS listening ports test. 174allow adbd proc_net_tcp_udp:file r_file_perms; 175 176allow adbd gpu_service:service_manager find; 177allow adbd surfaceflinger_service:service_manager find; 178allow adbd bootchart_data_file:dir search; 179allow adbd bootchart_data_file:file r_file_perms; 180 181# Allow access to external storage; we have several visible mount points under /storage 182# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary 183allow adbd storage_file:dir r_dir_perms; 184allow adbd storage_file:lnk_file r_file_perms; 185allow adbd mnt_user_file:dir r_dir_perms; 186allow adbd mnt_user_file:lnk_file r_file_perms; 187 188# Access to /data/media. 189# This should be removed if sdcardfs is modified to alter the secontext for its 190# accesses to the underlying FS. 191allow adbd media_rw_data_file:dir create_dir_perms; 192allow adbd media_rw_data_file:file create_file_perms; 193 194r_dir_file(adbd, apk_data_file) 195 196allow adbd rootfs:dir r_dir_perms; 197 198# Allow killing child "perfetto" binary processes, which auto-transition to 199# their own domain. Allows propagating termination of "adb shell perfetto ..." 200# invocations. 201allow adbd perfetto:process signal; 202 203# Allow to pull Perfetto traces. 204allow adbd perfetto_traces_data_file:file r_file_perms; 205allow adbd perfetto_traces_data_file:dir r_dir_perms; 206 207# Allow to push and manage configs in /data/misc/perfetto-configs. 208allow adbd perfetto_configs_data_file:dir rw_dir_perms; 209allow adbd perfetto_configs_data_file:file create_file_perms; 210 211# Connect to shell and use a socket transferred from it. 212# Used for e.g. abb. 213allow adbd shell:unix_stream_socket { read write shutdown }; 214allow adbd shell:fd use; 215 216# Allow pull /vendor/apex files for CTS tests 217allow adbd vendor_apex_file:dir search; 218allow adbd vendor_apex_file:file r_file_perms; 219 220# Allow adb pull of updated apex files in /data/apex/active. 221allow adbd apex_data_file:dir search; 222allow adbd staging_data_file:file r_file_perms; 223 224# Allow adbd to pull /apex/apex-info-list.xml for CTS tests. 225allow adbd apex_info_file:file r_file_perms; 226 227### 228### Neverallow rules 229### 230 231# No transitions from adbd to non-shell, non-crash_dump domains. adbd only ever 232# transitions to the shell domain (except when it crashes). In particular, we 233# never want to see a transition from adbd to su (aka "adb root") 234neverallow adbd { domain -crash_dump -shell }:process transition; 235neverallow adbd { domain userdebug_or_eng(`-su') recovery_only(`-shell') }:process dyntransition; 236