### ADB daemon
#
# SELinux policy for adbd, the on-device ADB daemon. Rules are grouped by the
# adb feature they serve. The neverallow block at the end of this file pins
# which domains adbd may ever transition into and which domains may enter adbd;
# every allow rule above it has to stay inside those bounds or the policy
# fails to build.

typeattribute adbd coredomain;
# mlstrustedsubject exempts adbd from MLS constraints (it serves files that
# belong to every user level). adbd_common is presumably the attribute shared
# with the adbd_tradeinmode domain referenced below -- confirm in its .te file.
typeattribute adbd mlstrustedsubject;
typeattribute adbd adbd_common;

# Started by init. init is the only domain that may exec() into adbd (enforced
# by the neverallow rules at the bottom).
init_daemon_domain(adbd)

# Executing a shell_exec-labeled binary from adbd transitions into the shell
# domain, so 'adb shell' commands run as shell rather than as adbd.
domain_auto_trans(adbd, shell_exec, shell)

# Allow adb to setcon() to tradeinmode.
# setcurrent only grants "may change own context"; the reachable targets are
# the dyntransition rules below, which are mirrored one-for-one by the
# dyntransition neverallow at the end of this file.
allow adbd self:process setcurrent;
allow adbd adbd_tradeinmode:process dyntransition;

# 'adb root' (setcon to su) exists only on userdebug/eng builds. User builds
# get no such rule, and the neverallow at the bottom rejects one at build time.
userdebug_or_eng(`
  allow adbd su:process dyntransition;
')

# When 'adb shell' is executed in recovery mode, adbd explicitly
# switches into shell domain using setcon() because the shell executable
# is not labeled as shell but as rootfs.
recovery_only(`
  domain_trans(adbd, rootfs, shell)
  allow adbd shell:process dyntransition;

  # Allows reboot fastboot to enter fastboot directly
  unix_socket_connect(adbd, recovery, recovery)
')

# Control Perfetto traced and obtain traces from it.
# Needed to allow port forwarding directly to traced.
unix_socket_connect(adbd, traced_consumer, traced)

# Do not sanitize the environment or open fds of the shell. Allow signaling
# created processes.
allow adbd shell:process { noatsecure signal };

# Set UID and GID to shell. Set supplementary groups.
allow adbd self:global_capability_class_set { setuid setgid };

# Drop capabilities from bounding set on user builds.
allow adbd self:global_capability_class_set setpcap;

# Ignore spurious denials for adbd when disk space is low.
dontaudit adbd self:global_capability_class_set sys_resource;

# Create and use network sockets.
net_domain(adbd)
# Access /dev/usb-ffs/adb/ep0
allow adbd functionfs:dir search;
allow adbd functionfs:file rw_file_perms;
# ioctl on the endpoint files is allowlisted to exactly these two commands;
# any other ioctl request on functionfs is denied.
allowxperm adbd functionfs:file ioctl {
  FUNCTIONFS_ENDPOINT_DESC
  FUNCTIONFS_CLEAR_HALT
};

# adb pull /data/local/traces/*
allow adbd trace_data_file:dir r_dir_perms;
allow adbd trace_data_file:file r_file_perms;

# adb pull /data/misc/profman.
allow adbd profman_dump_data_file:dir r_dir_perms;
allow adbd profman_dump_data_file:file r_file_perms;

# adb push/pull sdcard.
allow adbd tmpfs:dir search;
allow adbd rootfs:lnk_file r_file_perms; # /sdcard symlink
allow adbd tmpfs:lnk_file r_file_perms; # /mnt/sdcard symlink
allow adbd { sdcard_type fuse }:dir create_dir_perms;
allow adbd { sdcard_type fuse }:file create_file_perms;

# adb pull /data/anr/traces.txt
allow adbd anr_data_file:dir r_dir_perms;
allow adbd anr_data_file:file r_file_perms;

# adb pull /vendor/framework/*
allow adbd vendor_framework_file:dir r_dir_perms;
allow adbd vendor_framework_file:file r_file_perms;

# Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
# NOTE(review): powerctl_prop (sys.powerctl) is the reboot/shutdown trigger
# handled by init, so it is the privileged write in this group; ffs_config_prop
# is read-only here.
set_prop(adbd, shell_prop)
set_prop(adbd, powerctl_prop)
get_prop(adbd, ffs_config_prop)
set_prop(adbd, ffs_control_prop)
set_prop(adbd, adbd_tradeinmode_prop)

# Allow adbd to start/stop mdnsd via ctl.start
set_prop(adbd, ctl_mdnsd_prop)

# Read the device's overlayfs related properties and files (debug builds only).
userdebug_or_eng(`
  get_prop(adbd, persistent_properties_ready_prop)
  r_dir_file(adbd, sysfs_dt_firmware_android)
')

# Run /system/bin/bu
allow adbd system_file:file rx_file_perms;

# Perform binder IPC to surfaceflinger (screencap)
# XXX Run screencap in a separate domain?
binder_use(adbd)
binder_call(adbd, surfaceflinger)
binder_call(adbd, gpuservice)
# b/13188914
allow adbd gpu_device:chr_file rw_file_perms;
allow adbd gpu_device:dir r_dir_perms;
allow adbd ion_device:chr_file rw_file_perms;
r_dir_file(adbd, system_file)

# Needed for various screenshots
hal_client_domain(adbd, hal_graphics_allocator)

# Read /data/misc/adb/adb_keys (the authorized-key list used for adb auth).
# Read-only: nothing in this file lets adbd modify the key list.
allow adbd adb_keys_file:dir search;
allow adbd adb_keys_file:file r_file_perms;

userdebug_or_eng(`
  # Write debugging information to /data/adb
  # when persist.adb.trace_mask is set
  # https://code.google.com/p/android/issues/detail?id=72895
  allow adbd adb_data_file:dir rw_dir_perms;
  allow adbd adb_data_file:file create_file_perms;
')

# ndk-gdb invokes adb forward to forward the gdbserver socket.
allow adbd app_data_file:dir search;
allow adbd app_data_file:sock_file write;
allow adbd appdomain:unix_stream_socket connectto;

# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
allow adbd zygote_exec:file r_file_perms;
allow adbd system_file:file r_file_perms;

# Allow pulling the SELinux policy for CTS purposes.
# read_policy is a read of the loaded policy; no load/enforce permissions here.
allow adbd selinuxfs:dir r_dir_perms;
allow adbd selinuxfs:file r_file_perms;
allow adbd kernel:security read_policy;
allow adbd service_contexts_file:file r_file_perms;
allow adbd file_contexts_file:file r_file_perms;
allow adbd seapp_contexts_file:file r_file_perms;
allow adbd property_contexts_file:file r_file_perms;
allow adbd sepolicy_file:file r_file_perms;

# Allow pulling config.gz for CTS purposes
allow adbd config_gz:file r_file_perms;

# For CTS listening ports test.
allow adbd proc_net_tcp_udp:file r_file_perms;

# Look up the gpu and surfaceflinger services in servicemanager (needed for
# the binder_call rules above).
allow adbd gpu_service:service_manager find;
allow adbd surfaceflinger_service:service_manager find;
# Read bootchart data, presumably for adb pull -- verify against the tooling.
allow adbd bootchart_data_file:dir search;
allow adbd bootchart_data_file:file r_file_perms;

# Allow access to external storage; we have several visible mount points under /storage
# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
allow adbd storage_file:dir r_dir_perms;
allow adbd storage_file:lnk_file r_file_perms;
allow adbd mnt_user_file:dir r_dir_perms;
allow adbd mnt_user_file:lnk_file r_file_perms;

# Access to /data/media.
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
allow adbd media_rw_data_file:dir create_dir_perms;
allow adbd media_rw_data_file:file create_file_perms;

# Read installed package files (apk_data_file), e.g. for adb pull.
r_dir_file(adbd, apk_data_file)

# List directories on the root filesystem.
allow adbd rootfs:dir r_dir_perms;

# Allow killing child "perfetto" binary processes, which auto-transition to
# their own domain. Allows propagating termination of "adb shell perfetto ..."
# invocations.
allow adbd perfetto:process signal;

# Allow pulling Perfetto traces.
allow adbd perfetto_traces_data_file:file r_file_perms;
allow adbd perfetto_traces_data_file:dir r_dir_perms;

# Allow pushing and managing configs in /data/misc/perfetto-configs.
allow adbd perfetto_configs_data_file:dir rw_dir_perms;
allow adbd perfetto_configs_data_file:file create_file_perms;

# Connect to shell and use a socket transferred from it.
# Used for e.g. abb.
allow adbd shell:unix_stream_socket { read write shutdown };
allow adbd shell:fd use;

# adb push/pull /data/local/tmp.
allow adbd shell_data_file:dir create_dir_perms;
allow adbd shell_data_file:file create_file_perms;

# Allow pulling /vendor/apex files for CTS tests
r_dir_file(adbd, vendor_apex_file)

# Allow adb pull of updated apex files in /data/apex/active.
allow adbd apex_data_file:dir search;
allow adbd staging_data_file:file r_file_perms;

# Allow adbd to pull /apex/apex-info-list.xml for CTS tests.
allow adbd apex_info_file:file r_file_perms;

# Allow reading tombstones. Users can already use bugreports to get those.
allow adbd tombstone_data_file:dir r_dir_perms;
allow adbd tombstone_data_file:file r_file_perms;

# Access /data/local/tests.
allow adbd shell_test_data_file:dir create_dir_perms;
allow adbd shell_test_data_file:file create_file_perms;
allow adbd shell_test_data_file:lnk_file create_file_perms;

###
### Neverallow rules
###

# No exec transitions from adbd except to shell, adbd_tradeinmode or crash_dump
# (the last only when adbd itself crashes). In particular, we never want to
# see a transition from adbd to su (aka "adb root").
neverallow adbd { domain -crash_dump -shell -adbd_tradeinmode }:process transition;
# setcon() targets are closed the same way and must match the dyntransition
# allow rules above: adbd_tradeinmode always; su only on userdebug/eng builds;
# shell only in recovery. On a user build adbd_tradeinmode is the sole target.
neverallow adbd {
  domain
  userdebug_or_eng(`-su')
  recovery_only(`-shell')
  -adbd_tradeinmode
}:process dyntransition;

# Only init is allowed to enter the adbd domain via exec(), and no domain at
# all may setcon() into adbd.
neverallow { domain -init } adbd:process transition;
neverallow * adbd:process dyntransition;