xref: /aosp_15_r20/system/sepolicy/private/adbd.te (revision e4a36f4174b17bbab9dc043f4a65dc8d87377290)

### ADB daemon

typeattribute adbd coredomain;
typeattribute adbd mlstrustedsubject;
typeattribute adbd adbd_common;

init_daemon_domain(adbd)

domain_auto_trans(adbd, shell_exec, shell)

# Allow adb to setcon() to tradeinmode.
allow adbd self:process setcurrent;
allow adbd adbd_tradeinmode:process dyntransition;

userdebug_or_eng(`
  allow adbd su:process dyntransition;
')

# When 'adb shell' is executed in recovery mode, adbd explicitly
# switches into shell domain using setcon() because the shell executable
# is not labeled as shell but as rootfs.
recovery_only(`
  domain_trans(adbd, rootfs, shell)
  allow adbd shell:process dyntransition;

  # Allows reboot fastboot to enter fastboot directly
  unix_socket_connect(adbd, recovery, recovery)
')

# Control Perfetto traced and obtain traces from it.
# Needed to allow port forwarding directly to traced.
unix_socket_connect(adbd, traced_consumer, traced)

# Do not sanitize the environment or open fds of the shell. Allow signaling
# created processes.
allow adbd shell:process { noatsecure signal };

# Set UID and GID to shell.  Set supplementary groups.
allow adbd self:global_capability_class_set { setuid setgid };

# Drop capabilities from bounding set on user builds.
allow adbd self:global_capability_class_set setpcap;

# ignore spurious denials for adbd when disk space is low.
dontaudit adbd self:global_capability_class_set sys_resource;

# Create and use network sockets.
net_domain(adbd)
# Access /dev/usb-ffs/adb/ep0
allow adbd functionfs:dir search;
allow adbd functionfs:file rw_file_perms;
allowxperm adbd functionfs:file ioctl {
  FUNCTIONFS_ENDPOINT_DESC
  FUNCTIONFS_CLEAR_HALT
};

# adb pull /data/local/traces/*
allow adbd trace_data_file:dir r_dir_perms;
allow adbd trace_data_file:file r_file_perms;

# adb pull /data/misc/profman.
allow adbd profman_dump_data_file:dir r_dir_perms;
allow adbd profman_dump_data_file:file r_file_perms;

# adb push/pull sdcard.
allow adbd tmpfs:dir search;
allow adbd rootfs:lnk_file r_file_perms;  # /sdcard symlink
allow adbd tmpfs:lnk_file r_file_perms;   # /mnt/sdcard symlink
allow adbd { sdcard_type fuse }:dir create_dir_perms;
allow adbd { sdcard_type fuse }:file create_file_perms;

# adb pull /data/anr/traces.txt
allow adbd anr_data_file:dir r_dir_perms;
allow adbd anr_data_file:file r_file_perms;

# adb pull /vendor/framework/*
allow adbd vendor_framework_file:dir r_dir_perms;
allow adbd vendor_framework_file:file r_file_perms;

# Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
set_prop(adbd, shell_prop)
set_prop(adbd, powerctl_prop)
get_prop(adbd, ffs_config_prop)
set_prop(adbd, ffs_control_prop)
set_prop(adbd, adbd_tradeinmode_prop)

# Allow adbd start/stop mdnsd via ctl.start
set_prop(adbd, ctl_mdnsd_prop)

# Read device's overlayfs related properties and files
userdebug_or_eng(`
  get_prop(adbd, persistent_properties_ready_prop)
  r_dir_file(adbd, sysfs_dt_firmware_android)
')

# Run /system/bin/bu
allow adbd system_file:file rx_file_perms;

# Perform binder IPC to surfaceflinger (screencap)
# XXX Run screencap in a separate domain?
binder_use(adbd)
binder_call(adbd, surfaceflinger)
binder_call(adbd, gpuservice)
# b/13188914
allow adbd gpu_device:chr_file rw_file_perms;
allow adbd gpu_device:dir r_dir_perms;
allow adbd ion_device:chr_file rw_file_perms;
r_dir_file(adbd, system_file)

# Needed for various screenshots
hal_client_domain(adbd, hal_graphics_allocator)

# Read /data/misc/adb/adb_keys.
allow adbd adb_keys_file:dir search;
allow adbd adb_keys_file:file r_file_perms;

userdebug_or_eng(`
  # Write debugging information to /data/adb
  # when persist.adb.trace_mask is set
  # https://code.google.com/p/android/issues/detail?id=72895
  allow adbd adb_data_file:dir rw_dir_perms;
  allow adbd adb_data_file:file create_file_perms;
')

# ndk-gdb invokes adb forward to forward the gdbserver socket.
allow adbd app_data_file:dir search;
allow adbd app_data_file:sock_file write;
allow adbd appdomain:unix_stream_socket connectto;

# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
allow adbd zygote_exec:file r_file_perms;
allow adbd system_file:file r_file_perms;

# Allow pulling the SELinux policy for CTS purposes
allow adbd selinuxfs:dir r_dir_perms;
allow adbd selinuxfs:file r_file_perms;
allow adbd kernel:security read_policy;
allow adbd service_contexts_file:file r_file_perms;
allow adbd file_contexts_file:file r_file_perms;
allow adbd seapp_contexts_file:file r_file_perms;
allow adbd property_contexts_file:file r_file_perms;
allow adbd sepolicy_file:file r_file_perms;

# Allow pulling config.gz for CTS purposes
allow adbd config_gz:file r_file_perms;

# For CTS listening ports test.
allow adbd proc_net_tcp_udp:file r_file_perms;

allow adbd gpu_service:service_manager find;
allow adbd surfaceflinger_service:service_manager find;
allow adbd bootchart_data_file:dir search;
allow adbd bootchart_data_file:file r_file_perms;

# Allow access to external storage; we have several visible mount points under /storage
# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
allow adbd storage_file:dir r_dir_perms;
allow adbd storage_file:lnk_file r_file_perms;
allow adbd mnt_user_file:dir r_dir_perms;
allow adbd mnt_user_file:lnk_file r_file_perms;

# Access to /data/media.
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
allow adbd media_rw_data_file:dir create_dir_perms;
allow adbd media_rw_data_file:file create_file_perms;

r_dir_file(adbd, apk_data_file)

allow adbd rootfs:dir r_dir_perms;

# Allow killing child "perfetto" binary processes, which auto-transition to
# their own domain. Allows propagating termination of "adb shell perfetto ..."
# invocations.
allow adbd perfetto:process signal;

# Allow to pull Perfetto traces.
allow adbd perfetto_traces_data_file:file r_file_perms;
allow adbd perfetto_traces_data_file:dir r_dir_perms;

# Allow to push and manage configs in /data/misc/perfetto-configs.
allow adbd perfetto_configs_data_file:dir rw_dir_perms;
allow adbd perfetto_configs_data_file:file create_file_perms;

# Connect to shell and use a socket transferred from it.
# Used for e.g. abb.
allow adbd shell:unix_stream_socket { read write shutdown };
allow adbd shell:fd use;

# adb push/pull /data/local/tmp.
allow adbd shell_data_file:dir create_dir_perms;
allow adbd shell_data_file:file create_file_perms;

# Allow pull /vendor/apex files for CTS tests
r_dir_file(adbd, vendor_apex_file)

# Allow adb pull of updated apex files in /data/apex/active.
allow adbd apex_data_file:dir search;
allow adbd staging_data_file:file r_file_perms;

# Allow adbd to pull /apex/apex-info-list.xml for CTS tests.
allow adbd apex_info_file:file r_file_perms;

# allow reading tombstones. users can already use bugreports to get those.
allow adbd tombstone_data_file:dir r_dir_perms;
allow adbd tombstone_data_file:file r_file_perms;

# Access /data/local/tests.
allow adbd shell_test_data_file:dir create_dir_perms;
allow adbd shell_test_data_file:file create_file_perms;
allow adbd shell_test_data_file:lnk_file create_file_perms;

###
### Neverallow rules
###

# No transitions from adbd to non-shell, non-crash_dump domains. adbd only ever
# transitions to the shell or tradeinmode domain (except when it crashes). In
# particular, we never want to see a transition from adbd to su (aka "adb root")
neverallow adbd { domain -crash_dump -shell -adbd_tradeinmode }:process transition;
neverallow adbd {
    domain
    userdebug_or_eng(`-su')
    recovery_only(`-shell')
    -adbd_tradeinmode
}:process dyntransition;

# Only init is allowed to enter the adbd domain via exec()
neverallow { domain -init } adbd:process transition;
neverallow * adbd:process dyntransition;