sepolicy/adbd.te - nest-cam/4320010/sepolicy - Git at Google

 # adbd seclabel is specified in init.rc since
 # it lives in the rootfs and has no unique file type.
 type adbd, domain, mlstrustedsubject;

 userdebug_or_eng(`
   allow adbd self:process setcurrent;
   allow adbd su:process dyntransition;
 ')

 domain_auto_trans(adbd, shell_exec, shell)

 # Do not sanitize the environment or open fds of the shell. Allow signaling
 # created processes.
 allow adbd shell:process { noatsecure signal };

 # Set UID and GID to shell.  Set supplementary groups.
 allow adbd self:capability { setuid setgid };

 # Drop capabilities from bounding set on user builds.
 allow adbd self:capability setpcap;

 # Create and use network sockets.
 net_domain(adbd)

 # Access /dev/android_adb or /dev/usb-ffs/adb/ep0
 allow adbd adb_device:chr_file rw_file_perms;
 allow adbd functionfs:dir search;
 allow adbd functionfs:file rw_file_perms;

 # Use a pseudo tty.
 allow adbd devpts:chr_file rw_file_perms;

 # adb push/pull /data/local/tmp.
 allow adbd shell_data_file:dir create_dir_perms;
 allow adbd shell_data_file:file create_file_perms;

 # adb push/pull sdcard.
 allow adbd tmpfs:dir search;
 allow adbd rootfs:lnk_file r_file_perms;
 allow adbd sdcard_type:dir create_dir_perms;
 allow adbd sdcard_type:file create_file_perms;

 # adb pull /data/anr/traces.txt
 allow adbd anr_data_file:dir r_dir_perms;
 allow adbd anr_data_file:file r_file_perms;

 # Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
 set_prop(adbd, shell_prop)
 set_prop(adbd, powerctl_prop)
 set_prop(adbd, ffs_prop)

 # Access device logging gating property
 get_prop(adbd, device_logging_prop)

 # Run /system/bin/bu
 allow adbd system_file:file rx_file_perms;

 # Perform binder IPC to surfaceflinger (screencap)
 # XXX Run screencap in a separate domain?
 binder_use(adbd)
 binder_call(adbd, surfaceflinger)
 # b/13188914
 allow adbd gpu_device:chr_file rw_file_perms;
 allow adbd ion_device:chr_file rw_file_perms;
 r_dir_file(adbd, system_file)

 # Read /data/misc/adb/adb_keys.
 allow adbd adb_keys_file:dir search;
 allow adbd adb_keys_file:file r_file_perms;

 userdebug_or_eng(`
   # Write debugging information to /data/adb
   # when persist.adb.trace_mask is set
   # https://code.google.com/p/android/issues/detail?id=72895
   allow adbd adb_data_file:dir rw_dir_perms;
   allow adbd adb_data_file:file create_file_perms;
 ')

 # ndk-gdb invokes adb forward to forward the gdbserver socket.
 allow adbd app_data_file:dir search;
 allow adbd app_data_file:sock_file write;
 allow adbd appdomain:unix_stream_socket connectto;

 # ndk-gdb invokes adb pull of app_process, linker, and libc.so.
 allow adbd zygote_exec:file r_file_perms;
 allow adbd system_file:file r_file_perms;

 # Allow pulling the SELinux policy for CTS purposes
 allow adbd selinuxfs:dir r_dir_perms;
 allow adbd selinuxfs:file r_file_perms;
 allow adbd kernel:security read_policy;

 allow adbd surfaceflinger_service:service_manager find;
 allow adbd bootchart_data_file:dir search;
 allow adbd bootchart_data_file:file r_file_perms;

 # Allow access to external storage; we have several visible mount points under /storage
 # and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
 allow adbd storage_file:dir r_dir_perms;
 allow adbd storage_file:lnk_file r_file_perms;
 allow adbd mnt_user_file:dir r_dir_perms;
 allow adbd mnt_user_file:lnk_file r_file_perms;

 r_dir_file(adbd, apk_data_file)

 allow adbd rootfs:dir r_dir_perms;

 ###
 ### Neverallow rules
 ###

 # No transitions from adbd to non-shell domains. adbd only ever
 # transitions to the shell domain. In particular, we never want
 # to see a transition from adbd to su (aka "adb root")
 neverallow adbd { domain -shell }:process transition;
 neverallow adbd { domain -su }:process dyntransition;
	# adbd seclabel is specified in init.rc since
	# it lives in the rootfs and has no unique file type.
	type adbd, domain, mlstrustedsubject;

	userdebug_or_eng(`
	allow adbd self:process setcurrent;
	allow adbd su:process dyntransition;
	')

	domain_auto_trans(adbd, shell_exec, shell)

	# Do not sanitize the environment or open fds of the shell. Allow signaling
	# created processes.
	allow adbd shell:process { noatsecure signal };

	# Set UID and GID to shell. Set supplementary groups.
	allow adbd self:capability { setuid setgid };

	# Drop capabilities from bounding set on user builds.
	allow adbd self:capability setpcap;

	# Create and use network sockets.
	net_domain(adbd)

	# Access /dev/android_adb or /dev/usb-ffs/adb/ep0
	allow adbd adb_device:chr_file rw_file_perms;
	allow adbd functionfs:dir search;
	allow adbd functionfs:file rw_file_perms;

	# Use a pseudo tty.
	allow adbd devpts:chr_file rw_file_perms;

	# adb push/pull /data/local/tmp.
	allow adbd shell_data_file:dir create_dir_perms;
	allow adbd shell_data_file:file create_file_perms;

	# adb push/pull sdcard.
	allow adbd tmpfs:dir search;
	allow adbd rootfs:lnk_file r_file_perms;
	allow adbd sdcard_type:dir create_dir_perms;
	allow adbd sdcard_type:file create_file_perms;

	# adb pull /data/anr/traces.txt
	allow adbd anr_data_file:dir r_dir_perms;
	allow adbd anr_data_file:file r_file_perms;

	# Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
	set_prop(adbd, shell_prop)
	set_prop(adbd, powerctl_prop)
	set_prop(adbd, ffs_prop)

	# Access device logging gating property
	get_prop(adbd, device_logging_prop)

	# Run /system/bin/bu
	allow adbd system_file:file rx_file_perms;

	# Perform binder IPC to surfaceflinger (screencap)
	# XXX Run screencap in a separate domain?
	binder_use(adbd)
	binder_call(adbd, surfaceflinger)
	# b/13188914
	allow adbd gpu_device:chr_file rw_file_perms;
	allow adbd ion_device:chr_file rw_file_perms;
	r_dir_file(adbd, system_file)

	# Read /data/misc/adb/adb_keys.
	allow adbd adb_keys_file:dir search;
	allow adbd adb_keys_file:file r_file_perms;

	userdebug_or_eng(`
	# Write debugging information to /data/adb
	# when persist.adb.trace_mask is set
	# https://code.google.com/p/android/issues/detail?id=72895
	allow adbd adb_data_file:dir rw_dir_perms;
	allow adbd adb_data_file:file create_file_perms;
	')

	# ndk-gdb invokes adb forward to forward the gdbserver socket.
	allow adbd app_data_file:dir search;
	allow adbd app_data_file:sock_file write;
	allow adbd appdomain:unix_stream_socket connectto;

	# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
	allow adbd zygote_exec:file r_file_perms;
	allow adbd system_file:file r_file_perms;

	# Allow pulling the SELinux policy for CTS purposes
	allow adbd selinuxfs:dir r_dir_perms;
	allow adbd selinuxfs:file r_file_perms;
	allow adbd kernel:security read_policy;

	allow adbd surfaceflinger_service:service_manager find;
	allow adbd bootchart_data_file:dir search;
	allow adbd bootchart_data_file:file r_file_perms;

	# Allow access to external storage; we have several visible mount points under /storage
	# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
	allow adbd storage_file:dir r_dir_perms;
	allow adbd storage_file:lnk_file r_file_perms;
	allow adbd mnt_user_file:dir r_dir_perms;
	allow adbd mnt_user_file:lnk_file r_file_perms;

	r_dir_file(adbd, apk_data_file)

	allow adbd rootfs:dir r_dir_perms;

	###
	### Neverallow rules
	###

	# No transitions from adbd to non-shell domains. adbd only ever
	# transitions to the shell domain. In particular, we never want
	# to see a transition from adbd to su (aka "adb root")
	neverallow adbd { domain -shell }:process transition;
	neverallow adbd { domain -su }:process dyntransition;