Adb root is supported in Microdroid on user builds
In Android, adb root is disabled at build time by not compiling the sepolicy rules that allow adbd to run in the `su` domain. However, in Microdroid adb root should be supported even on user builds, because fully-debuggable VMs can be started on them and adb root is expected to work there. Note that adb root is still unavailable in non-debuggable VMs, because adbd is not started there at all. This change removes the `userdebug_or_eng` conditions from the policies for adb root. In addition, the `su` domain, which adbd runs in when rooted, is explicitly listed as a domain that is allowed to be permissive on user builds. Bug: 259729287 Test: build a user variant, run fully debuggable microdroid VM. adb root works there. Test: run non-debuggable microdroid VM. adb shell (not even adb root) doesn't work. Change-Id: I8bb40b7472dcda6619a587e832e22d3cb290c6b9
This commit is contained in:
parent
ef56721555
commit
c99fde9178
4 changed files with 49 additions and 44 deletions
|
@ -241,6 +241,11 @@ se_policy_binary {
|
|||
":microdroid_vendor_sepolicy.cil",
|
||||
],
|
||||
installable: false,
|
||||
|
||||
// b/259729287. In Microdroid, su is allowed to be in permissive mode.
|
||||
// This is to support fully debuggable VMs on user builds. This is safe
|
||||
// because we don't start adbd at all on non-debuggable VMs.
|
||||
permissive_domains_on_user_builds: ["su"],
|
||||
}
|
||||
|
||||
genrule {
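Review bot: The safety comment above `permissive_domains_on_user_builds: ["su"]` states only half of the argument: `su` being permissive on a user build is acceptable because adbd is not started on non-debuggable VMs and because policy lets no domain other than adbd enter `su` (the `neverallow {domain -adbd} su:process { transition dyntransition };` rule added in adbd.te). Suggest extending the comment with `// and because adbd.te neverallows any domain other than adbd from transitioning into su.` The first half of that argument is, as far as the diff shows, a runtime decision made from sysprops rather than something policy enforces, so it may be worth saying so explicitly, since a VM that is mislabelled as debuggable would get a fully permissive root domain.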
|
||||
|
|
|
@ -4,10 +4,12 @@ init_daemon_domain(adbd)
|
|||
|
||||
domain_auto_trans(adbd, shell_exec, shell)
|
||||
|
||||
userdebug_or_eng(`
|
||||
allow adbd self:process setcurrent;
|
||||
allow adbd su:process dyntransition;
|
||||
')
|
||||
# Allow adbd to transition to su. In Android, this is disallowed in user builds.
|
||||
# However, Microdroid allows it even in user builds because apps should be able
|
||||
# to adb root into their "debuggable" VMs in user builds. Disabling adbd for
|
||||
# non debuggable VMs are done by not starting adbd at all using sysprops.
|
||||
allow adbd self:process setcurrent;
|
||||
allow adbd su:process dyntransition;
|
||||
|
||||
# Do not sanitize the environment or open fds of the shell. Allow signaling
|
||||
# created processes.
|
||||
|
@ -55,3 +57,6 @@ allow adbd kernel:security read_policy;
|
|||
# adbd tries to run mdnsd, but mdnsd doesn't exist. Just dontaudit ctl permissions.
|
||||
# TODO(b/200902288): patch adb and remove this rule
|
||||
dontaudit adbd { ctl_default_prop ctl_start_prop }:property_service set;
|
||||
|
||||
# only adbd can transition to su.
|
||||
neverallow {domain -adbd} su:process { transition dyntransition };
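Review bot: The comment on the new `neverallow {domain -adbd} su:process { transition dyntransition };` should record why the rule matters now: with `permissive su;` no longer wrapped in `userdebug_or_eng`, this neverallow is the only policy-level guarantee that the root domain is reachable solely through adbd, which the commit message says is not started on non-debuggable VMs. Suggest `# Only adbd may enter su. su is permissive on every build variant, so this neverallow is what keeps the root domain reachable only via adb root.` In the earlier hunk, the sentence `Disabling adbd for non debuggable VMs are done by not starting adbd at all using sysprops.` should read `is done`.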
|
||||
|
|
|
@ -1,7 +1,4 @@
|
|||
userdebug_or_eng(`
|
||||
typeattribute su coredomain;
|
||||
typeattribute su coredomain;
|
||||
|
||||
# su is also permissive to permit setenforce.
|
||||
permissive su;
|
||||
|
||||
')
|
||||
# su is also permissive to permit setenforce.
|
||||
permissive su;
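Review bot: `permissive su;` now applies on user builds as well, but the comment still only mentions setenforce and does not say what makes an unconditionally permissive domain acceptable there. Presumably the `permissive_domains_on_user_builds: ["su"]` entry in Android.bp is what lets the user-build policy pass with this line present, and the adbd.te neverallow is what limits who can reach `su`; the comment should point at both. Suggest `# su is also permissive to permit setenforce. This holds on user builds too: see permissive_domains_on_user_builds in Android.bp, and the neverallow in adbd.te that restricts entry into su to adbd.`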
|
||||
|
|
|
@ -2,40 +2,38 @@
|
|||
# after performing an adb root command.
|
||||
|
||||
# All types must be defined regardless of build variant to ensure
|
||||
# policy compilation succeeds with userdebug/user combination at boot
|
||||
# that adb root works on debuggable VMs even for user builds.
|
||||
type su, domain;
|
||||
|
||||
userdebug_or_eng(`
|
||||
# Add su to various domains
|
||||
net_domain(su)
|
||||
# Add su to various domains
|
||||
net_domain(su)
|
||||
|
||||
dontaudit su self:capability_class_set *;
|
||||
dontaudit su self:capability2 *;
|
||||
dontaudit su kernel:security *;
|
||||
dontaudit su { kernel file_type }:system *;
|
||||
dontaudit su self:memprotect *;
|
||||
dontaudit su domain:{ process process2 } *;
|
||||
dontaudit su domain:fd *;
|
||||
dontaudit su domain:dir *;
|
||||
dontaudit su domain:lnk_file *;
|
||||
dontaudit su domain:{ fifo_file file } *;
|
||||
dontaudit su domain:socket_class_set *;
|
||||
dontaudit su domain:ipc_class_set *;
|
||||
dontaudit su domain:key *;
|
||||
dontaudit su fs_type:filesystem *;
|
||||
dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
|
||||
dontaudit su node_type:node *;
|
||||
dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
|
||||
dontaudit su netif_type:netif *;
|
||||
dontaudit su port_type:socket_class_set *;
|
||||
dontaudit su port_type:{ tcp_socket dccp_socket } *;
|
||||
dontaudit su domain:peer *;
|
||||
dontaudit su domain:binder *;
|
||||
dontaudit su property_type:property_service *;
|
||||
dontaudit su property_type:file *;
|
||||
dontaudit su domain:drmservice *;
|
||||
dontaudit su unlabeled:filesystem *;
|
||||
dontaudit su domain:bpf *;
|
||||
dontaudit su unlabeled:vsock_socket *;
|
||||
dontaudit su self:perf_event *;
|
||||
')
|
||||
dontaudit su self:capability_class_set *;
|
||||
dontaudit su self:capability2 *;
|
||||
dontaudit su kernel:security *;
|
||||
dontaudit su { kernel file_type }:system *;
|
||||
dontaudit su self:memprotect *;
|
||||
dontaudit su domain:{ process process2 } *;
|
||||
dontaudit su domain:fd *;
|
||||
dontaudit su domain:dir *;
|
||||
dontaudit su domain:lnk_file *;
|
||||
dontaudit su domain:{ fifo_file file } *;
|
||||
dontaudit su domain:socket_class_set *;
|
||||
dontaudit su domain:ipc_class_set *;
|
||||
dontaudit su domain:key *;
|
||||
dontaudit su fs_type:filesystem *;
|
||||
dontaudit su {fs_type dev_type file_type}:dir_file_class_set *;
|
||||
dontaudit su node_type:node *;
|
||||
dontaudit su node_type:{ tcp_socket udp_socket rawip_socket } *;
|
||||
dontaudit su netif_type:netif *;
|
||||
dontaudit su port_type:socket_class_set *;
|
||||
dontaudit su port_type:{ tcp_socket dccp_socket } *;
|
||||
dontaudit su domain:peer *;
|
||||
dontaudit su domain:binder *;
|
||||
dontaudit su property_type:property_service *;
|
||||
dontaudit su property_type:file *;
|
||||
dontaudit su domain:drmservice *;
|
||||
dontaudit su unlabeled:filesystem *;
|
||||
dontaudit su domain:bpf *;
|
||||
dontaudit su unlabeled:vsock_socket *;
|
||||
dontaudit su self:perf_event *;
|
||||
|
|