Reduce the number of processes that can start adbd

This change makes it such that only init can start adbd directly. It
also introduces new rules for ctl.{start,stop,restart} properties such
that only usbd and recovery (and su, since it's permissive) can directly
ask init to start adbd.

Bug: 64720460
Test: adbd still runs
Test: /data/nativetest64/adbd_test/adbd_test
Test: python system/core/adb/test_adb.py
Test: "USB debugging" in System Settings still start/stop adbd
Test: Recovery menu still make the device show as "recovery" in adb
      devices
Test: "Apply update from ADB" in recovery menu still works
Change-Id: Iafcda8aa44e85129afcc958036b472d856fa1192

private/compat/26.0/26.0.cil

@@ -121,7 +121,7 @@
 (typeattributeset ctl_bootanim_prop_26_0 (ctl_bootanim_prop))
 (typeattributeset ctl_bugreport_prop_26_0 (ctl_bugreport_prop))
 (typeattributeset ctl_console_prop_26_0 (ctl_console_prop))
-(typeattributeset ctl_default_prop_26_0 (ctl_default_prop ctl_restart_prop ctl_start_prop ctl_stop_prop))
+(typeattributeset ctl_default_prop_26_0 (ctl_default_prop ctl_restart_prop ctl_start_prop ctl_stop_prop ctl_adbd_prop))
 (typeattributeset ctl_dumpstate_prop_26_0 (ctl_dumpstate_prop))
 (typeattributeset ctl_fuse_prop_26_0 (ctl_fuse_prop))
 (typeattributeset ctl_mdnsd_prop_26_0 (ctl_mdnsd_prop))

private/compat/27.0/27.0.cil

@@ -826,7 +826,7 @@
 (typeattributeset ctl_bootanim_prop_27_0 (ctl_bootanim_prop))
 (typeattributeset ctl_bugreport_prop_27_0 (ctl_bugreport_prop))
 (typeattributeset ctl_console_prop_27_0 (ctl_console_prop))
-(typeattributeset ctl_default_prop_27_0 (ctl_default_prop ctl_restart_prop ctl_start_prop ctl_stop_prop))
+(typeattributeset ctl_default_prop_27_0 (ctl_default_prop ctl_restart_prop ctl_start_prop ctl_stop_prop ctl_adbd_prop))
 (typeattributeset ctl_dumpstate_prop_27_0 (ctl_dumpstate_prop))
 (typeattributeset ctl_fuse_prop_27_0 (ctl_fuse_prop))
 (typeattributeset ctl_mdnsd_prop_27_0 (ctl_mdnsd_prop))

private/property_contexts

@@ -115,6 +115,11 @@ ctl.interface_start$    u:object_r:ctl_interface_start_prop:s0
 ctl.interface_stop$     u:object_r:ctl_interface_stop_prop:s0
 ctl.interface_restart$  u:object_r:ctl_interface_restart_prop:s0
 
+ # Restrict access to starting/stopping adbd
+ctl.start$adbd             u:object_r:ctl_adbd_prop:s0
+ctl.stop$adbd              u:object_r:ctl_adbd_prop:s0
+ctl.restart$adbd           u:object_r:ctl_adbd_prop:s0
+
 # NFC properties
 nfc.                    u:object_r:nfc_prop:s0
 

public/adbd.te

@@ -2,3 +2,7 @@
 # it lives in the rootfs and has no unique file type.
 type adbd, domain;
 type adbd_exec, exec_type, file_type;
+
+# Only init is allowed to enter the adbd domain via exec()
+neverallow { domain -init } adbd:process transition;
+neverallow * adbd:process dyntransition;

public/property.te

@@ -5,6 +5,7 @@ type bluetooth_prop, property_type;
 type bootloader_boot_reason_prop, property_type;
 type config_prop, property_type, core_property_type;
 type cppreopt_prop, property_type, core_property_type;
+type ctl_adbd_prop, property_type;
 type ctl_bootanim_prop, property_type;
 type ctl_bugreport_prop, property_type;
 type ctl_console_prop, property_type;
@@ -327,6 +328,7 @@ compatible_property_only(`
     -boottime_prop
     -config_prop
     -cppreopt_prop
+    -ctl_adbd_prop
     -ctl_bootanim_prop
     -ctl_bugreport_prop
     -ctl_console_prop

public/recovery.te

@@ -109,7 +109,7 @@ recovery_only(`
   set_prop(recovery, powerctl_prop)
 
   # Start/stop adbd via ctl.start adbd
-  set_prop(recovery, ctl_default_prop)
+  set_prop(recovery, ctl_adbd_prop)
 
   # Read serial number of the device from system properties
   get_prop(recovery, serialno_prop)

public/usbd.te

@@ -1,3 +1,5 @@
 type usbd, domain;
 type usbd_exec, exec_type, file_type;
 
+# Start/stop adbd via ctl.start adbd
+set_prop(usbd, ctl_adbd_prop)