tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/adbd.te
Rubin Xu 0c8286fe74 SELinux rule for ro.device_owner and persist.logd.security 
They are introduced for the device owner process logging feature.
That is, for enterprise-owned devices with device owner app provisioned,
the device owner may choose to turn on additional device-wide logging for
auditing and intrusion detection purposes. Logging includes histories of
app process startup, commands issued over ADB and lockscreen unlocking
attempts. These logs will available to the device owner for analysis,
potentially shipped to a remote server if it chooses to.

ro.device_owner will be a master switch to turn off logging, if the device
has no device owner provisioned. persist.logd.security is a switch that
device owner can toggle (via DevicePoliyManager) to enable/disable logging.
Writing to both properties should be only allowed by the system server.

Bug: 22860162
Change-Id: Iabfe2347b094914813b9d6e0c808877c25ccd038
2016-01-19 15:27:03 +00:00

102 lines
3.2 KiB
Text
Raw Blame History

# adbd seclabel is specified in init.rc since
# it lives in the rootfs and has no unique file type.
type adbd, domain, mlstrustedsubject;
userdebug_or_eng(`
allow adbd self:process setcurrent;
allow adbd su:process dyntransition;
')
domain_auto_trans(adbd, shell_exec, shell)
# Do not sanitize the environment or open fds of the shell. Allow signaling
# created processes.
allow adbd shell:process { noatsecure signal };
# Set UID and GID to shell. Set supplementary groups.
allow adbd self:capability { setuid setgid };
# Drop capabilities from bounding set on user builds.
allow adbd self:capability setpcap;
# Create and use network sockets.
net_domain(adbd)
# Access /dev/android_adb or /dev/usb-ffs/adb/ep0
allow adbd adb_device:chr_file rw_file_perms;
allow adbd functionfs:dir search;
allow adbd functionfs:file rw_file_perms;
# Use a pseudo tty.
allow adbd devpts:chr_file rw_file_perms;
# adb push/pull /data/local/tmp.
allow adbd shell_data_file:dir create_dir_perms;
allow adbd shell_data_file:file create_file_perms;
# adb push/pull sdcard.
allow adbd tmpfs:dir search;
allow adbd rootfs:lnk_file r_file_perms;
allow adbd sdcard_type:dir create_dir_perms;
allow adbd sdcard_type:file create_file_perms;
# adb pull /data/anr/traces.txt
allow adbd anr_data_file:dir r_dir_perms;
allow adbd anr_data_file:file r_file_perms;
# Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
set_prop(adbd, shell_prop)
set_prop(adbd, powerctl_prop)
set_prop(adbd, ffs_prop)
# Access device logging gating property
get_prop(adbd, device_logging_prop)
# Run /system/bin/bu
allow adbd system_file:file rx_file_perms;
# Perform binder IPC to surfaceflinger (screencap)
# XXX Run screencap in a separate domain?
binder_use(adbd)
binder_call(adbd, surfaceflinger)
# b/13188914
allow adbd gpu_device:chr_file rw_file_perms;
allow adbd ion_device:chr_file rw_file_perms;
r_dir_file(adbd, system_file)
# Read /data/misc/adb/adb_keys.
allow adbd adb_keys_file:dir search;
allow adbd adb_keys_file:file r_file_perms;
userdebug_or_eng(`
# Write debugging information to /data/adb
# when persist.adb.trace_mask is set
# https://code.google.com/p/android/issues/detail?id=72895
allow adbd adb_data_file:dir rw_dir_perms;
allow adbd adb_data_file:file create_file_perms;
')
# ndk-gdb invokes adb forward to forward the gdbserver socket.
allow adbd app_data_file:dir search;
allow adbd app_data_file:sock_file write;
allow adbd appdomain:unix_stream_socket connectto;
# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
allow adbd zygote_exec:file r_file_perms;
allow adbd system_file:file r_file_perms;
# Allow pulling the SELinux policy for CTS purposes
allow adbd selinuxfs:dir r_dir_perms;
allow adbd selinuxfs:file r_file_perms;
allow adbd kernel:security read_policy;
allow adbd surfaceflinger_service:service_manager find;
allow adbd bootchart_data_file:dir search;
allow adbd bootchart_data_file:file r_file_perms;
# Allow access to external storage; we have several visible mount points under /storage
# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
allow adbd storage_file:dir r_dir_perms;
allow adbd storage_file:lnk_file r_file_perms;
allow adbd mnt_user_file:dir r_dir_perms;
allow adbd mnt_user_file:lnk_file r_file_perms;
Reference in a new issue View git blame Copy permalink