7bde36e94e
We don't use MLS in Microdroid, so we don't need MLS rules, nor mlstrusted[subject|object] labels. (We keep one MLS rule to satisfy checkpolicy.) A lot of attributes are unused in Microdroid, so we can remove their declarations and any references to them. (That may not make the compiled policy smaller, since hopefully they get optimised out anyway, but it means there is less policy for humans to deal with.) Remove labels that relate only to apps, which we don't have - MAC permissions, run-as, seapp_contexts. In passing, fix a comment snafu in both system & microdroid policy. Bug: 223596375 Test: Run staged-apex-compile & compos_verify, no denials Test: atest MicrodroidTests MicrodroidHostTestCases Change-Id: Ifd3589945a2d8b4c0361e00eec5678795513fd8c
# SELinux type-enforcement rules for the adbd domain. The vsock rule below
# refers to adbd running inside a VM. Macros and permission sets used here
# (init_daemon_domain, set_prop, r_file_perms, ...) are defined outside this
# file.

# Make adbd a member of the coredomain attribute.
typeattribute adbd coredomain;

# NOTE(review): presumably sets up the init -> adbd domain transition; confirm
# against the macro definition.
init_daemon_domain(adbd)

# A shell_exec-labelled binary executed by adbd runs in the shell domain
# instead of staying in adbd.
domain_auto_trans(adbd, shell_exec, shell)

# Debug builds only: adbd may change its own security context and dynamically
# transition into su. These two rules are wrapped in userdebug_or_eng, so this
# file gives adbd no path into su outside that wrapper. Review any change that
# widens this block, since dyntransition switches domain without an exec.
userdebug_or_eng(`
allow adbd self:process setcurrent;
allow adbd su:process dyntransition;
')

# Do not sanitize the environment or open fds of the shell. Allow signaling
# created processes.
# NOTE(review): noatsecure turns off AT_SECURE handling for the adbd -> shell
# transition. Keep it scoped to shell; do not extend it to other target domains.
allow adbd shell:process { noatsecure signal };

# Set UID and GID to shell. Set supplementary groups.
allow adbd self:global_capability_class_set { setuid setgid };

# Drop capabilities from bounding set on user builds.
allow adbd self:global_capability_class_set setpcap;

# adbd probes for vsock support. Do not generate denials when
# this occurs. (b/123569840)
# dontaudit suppresses the audit record only; the access is still denied.
# NOTE(review): the allow rule that follows also covers vsock_socket. If
# create_socket_perms_no_ioctl includes create (confirm in the macro
# definitions), the vsock_socket half of this dontaudit has no effect here and
# only the generic socket class is still silenced.
dontaudit adbd self:{ socket vsock_socket } create;

# Allow adbd inside vm to forward vm's vsock.
allow adbd self:vsock_socket { create_socket_perms_no_ioctl listen accept };

# Use a pseudo tty.
allow adbd devpts:chr_file rw_file_perms;

# adb push/pull /data/local/tmp.
# Both rules are limited to the shell_data_file type.
allow adbd shell_data_file:dir create_dir_perms;
allow adbd shell_data_file:file create_file_perms;

# Traverse tmpfs directories. Only search is granted, not read or write.
allow adbd tmpfs:dir search;

# Read-only directory access on rootfs.
allow adbd rootfs:dir r_dir_perms;

# Connect to shell and use a socket transferred from it.
# Used for e.g. abb.
allow adbd shell:unix_stream_socket { read write shutdown };
allow adbd shell:fd use;

# Allow adbd to set properties labelled shell_prop.
set_prop(adbd, shell_prop)

# Set service.adb.tcp.port, service.adb.tls.port, persist.adb.wifi.* properties
set_prop(adbd, adbd_prop)

# Allow pulling the SELinux policy for CTS purposes
# These rules are read-only: they let adbd read selinuxfs and the loaded
# policy, and grant nothing for loading or changing policy.
allow adbd selinuxfs:dir r_dir_perms;
allow adbd selinuxfs:file r_file_perms;
allow adbd kernel:security read_policy;

# adbd tries to run mdnsd, but mdnsd doesn't exist. Just dontaudit ctl permissions.
# TODO(b/200902288): patch adb and remove this rule
# The request stays denied; only the log entry is hidden. The rule names the
# ctl_default_prop and ctl_start_prop types as a whole, so every denied set on
# those types by adbd goes unlogged, not only the mdnsd one. Keep that in mind
# when reading denial logs for adbd until the TODO is resolved.
dontaudit adbd { ctl_default_prop ctl_start_prop }:property_service set;