9ec532752d
Any FUSE filesystem will receive the 'fuse' type when mounted. It is possible to change this behaviour by specifying the "context=" or "fscontext=" option in mount(). Because 'fuse' has historically been used only for the emulated storage, it also received the 'sdcard_type' attribute. Replace the 'sdcard_type' attribute from 'fuse' with the new 'fusefs_type'. This attribute can be attached on derived types (such as app_fusefs). This change: - Remove the neverallow restriction on this new type. This means any custom FUSE implementation can be mounted/unmounted (if the correct allow rule is added). See domain.te. - Change the attribute of 'fuse' from 'sdcard_type' to 'fusefs_type'. See file.te. - Modify all references to 'sdcard_type' to explicitly include 'fuse' for compatibility reason. Bug: 177481425 Bug: 190804537 Test: Build and boot aosp_cf_x86_64_phone-userdebug Change-Id: Id4e410a049f72647accd4c3cf43eaa55e94c318f
231 lines
7.6 KiB
Text
231 lines
7.6 KiB
Text
### ADB daemon
|
|
|
|
typeattribute adbd coredomain;
|
|
typeattribute adbd mlstrustedsubject;
|
|
|
|
init_daemon_domain(adbd)
|
|
|
|
domain_auto_trans(adbd, shell_exec, shell)
|
|
|
|
userdebug_or_eng(`
|
|
allow adbd self:process setcurrent;
|
|
allow adbd su:process dyntransition;
|
|
')
|
|
|
|
# When 'adb shell' is executed in recovery mode, adbd explicitly
|
|
# switches into shell domain using setcon() because the shell executable
|
|
# is not labeled as shell but as rootfs.
|
|
recovery_only(`
|
|
domain_trans(adbd, rootfs, shell)
|
|
allow adbd shell:process dyntransition;
|
|
|
|
# Allows reboot fastboot to enter fastboot directly
|
|
unix_socket_connect(adbd, recovery, recovery)
|
|
')
|
|
|
|
# Control Perfetto traced and obtain traces from it.
|
|
# Needed to allow port forwarding directly to traced.
|
|
unix_socket_connect(adbd, traced_consumer, traced)
|
|
|
|
# Do not sanitize the environment or open fds of the shell. Allow signaling
|
|
# created processes.
|
|
allow adbd shell:process { noatsecure signal };
|
|
|
|
# Set UID and GID to shell. Set supplementary groups.
|
|
allow adbd self:global_capability_class_set { setuid setgid };
|
|
|
|
# Drop capabilities from bounding set on user builds.
|
|
allow adbd self:global_capability_class_set setpcap;
|
|
|
|
# ignore spurious denials for adbd when disk space is low.
|
|
dontaudit adbd self:global_capability_class_set sys_resource;
|
|
|
|
# adbd probes for vsock support. Do not generate denials when
|
|
# this occurs. (b/123569840)
|
|
dontaudit adbd self:{ socket vsock_socket } create;
|
|
|
|
# Allow adbd inside vm to forward vm's vsock.
|
|
allow adbd self:vsock_socket { create_socket_perms_no_ioctl listen accept };
|
|
|
|
# Create and use network sockets.
|
|
net_domain(adbd)
|
|
|
|
# Access /dev/usb-ffs/adb/ep0
|
|
allow adbd functionfs:dir search;
|
|
allow adbd functionfs:file rw_file_perms;
|
|
allowxperm adbd functionfs:file ioctl {
|
|
FUNCTIONFS_ENDPOINT_DESC
|
|
FUNCTIONFS_CLEAR_HALT
|
|
};
|
|
|
|
# Use a pseudo tty.
|
|
allow adbd devpts:chr_file rw_file_perms;
|
|
|
|
# adb push/pull /data/local/tmp.
|
|
allow adbd shell_data_file:dir create_dir_perms;
|
|
allow adbd shell_data_file:file create_file_perms;
|
|
|
|
# adb pull /data/local/traces/*
|
|
allow adbd trace_data_file:dir r_dir_perms;
|
|
allow adbd trace_data_file:file r_file_perms;
|
|
|
|
# adb pull /data/misc/profman.
|
|
allow adbd profman_dump_data_file:dir r_dir_perms;
|
|
allow adbd profman_dump_data_file:file r_file_perms;
|
|
|
|
# adb push/pull sdcard.
|
|
allow adbd tmpfs:dir search;
|
|
allow adbd rootfs:lnk_file r_file_perms; # /sdcard symlink
|
|
allow adbd tmpfs:lnk_file r_file_perms; # /mnt/sdcard symlink
|
|
allow adbd { sdcard_type fuse }:dir create_dir_perms;
|
|
allow adbd { sdcard_type fuse }:file create_file_perms;
|
|
|
|
# adb pull /data/anr/traces.txt
|
|
allow adbd anr_data_file:dir r_dir_perms;
|
|
allow adbd anr_data_file:file r_file_perms;
|
|
|
|
# adb pull /vendor/framework/*
|
|
allow adbd vendor_framework_file:dir r_dir_perms;
|
|
allow adbd vendor_framework_file:file r_file_perms;
|
|
|
|
# Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
|
|
set_prop(adbd, shell_prop)
|
|
set_prop(adbd, powerctl_prop)
|
|
get_prop(adbd, ffs_config_prop)
|
|
set_prop(adbd, ffs_control_prop)
|
|
|
|
# Set service.adb.tcp.port, service.adb.tls.port, persist.adb.wifi.* properties
|
|
set_prop(adbd, adbd_prop)
|
|
set_prop(adbd, adbd_config_prop)
|
|
|
|
# Allow adbd start/stop mdnsd via ctl.start
|
|
set_prop(adbd, ctl_mdnsd_prop)
|
|
|
|
# Access device logging gating property
|
|
get_prop(adbd, device_logging_prop)
|
|
|
|
# Read device's serial number from system properties
|
|
get_prop(adbd, serialno_prop)
|
|
|
|
# Read whether or not Test Harness Mode is enabled
|
|
get_prop(adbd, test_harness_prop)
|
|
|
|
# Read persist.adb.tls_server.enable property
|
|
get_prop(adbd, system_adbd_prop)
|
|
|
|
# Read device's overlayfs related properties and files
|
|
userdebug_or_eng(`
|
|
get_prop(adbd, persistent_properties_ready_prop)
|
|
r_dir_file(adbd, sysfs_dt_firmware_android)
|
|
')
|
|
|
|
# Run /system/bin/bu
|
|
allow adbd system_file:file rx_file_perms;
|
|
|
|
# Perform binder IPC to surfaceflinger (screencap)
|
|
# XXX Run screencap in a separate domain?
|
|
binder_use(adbd)
|
|
binder_call(adbd, surfaceflinger)
|
|
binder_call(adbd, gpuservice)
|
|
# b/13188914
|
|
allow adbd gpu_device:chr_file rw_file_perms;
|
|
allow adbd ion_device:chr_file rw_file_perms;
|
|
r_dir_file(adbd, system_file)
|
|
|
|
# Needed for various screenshots
|
|
hal_client_domain(adbd, hal_graphics_allocator)
|
|
|
|
# Read /data/misc/adb/adb_keys.
|
|
allow adbd adb_keys_file:dir search;
|
|
allow adbd adb_keys_file:file r_file_perms;
|
|
|
|
userdebug_or_eng(`
|
|
# Write debugging information to /data/adb
|
|
# when persist.adb.trace_mask is set
|
|
# https://code.google.com/p/android/issues/detail?id=72895
|
|
allow adbd adb_data_file:dir rw_dir_perms;
|
|
allow adbd adb_data_file:file create_file_perms;
|
|
')
|
|
|
|
# ndk-gdb invokes adb forward to forward the gdbserver socket.
|
|
allow adbd app_data_file:dir search;
|
|
allow adbd app_data_file:sock_file write;
|
|
allow adbd appdomain:unix_stream_socket connectto;
|
|
|
|
# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
|
|
allow adbd zygote_exec:file r_file_perms;
|
|
allow adbd system_file:file r_file_perms;
|
|
|
|
# Allow pulling the SELinux policy for CTS purposes
|
|
allow adbd selinuxfs:dir r_dir_perms;
|
|
allow adbd selinuxfs:file r_file_perms;
|
|
allow adbd kernel:security read_policy;
|
|
allow adbd service_contexts_file:file r_file_perms;
|
|
allow adbd file_contexts_file:file r_file_perms;
|
|
allow adbd seapp_contexts_file:file r_file_perms;
|
|
allow adbd property_contexts_file:file r_file_perms;
|
|
allow adbd sepolicy_file:file r_file_perms;
|
|
|
|
# Allow pulling config.gz for CTS purposes
|
|
allow adbd config_gz:file r_file_perms;
|
|
|
|
allow adbd gpu_service:service_manager find;
|
|
allow adbd surfaceflinger_service:service_manager find;
|
|
allow adbd bootchart_data_file:dir search;
|
|
allow adbd bootchart_data_file:file r_file_perms;
|
|
|
|
# Allow access to external storage; we have several visible mount points under /storage
|
|
# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
|
|
allow adbd storage_file:dir r_dir_perms;
|
|
allow adbd storage_file:lnk_file r_file_perms;
|
|
allow adbd mnt_user_file:dir r_dir_perms;
|
|
allow adbd mnt_user_file:lnk_file r_file_perms;
|
|
|
|
# Access to /data/media.
|
|
# This should be removed if sdcardfs is modified to alter the secontext for its
|
|
# accesses to the underlying FS.
|
|
allow adbd media_rw_data_file:dir create_dir_perms;
|
|
allow adbd media_rw_data_file:file create_file_perms;
|
|
|
|
r_dir_file(adbd, apk_data_file)
|
|
|
|
allow adbd rootfs:dir r_dir_perms;
|
|
|
|
# Allow killing child "perfetto" binary processes, which auto-transition to
|
|
# their own domain. Allows propagating termination of "adb shell perfetto ..."
|
|
# invocations.
|
|
allow adbd perfetto:process signal;
|
|
|
|
# Allow to pull Perfetto traces.
|
|
allow adbd perfetto_traces_data_file:file r_file_perms;
|
|
allow adbd perfetto_traces_data_file:dir r_dir_perms;
|
|
|
|
# Allow to push and manage configs in /data/misc/perfetto-configs.
|
|
allow adbd perfetto_configs_data_file:dir rw_dir_perms;
|
|
allow adbd perfetto_configs_data_file:file create_file_perms;
|
|
|
|
# Connect to shell and use a socket transferred from it.
|
|
# Used for e.g. abb.
|
|
allow adbd shell:unix_stream_socket { read write shutdown };
|
|
allow adbd shell:fd use;
|
|
|
|
# Allow pull /vendor/apex files for CTS tests
|
|
allow adbd vendor_apex_file:dir search;
|
|
allow adbd vendor_apex_file:file r_file_perms;
|
|
|
|
# Allow adb pull of updated apex files in /data/apex/active.
|
|
allow adbd apex_data_file:dir search;
|
|
allow adbd staging_data_file:file r_file_perms;
|
|
|
|
# Allow adbd to pull /apex/apex-info-list.xml for CTS tests.
|
|
allow adbd apex_info_file:file r_file_perms;
|
|
|
|
###
|
|
### Neverallow rules
|
|
###
|
|
|
|
# No transitions from adbd to non-shell, non-crash_dump domains. adbd only ever
|
|
# transitions to the shell domain (except when it crashes). In particular, we
|
|
# never want to see a transition from adbd to su (aka "adb root")
|
|
neverallow adbd { domain -crash_dump -shell }:process transition;
|
|
neverallow adbd { domain userdebug_or_eng(`-su') recovery_only(`-shell') }:process dyntransition;
|