Bug: 190511750 Test: boot microdroid Change-Id: I4aa4a56e9be5103d70469c3508110a973f3e4f12
# adbd policy for Microdroid (the adbd instance running inside the VM).
#
# adbd is a platform (coredomain) daemon launched by init. It also carries
# mlstrustedsubject, the attribute that exempts a domain from MLS constraints.
typeattribute adbd coredomain;
typeattribute adbd mlstrustedsubject;
init_daemon_domain(adbd)

# Executing a shell_exec binary moves the child into the shell domain
# automatically; adbd itself never runs code in the shell domain.
domain_auto_trans(adbd, shell_exec, shell)

# Debuggable builds only (userdebug_or_eng): adbd may change its own security
# context at runtime (setcurrent) and move straight into the su domain without
# an exec (dyntransition). This is what backs `adb root`. The macro emits
# nothing on user builds, so there adbd has no rule that would let it become su.
userdebug_or_eng(`
  allow adbd self:process { setcurrent };
  allow adbd su:process { dyntransition };
')

# Children spawned through the transition above get noatsecure, i.e. AT_SECURE
# is not set for them, so the shell inherits adbd's environment and open file
# descriptors unsanitized. adbd may also send signals to the shells it created.
allow adbd shell:process noatsecure;
allow adbd shell:process signal;

# Capabilities adbd keeps for itself: setuid/setgid to switch to the shell
# uid/gid and set supplementary groups, and setpcap so it can remove
# capabilities from its bounding set on user builds.
allow adbd self:global_capability_class_set { setuid setgid setpcap };

# vsock handling.
# adbd probes for vsock support at startup; that probe must not produce
# audit denials (b/123569840). Note that vsock_socket create is also granted
# explicitly below, so this dontaudit effectively only covers the plain
# `socket` class.
dontaudit adbd self:{ socket vsock_socket } create;
# Inside the VM adbd forwards the guest's vsock, so it needs to create, listen
# on and accept vsock connections (ioctl deliberately excluded).
allow adbd self:vsock_socket create_socket_perms_no_ioctl;
allow adbd self:vsock_socket { listen accept };

# Pseudo-terminal used for interactive shells.
allow adbd devpts:chr_file rw_file_perms;

# adb push/pull into /data/local/tmp (shell_data_file): adbd creates and
# writes these files itself, in its own domain.
allow adbd shell_data_file:dir create_dir_perms;
allow adbd shell_data_file:file create_file_perms;

# Directory lookups on tmpfs and the root filesystem; presumably needed to
# traverse to the paths above — confirm against callers if tightening.
allow adbd tmpfs:dir search;
allow adbd rootfs:dir r_dir_perms;

# Talk to a shell process over a unix stream socket and use a descriptor the
# shell passed over (used by e.g. abb).
allow adbd shell:fd use;
allow adbd shell:unix_stream_socket { read write shutdown };