platform_system_sepolicy/private/adbd.te
Hector Dearman b56a49d979 Allow adb forward to traced consumer socket
Currently shell can connect to the traced_consumer_socket allowing it to
configure/start/stop and collect traces. This allows a host tool (e.g. Android Studio or
https://ui.perfetto.dev) to connect to the device via adb and collect traces. It would
be better if rather than executing shell commands the host tool could directly communicate
with the consumer socket. This is possible using adb forward:

adb forward tcp:9903 localfilesystem:/dev/socket/traced_consumer

However in this case adbd is connecting to the socket - not shell.

This CL allows adbd to connect to the socket which allows host tools to collect
traces without having to do everything though shell commands.

Denial:
08-30 11:28:05.809 10254 10254 W adbd    : type=1400 audit(0.0:1129): avc: denied { write } for name="traced_consumer" dev="tmpfs" ino=6719 scontext=u:r:adbd:s0 tcontext=u:object_r:traced_consumer_socket:s0 tclass=sock_file permissive=0

Test: Cherry pick CL to master, make, flash
adb logcat | grep denied
adb forward tcp:9903 localfilesystem:/dev/socket/traced_consumer

Bug: b/139536756
Change-Id: Ie08e687c0b06d0e1121009e8cd70319a8f907ae2
2019-09-05 10:12:47 +00:00

194 lines
6.3 KiB
Text

### ADB daemon
typeattribute adbd coredomain;
typeattribute adbd mlstrustedsubject;
init_daemon_domain(adbd)
domain_auto_trans(adbd, shell_exec, shell)
userdebug_or_eng(`
allow adbd self:process setcurrent;
allow adbd su:process dyntransition;
')
# When 'adb shell' is executed in recovery mode, adbd explicitly
# switches into shell domain using setcon() because the shell executable
# is not labeled as shell but as rootfs.
recovery_only(`
domain_trans(adbd, rootfs, shell)
allow adbd shell:process dyntransition;
# Allows reboot fastboot to enter fastboot directly
unix_socket_connect(adbd, recovery, recovery)
')
# Control Perfetto traced and obtain traces from it.
# Needed to allow port forwarding directly to traced.
unix_socket_connect(adbd, traced_consumer, traced)
# Do not sanitize the environment or open fds of the shell. Allow signaling
# created processes.
allow adbd shell:process { noatsecure signal };
# Set UID and GID to shell. Set supplementary groups.
allow adbd self:global_capability_class_set { setuid setgid };
# Drop capabilities from bounding set on user builds.
allow adbd self:global_capability_class_set setpcap;
# ignore spurious denials for adbd when disk space is low.
dontaudit adbd self:global_capability_class_set sys_resource;
# adbd probes for vsock support. Do not generate denials when
# this occurs. (b/123569840)
dontaudit adbd self:{ socket vsock_socket } create;
# Create and use network sockets.
net_domain(adbd)
# Access /dev/usb-ffs/adb/ep0
allow adbd functionfs:dir search;
allow adbd functionfs:file rw_file_perms;
allowxperm adbd functionfs:file ioctl {
FUNCTIONFS_ENDPOINT_DESC
FUNCTIONFS_CLEAR_HALT
};
# Use a pseudo tty.
allow adbd devpts:chr_file rw_file_perms;
# adb push/pull /data/local/tmp.
allow adbd shell_data_file:dir create_dir_perms;
allow adbd shell_data_file:file create_file_perms;
# adb pull /data/local/traces/*
allow adbd trace_data_file:dir r_dir_perms;
allow adbd trace_data_file:file r_file_perms;
# adb pull /data/misc/profman.
allow adbd profman_dump_data_file:dir r_dir_perms;
allow adbd profman_dump_data_file:file r_file_perms;
# adb push/pull sdcard.
allow adbd tmpfs:dir search;
allow adbd rootfs:lnk_file r_file_perms; # /sdcard symlink
allow adbd tmpfs:lnk_file r_file_perms; # /mnt/sdcard symlink
allow adbd sdcard_type:dir create_dir_perms;
allow adbd sdcard_type:file create_file_perms;
# adb pull /data/anr/traces.txt
allow adbd anr_data_file:dir r_dir_perms;
allow adbd anr_data_file:file r_file_perms;
# Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
set_prop(adbd, shell_prop)
set_prop(adbd, powerctl_prop)
set_prop(adbd, ffs_prop)
set_prop(adbd, exported_ffs_prop)
# Access device logging gating property
get_prop(adbd, device_logging_prop)
# Read device's serial number from system properties
get_prop(adbd, serialno_prop)
# Read whether or not Test Harness Mode is enabled
get_prop(adbd, test_harness_prop)
# Read device's overlayfs related properties and files
userdebug_or_eng(`
get_prop(adbd, persistent_properties_ready_prop)
r_dir_file(adbd, sysfs_dt_firmware_android)
')
# Run /system/bin/bu
allow adbd system_file:file rx_file_perms;
# Perform binder IPC to surfaceflinger (screencap)
# XXX Run screencap in a separate domain?
binder_use(adbd)
binder_call(adbd, surfaceflinger)
binder_call(adbd, gpuservice)
# b/13188914
allow adbd gpu_device:chr_file rw_file_perms;
allow adbd ion_device:chr_file rw_file_perms;
r_dir_file(adbd, system_file)
# Needed for various screenshots
hal_client_domain(adbd, hal_graphics_allocator)
# Read /data/misc/adb/adb_keys.
allow adbd adb_keys_file:dir search;
allow adbd adb_keys_file:file r_file_perms;
userdebug_or_eng(`
# Write debugging information to /data/adb
# when persist.adb.trace_mask is set
# https://code.google.com/p/android/issues/detail?id=72895
allow adbd adb_data_file:dir rw_dir_perms;
allow adbd adb_data_file:file create_file_perms;
')
# ndk-gdb invokes adb forward to forward the gdbserver socket.
allow adbd app_data_file:dir search;
allow adbd app_data_file:sock_file write;
allow adbd appdomain:unix_stream_socket connectto;
# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
allow adbd zygote_exec:file r_file_perms;
allow adbd system_file:file r_file_perms;
# Allow pulling the SELinux policy for CTS purposes
allow adbd selinuxfs:dir r_dir_perms;
allow adbd selinuxfs:file r_file_perms;
allow adbd kernel:security read_policy;
allow adbd service_contexts_file:file r_file_perms;
allow adbd file_contexts_file:file r_file_perms;
allow adbd seapp_contexts_file:file r_file_perms;
allow adbd property_contexts_file:file r_file_perms;
allow adbd sepolicy_file:file r_file_perms;
# Allow pulling config.gz for CTS purposes
allow adbd config_gz:file r_file_perms;
allow adbd gpu_service:service_manager find;
allow adbd surfaceflinger_service:service_manager find;
allow adbd bootchart_data_file:dir search;
allow adbd bootchart_data_file:file r_file_perms;
# Allow access to external storage; we have several visible mount points under /storage
# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
allow adbd storage_file:dir r_dir_perms;
allow adbd storage_file:lnk_file r_file_perms;
allow adbd mnt_user_file:dir r_dir_perms;
allow adbd mnt_user_file:lnk_file r_file_perms;
# Access to /data/media.
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
allow adbd media_rw_data_file:dir create_dir_perms;
allow adbd media_rw_data_file:file create_file_perms;
r_dir_file(adbd, apk_data_file)
allow adbd rootfs:dir r_dir_perms;
# Allow to pull Perfetto traces.
allow adbd perfetto_traces_data_file:file r_file_perms;
allow adbd perfetto_traces_data_file:dir r_dir_perms;
# Connect to shell and use a socket transferred from it.
# Used for e.g. abb.
allow adbd shell:unix_stream_socket { read write };
allow adbd shell:fd use;
###
### Neverallow rules
###
# No transitions from adbd to non-shell, non-crash_dump domains. adbd only ever
# transitions to the shell domain (except when it crashes). In particular, we
# never want to see a transition from adbd to su (aka "adb root")
neverallow adbd { domain -crash_dump -shell }:process transition;
neverallow adbd { domain userdebug_or_eng(`-su') recovery_only(`-shell') }:process dyntransition;