8ca19368da
The extra permissions are not needed. Delete them. This change also adds read permission for /data/misc/zoneinfo back to all domains. libc refernces this directory for timezone related files, and it feels dangerous and of little value to try to restrict access. In particular, this causes problems when the shell user attempts to run "ls -la" to show file time stamps in the correct timezone. Bug: 25433265 Change-Id: I666bb460e440515151e3bf46fe2e0ac0e7c99f46
96 lines
3 KiB
Text
96 lines
3 KiB
Text
# adbd seclabel is specified in init.rc since
|
|
# it lives in the rootfs and has no unique file type.
|
|
type adbd, domain, mlstrustedsubject;
|
|
|
|
userdebug_or_eng(`
|
|
allow adbd self:process setcurrent;
|
|
allow adbd su:process dyntransition;
|
|
')
|
|
|
|
domain_auto_trans(adbd, shell_exec, shell)
|
|
|
|
# Do not sanitize the environment or open fds of the shell. Allow signaling
|
|
# created processes.
|
|
allow adbd shell:process { noatsecure signal };
|
|
|
|
# Set UID and GID to shell. Set supplementary groups.
|
|
allow adbd self:capability { setuid setgid };
|
|
|
|
# Drop capabilities from bounding set on user builds.
|
|
allow adbd self:capability setpcap;
|
|
|
|
# Create and use network sockets.
|
|
net_domain(adbd)
|
|
|
|
# Access /dev/android_adb or /dev/usb-ffs/adb/ep0
|
|
allow adbd adb_device:chr_file rw_file_perms;
|
|
allow adbd functionfs:dir search;
|
|
allow adbd functionfs:file rw_file_perms;
|
|
|
|
# Use a pseudo tty.
|
|
allow adbd devpts:chr_file rw_file_perms;
|
|
|
|
# adb push/pull /data/local/tmp.
|
|
allow adbd shell_data_file:dir create_dir_perms;
|
|
allow adbd shell_data_file:file create_file_perms;
|
|
|
|
# adb push/pull sdcard.
|
|
allow adbd sdcard_type:dir create_dir_perms;
|
|
allow adbd sdcard_type:file create_file_perms;
|
|
|
|
# adb pull /data/anr/traces.txt
|
|
allow adbd anr_data_file:dir r_dir_perms;
|
|
allow adbd anr_data_file:file r_file_perms;
|
|
|
|
# Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
|
|
set_prop(adbd, shell_prop)
|
|
set_prop(adbd, powerctl_prop)
|
|
set_prop(adbd, ffs_prop)
|
|
|
|
# Run /system/bin/bu
|
|
allow adbd system_file:file rx_file_perms;
|
|
|
|
# XXX Run toolbox. Might not be needed.
|
|
allow adbd toolbox_exec:file rx_file_perms;
|
|
auditallow adbd toolbox_exec:file rx_file_perms;
|
|
|
|
# Perform binder IPC to surfaceflinger (screencap)
|
|
# XXX Run screencap in a separate domain?
|
|
binder_use(adbd)
|
|
binder_call(adbd, surfaceflinger)
|
|
# b/13188914
|
|
allow adbd gpu_device:chr_file rw_file_perms;
|
|
|
|
# Read /data/misc/adb/adb_keys.
|
|
allow adbd adb_keys_file:dir search;
|
|
allow adbd adb_keys_file:file r_file_perms;
|
|
|
|
userdebug_or_eng(`
|
|
# Write debugging information to /data/adb
|
|
# when persist.adb.trace_mask is set
|
|
# https://code.google.com/p/android/issues/detail?id=72895
|
|
allow adbd adb_data_file:dir rw_dir_perms;
|
|
allow adbd adb_data_file:file create_file_perms;
|
|
')
|
|
|
|
# ndk-gdb invokes adb forward to forward the gdbserver socket.
|
|
allow adbd app_data_file:dir search;
|
|
allow adbd app_data_file:sock_file write;
|
|
allow adbd appdomain:unix_stream_socket connectto;
|
|
|
|
# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
|
|
allow adbd zygote_exec:file r_file_perms;
|
|
allow adbd system_file:file r_file_perms;
|
|
|
|
allow adbd kernel:security read_policy;
|
|
|
|
allow adbd surfaceflinger_service:service_manager find;
|
|
allow adbd bootchart_data_file:dir search;
|
|
allow adbd bootchart_data_file:file r_file_perms;
|
|
|
|
# Allow access to external storage; we have several visible mount points under /storage
|
|
# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
|
|
allow adbd storage_file:dir r_dir_perms;
|
|
allow adbd storage_file:lnk_file r_file_perms;
|
|
allow adbd mnt_user_file:dir r_dir_perms;
|
|
allow adbd mnt_user_file:lnk_file r_file_perms;
|