### ADB daemon
#
# SELinux type enforcement policy for the adbd domain (the on-device ADB
# daemon). adbd spawns shells, pushes/pulls files and forwards sockets, so the
# grants below are deliberately broad; the neverallow rules at the end pin
# down the one thing that must never happen: adbd transitioning into any
# domain other than shell (or, on user builds, into su).

typeattribute adbd coredomain;
# mlstrustedsubject exempts adbd from MLS constraints, i.e. it may access
# objects at any MLS level. This is a wide grant and part of why the
# neverallow rules at the bottom of this file matter.
typeattribute adbd mlstrustedsubject;

# adbd is started by init and runs in its own domain.
init_daemon_domain(adbd)

# Executing a shell_exec-labeled binary from adbd transitions into the shell
# domain automatically ('adb shell' outside recovery; see the recovery_only
# block below for why recovery is special).
domain_auto_trans(adbd, shell_exec, shell)

# userdebug/eng builds only: lets adbd change its own domain (setcurrent) and
# dyntransition into su -- the 'adb root' path. On user builds these rules are
# compiled out and the dyntransition neverallow at the end forbids it.
userdebug_or_eng(`
allow adbd self:process setcurrent;
allow adbd su:process dyntransition;
')

# When 'adb shell' is executed in recovery mode, adbd explicitly
# switches into shell domain using setcon() because the shell executable
# is not labeled as shell but as rootfs.
# NOTE(review): setcon() also needs self:process setcurrent, which this file
# only grants under userdebug_or_eng above; presumably recovery images are
# always userdebug/eng or grant it elsewhere -- confirm.
recovery_only(`
domain_trans(adbd, rootfs, shell)
allow adbd shell:process dyntransition;

# Allows reboot fastboot to enter fastboot directly
unix_socket_connect(adbd, recovery, recovery)
')

# Control Perfetto traced and obtain traces from it.
# Needed to allow port forwarding directly to traced.
unix_socket_connect(adbd, traced_consumer, traced)

# Do not sanitize the environment or open fds of the shell. Allow signaling
# created processes.
allow adbd shell:process { noatsecure signal };

# Set UID and GID to shell. Set supplementary groups.
allow adbd self:global_capability_class_set { setuid setgid };

# Drop capabilities from bounding set on user builds.
allow adbd self:global_capability_class_set setpcap;

# ignore spurious denials for adbd when disk space is low.
dontaudit adbd self:global_capability_class_set sys_resource;

# adbd probes for vsock support. Do not generate denials when
# this occurs. (b/123569840)
dontaudit adbd self:{ socket vsock_socket } create;

# Allow adbd inside vm to forward vm's vsock.
allow adbd self:vsock_socket { create_socket_perms_no_ioctl listen accept };

# Create and use network sockets (adb over TCP; see the adbd_prop rules below).
net_domain(adbd)

# Access /dev/usb-ffs/adb/ep0
allow adbd functionfs:dir search;
allow adbd functionfs:file rw_file_perms;
# rw_file_perms includes the ioctl permission; this allowxperm narrows it to
# exactly these two ioctl commands -- any other ioctl on functionfs is denied.
allowxperm adbd functionfs:file ioctl {
FUNCTIONFS_ENDPOINT_DESC
FUNCTIONFS_CLEAR_HALT
};

# Use a pseudo tty.
allow adbd devpts:chr_file rw_file_perms;

# adb push/pull /data/local/tmp.
allow adbd shell_data_file:dir create_dir_perms;
allow adbd shell_data_file:file create_file_perms;

# adb pull /data/local/traces/*
allow adbd trace_data_file:dir r_dir_perms;
allow adbd trace_data_file:file r_file_perms;

# adb pull /data/misc/profman.
allow adbd profman_dump_data_file:dir r_dir_perms;
allow adbd profman_dump_data_file:file r_file_perms;

# adb push/pull sdcard.
allow adbd tmpfs:dir search;
allow adbd rootfs:lnk_file r_file_perms; # /sdcard symlink
allow adbd tmpfs:lnk_file r_file_perms; # /mnt/sdcard symlink
allow adbd sdcard_type:dir create_dir_perms;
allow adbd sdcard_type:file create_file_perms;

# adb pull /data/anr/traces.txt
allow adbd anr_data_file:dir r_dir_perms;
allow adbd anr_data_file:file r_file_perms;

# adb pull /vendor/framework/*
allow adbd vendor_framework_file:dir r_dir_perms;
allow adbd vendor_framework_file:file r_file_perms;

# Set service.adb.*, sys.powerctl, and sys.usb.ffs.ready properties.
set_prop(adbd, shell_prop)
# sys.powerctl is the reboot/shutdown trigger, so this grant is what lets
# adbd reboot the device ('adb reboot').
set_prop(adbd, powerctl_prop)
get_prop(adbd, ffs_config_prop)
set_prop(adbd, ffs_control_prop)

# Set service.adb.tcp.port, service.adb.tls.port, persist.adb.wifi.* properties
set_prop(adbd, adbd_prop)
set_prop(adbd, adbd_config_prop)

# Allow adbd start/stop mdnsd via ctl.start
set_prop(adbd, ctl_mdnsd_prop)

# Access device logging gating property
get_prop(adbd, device_logging_prop)

# Read device's serial number from system properties
get_prop(adbd, serialno_prop)

# Read whether or not Test Harness Mode is enabled
get_prop(adbd, test_harness_prop)

# Read persist.adb.tls_server.enable property
get_prop(adbd, system_adbd_prop)

# Read device's overlayfs related properties and files
userdebug_or_eng(`
get_prop(adbd, persistent_properties_ready_prop)
r_dir_file(adbd, sysfs_dt_firmware_android)
')

# Run /system/bin/bu
allow adbd system_file:file rx_file_perms;

# Perform binder IPC to surfaceflinger (screencap)
# XXX Run screencap in a separate domain?
binder_use(adbd)
binder_call(adbd, surfaceflinger)
binder_call(adbd, gpuservice)
# b/13188914
allow adbd gpu_device:chr_file rw_file_perms;
allow adbd ion_device:chr_file rw_file_perms;
r_dir_file(adbd, system_file)

# Needed for various screenshots
hal_client_domain(adbd, hal_graphics_allocator)

# Read /data/misc/adb/adb_keys.
# Read-only: the authorized host key list is consulted here, and nothing in
# this file grants adbd write access to it.
allow adbd adb_keys_file:dir search;
allow adbd adb_keys_file:file r_file_perms;

userdebug_or_eng(`
# Write debugging information to /data/adb
# when persist.adb.trace_mask is set
# https://code.google.com/p/android/issues/detail?id=72895
allow adbd adb_data_file:dir rw_dir_perms;
allow adbd adb_data_file:file create_file_perms;
')

# ndk-gdb invokes adb forward to forward the gdbserver socket.
# Note the breadth: appdomain is an attribute, so the connectto grant covers
# the unix stream sockets of every app domain -- SELinux does not narrow this
# to debuggable apps.
allow adbd app_data_file:dir search;
allow adbd app_data_file:sock_file write;
allow adbd appdomain:unix_stream_socket connectto;

# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
allow adbd zygote_exec:file r_file_perms;
# r_file_perms on system_file is already implied by the rx_file_perms grant
# above (Run /system/bin/bu); kept so the ndk-gdb rationale stays documented.
allow adbd system_file:file r_file_perms;

# Allow pulling the SELinux policy for CTS purposes
allow adbd selinuxfs:dir r_dir_perms;
allow adbd selinuxfs:file r_file_perms;
allow adbd kernel:security read_policy;
allow adbd service_contexts_file:file r_file_perms;
allow adbd file_contexts_file:file r_file_perms;
allow adbd seapp_contexts_file:file r_file_perms;
allow adbd property_contexts_file:file r_file_perms;
allow adbd sepolicy_file:file r_file_perms;

# Allow pulling config.gz for CTS purposes
allow adbd config_gz:file r_file_perms;

# servicemanager lookups for the surfaceflinger/gpuservice binder_call grants
# above, plus read-only access to bootchart output.
allow adbd gpu_service:service_manager find;
allow adbd surfaceflinger_service:service_manager find;
allow adbd bootchart_data_file:dir search;
allow adbd bootchart_data_file:file r_file_perms;

# Allow access to external storage; we have several visible mount points under /storage
# and symlinks to primary storage at places like /storage/sdcard0 and /mnt/user/0/primary
allow adbd storage_file:dir r_dir_perms;
allow adbd storage_file:lnk_file r_file_perms;
allow adbd mnt_user_file:dir r_dir_perms;
allow adbd mnt_user_file:lnk_file r_file_perms;

# Access to /data/media.
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
allow adbd media_rw_data_file:dir create_dir_perms;
allow adbd media_rw_data_file:file create_file_perms;

# Read-only access to installed APK files (apk_data_file).
r_dir_file(adbd, apk_data_file)

allow adbd rootfs:dir r_dir_perms;

# Allow killing child "perfetto" binary processes, which auto-transition to
# their own domain. Allows propagating termination of "adb shell perfetto ..."
# invocations.
allow adbd perfetto:process signal;

# Allow to pull Perfetto traces.
allow adbd perfetto_traces_data_file:file r_file_perms;
allow adbd perfetto_traces_data_file:dir r_dir_perms;

# Allow to push and manage configs in /data/misc/perfetto-configs.
allow adbd perfetto_configs_data_file:dir rw_dir_perms;
allow adbd perfetto_configs_data_file:file create_file_perms;

# Connect to shell and use a socket transferred from it.
# Used for e.g. abb.
allow adbd shell:unix_stream_socket { read write shutdown };
allow adbd shell:fd use;

# Allow pull /vendor/apex files for CTS tests
allow adbd vendor_apex_file:dir search;
allow adbd vendor_apex_file:file r_file_perms;

# Allow adb pull of updated apex files in /data/apex/active.
allow adbd apex_data_file:dir search;
allow adbd staging_data_file:file r_file_perms;

###
### Neverallow rules
###
# neverallow rules are build-time assertions: a policy that grants any of the
# listed permissions fails to compile, regardless of which .te file grants it.

# No transitions from adbd to non-shell, non-crash_dump domains. adbd only ever
# transitions to the shell domain (except when it crashes). In particular, we
# never want to see a transition from adbd to su (aka "adb root")
neverallow adbd { domain -crash_dump -shell }:process transition;
# Same guarantee for setcon()-style dynamic transitions: on user builds no
# dyntransition target is permitted at all; userdebug/eng builds exempt su
# (matching the 'adb root' grant at the top) and recovery exempts shell
# (matching the recovery_only block).
neverallow adbd { domain userdebug_or_eng(`-su') recovery_only(`-shell') }:process dyntransition;