microdroid/sepolicy/system/private/adbd.te

typeattribute adbd coredomain;
typeattribute adbd mlstrustedsubject;

init_daemon_domain(adbd)

domain_auto_trans(adbd, shell_exec, shell)

userdebug_or_eng(`
  allow adbd self:process setcurrent;
  allow adbd su:process dyntransition;
')

# Do not sanitize the environment or open fds of the shell. Allow signaling
# created processes.
allow adbd shell:process { noatsecure signal };

# Set UID and GID to shell.  Set supplementary groups.
allow adbd self:global_capability_class_set { setuid setgid };

# Drop capabilities from bounding set on user builds.
allow adbd self:global_capability_class_set setpcap;

# adbd probes for vsock support. Do not generate denials when
# this occurs. (b/123569840)
dontaudit adbd self:{ socket vsock_socket } create;

# Allow adbd inside vm to forward vm's vsock.
allow adbd self:vsock_socket { create_socket_perms_no_ioctl listen accept };

# Use a pseudo tty.
allow adbd devpts:chr_file rw_file_perms;

# adb push/pull /data/local/tmp.
allow adbd shell_data_file:dir create_dir_perms;
allow adbd shell_data_file:file create_file_perms;

allow adbd tmpfs:dir search;

allow adbd rootfs:dir r_dir_perms;

# Connect to shell and use a socket transferred from it.
# Used for e.g. abb.
allow adbd shell:unix_stream_socket { read write shutdown };
allow adbd shell:fd use;