Add an adb_tradeinmode type for restricted adbd.
This adds sepolicy for a super restricted adbd mode. Currently, this
mode has just enough permissions to handle adb connection.
It also adds a new property, persist.adb.tradeinmode, which can be used
to enter this restricted version of adbd.
Test: manual test
Bug: 307713521
Change-Id: I99963f27ebab615332cb971701d1c06ea01332a1
diff --git a/private/adbd.te b/private/adbd.te
index a298f08..b87b319 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -2,13 +2,17 @@
typeattribute adbd coredomain;
typeattribute adbd mlstrustedsubject;
+typeattribute adbd adbd_common;
init_daemon_domain(adbd)
domain_auto_trans(adbd, shell_exec, shell)
+# Allow adb to setcon() to tradeinmode.
+allow adbd self:process setcurrent;
+allow adbd adbd_tradeinmode:process dyntransition;
+
userdebug_or_eng(`
- allow adbd self:process setcurrent;
allow adbd su:process dyntransition;
')
@@ -78,6 +82,7 @@
set_prop(adbd, powerctl_prop)
get_prop(adbd, ffs_config_prop)
set_prop(adbd, ffs_control_prop)
+set_prop(adbd, adbd_tradeinmode_prop)
# Allow adbd start/stop mdnsd via ctl.start
set_prop(adbd, ctl_mdnsd_prop)
@@ -182,6 +187,10 @@
allow adbd shell:unix_stream_socket { read write shutdown };
allow adbd shell:fd use;
+# adb push/pull /data/local/tmp.
+allow adbd shell_data_file:dir create_dir_perms;
+allow adbd shell_data_file:file create_file_perms;
+
# Allow pull /vendor/apex files for CTS tests
r_dir_file(adbd, vendor_apex_file)
@@ -206,10 +215,15 @@
###
# No transitions from adbd to non-shell, non-crash_dump domains. adbd only ever
-# transitions to the shell domain (except when it crashes). In particular, we
-# never want to see a transition from adbd to su (aka "adb root")
-neverallow adbd { domain -crash_dump -shell }:process transition;
-neverallow adbd { domain userdebug_or_eng(`-su') recovery_only(`-shell') }:process dyntransition;
+# transitions to the shell or tradeinmode domain (except when it crashes). In
+# particular, we never want to see a transition from adbd to su (aka "adb root")
+neverallow adbd { domain -crash_dump -shell -adbd_tradeinmode }:process transition;
+neverallow adbd {
+ domain
+ userdebug_or_eng(`-su')
+ recovery_only(`-shell')
+ -adbd_tradeinmode
+}:process dyntransition;
# Only init is allowed to enter the adbd domain via exec()
neverallow { domain -init } adbd:process transition;
diff --git a/private/adbd_common.te b/private/adbd_common.te
index 6cf8e49..c24b029 100644
--- a/private/adbd_common.te
+++ b/private/adbd_common.te
@@ -2,34 +2,30 @@
### Put things here that are needed for both adbd proper and adbd in trade-in mode.
# Connect to mdnsd via mdnsd socket.
-unix_socket_connect(adbd, mdnsd, mdnsd)
+unix_socket_connect(adbd_common, mdnsd, mdnsd)
# adbd probes for vsock support. Do not generate denials when
# this occurs. (b/123569840)
-dontaudit { adbd } self:{ socket vsock_socket } create;
+dontaudit adbd_common self:{ socket vsock_socket } create;
# Allow adbd inside vm to forward vm's vsock.
-allow { adbd } self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+allow adbd_common self:vsock_socket { create_socket_perms_no_ioctl listen accept };
# Access device logging gating property
-get_prop(adbd, device_logging_prop)
+get_prop(adbd_common, device_logging_prop)
# Use a pseudo tty.
-allow { adbd } devpts:chr_file rw_file_perms;
-
-# adb push/pull /data/local/tmp.
-allow { adbd } shell_data_file:dir create_dir_perms;
-allow { adbd } shell_data_file:file create_file_perms;
+allow adbd_common devpts:chr_file rw_file_perms;
# Read persist.adb.tls_server.enable property
-get_prop(adbd, system_adbd_prop)
+get_prop(adbd_common, system_adbd_prop)
# Read whether or not Test Harness Mode is enabled
-get_prop(adbd, test_harness_prop)
+get_prop(adbd_common, test_harness_prop)
# Set service.adb.tcp.port, service.adb.tls.port, persist.adb.wifi.* properties
-set_prop(adbd, adbd_prop)
-set_prop(adbd, adbd_config_prop)
+set_prop(adbd_common, adbd_prop)
+set_prop(adbd_common, adbd_config_prop)
# Read device's serial number from system properties
-get_prop(adbd, serialno_prop)
+get_prop(adbd_common, serialno_prop)
diff --git a/private/adbd_tradeinmode.te b/private/adbd_tradeinmode.te
new file mode 100644
index 0000000..2eae26a
--- /dev/null
+++ b/private/adbd_tradeinmode.te
@@ -0,0 +1,23 @@
+### ADB in trade-in mode
+type adbd_tradeinmode, domain, coredomain, adbd_common;
+
+# Create and use network sockets.
+net_domain(adbd_tradeinmode)
+
+# Baseline rules to make adbd work after setcon().
+allow adbd_tradeinmode adbd:unix_stream_socket {
+ rw_socket_perms_no_ioctl
+ listen
+ accept
+};
+allow adbd_tradeinmode adbd:fd use;
+allow adbd_tradeinmode adbd:unix_dgram_socket { connect write };
+allow adbd_tradeinmode functionfs:dir r_dir_perms;
+allow adbd_tradeinmode functionfs:file rw_file_perms;
+allow adbd_tradeinmode proc_uptime:file r_file_perms;
+allow adbd_tradeinmode rootfs:dir r_dir_perms;
+
+set_prop(adbd_tradeinmode, ffs_control_prop)
+
+# Allow changing persist.adb.tradeinmode when testing.
+userdebug_or_eng(`set_prop(adbd_tradeinmode, shell_prop)')
diff --git a/private/attributes b/private/attributes
index fe50b0d..2d6181d 100644
--- a/private/attributes
+++ b/private/attributes
@@ -15,3 +15,5 @@
attribute sdk_sandbox_all;
# The SDK sandbox domains for the current SDK level.
attribute sdk_sandbox_current;
+# Common to adbd and adbd_tradeinmode.
+attribute adbd_common;
diff --git a/private/coredomain.te b/private/coredomain.te
index 93cbff5..8a46a08 100644
--- a/private/coredomain.te
+++ b/private/coredomain.te
@@ -220,6 +220,7 @@
neverallow {
coredomain
-adbd
+ -adbd_tradeinmode
-init
-mediaprovider
-system_server
diff --git a/private/domain.te b/private/domain.te
index 03bcb85..ceab2dd 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -816,6 +816,7 @@
neverallow {
domain
-adbd
+ -adbd_tradeinmode
-dumpstate
-fastbootd
-hal_camera_server
diff --git a/private/property.te b/private/property.te
index 40beca5..c746cb3 100644
--- a/private/property.te
+++ b/private/property.te
@@ -1,5 +1,6 @@
# Properties used only in /system
system_internal_prop(adbd_prop)
+system_internal_prop(adbd_tradeinmode_prop)
system_internal_prop(apexd_payload_metadata_prop)
system_internal_prop(ctl_snapuserd_prop)
system_internal_prop(crashrecovery_prop)
@@ -509,6 +510,7 @@
-init
-vendor_init
-adbd
+ -adbd_tradeinmode
-system_server
} {
adbd_config_prop
@@ -519,6 +521,7 @@
domain
-init
-adbd
+ -adbd_tradeinmode
} {
adbd_prop
}:property_service set;
diff --git a/private/property_contexts b/private/property_contexts
index 999a69a..ea2df66 100644
--- a/private/property_contexts
+++ b/private/property_contexts
@@ -51,6 +51,7 @@
security.lower_kptr_restrict u:object_r:lower_kptr_restrict_prop:s0
service.adb.root u:object_r:shell_prop:s0
service.adb.tls.port u:object_r:adbd_prop:s0
+persist.adb.tradeinmode u:object_r:adbd_tradeinmode_prop:s0
persist.adb.wifi. u:object_r:adbd_prop:s0
persist.adb.tls_server.enable u:object_r:system_adbd_prop:s0
diff --git a/private/system_server.te b/private/system_server.te
index fc4faef..063c2ed 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -1134,9 +1134,9 @@
# Connect to adbd and use a socket transferred from it.
# Used for e.g. jdwp.
-allow system_server adbd:unix_stream_socket connectto;
-allow system_server adbd:fd use;
-allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
+allow system_server adbd_common:unix_stream_socket connectto;
+allow system_server adbd_common:fd use;
+allow system_server adbd_common:unix_stream_socket { getattr getopt ioctl read write shutdown };
# Read service.adb.tls.port, persist.adb.wifi. properties
get_prop(system_server, adbd_prop)