Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 3fce5ad00269b135ddcb8fc20e3641a681d46028^! / . / private / adbd_common.te
commit3fce5ad00269b135ddcb8fc20e3641a681d46028[log] [tgz]
authorDavid Anderson <dvander@google.com>Fri Oct 11 08:58:23 2024 -0700
committerDavid Anderson <dvander@google.com>Tue Oct 15 10:12:56 2024 -0700
tree4dddccfca8be10022f8b97bff80c7bbc311c73b4
parent0fbd29a64cd109c13392324ad2c27d205dbfd4d9 [diff] [blame]
Add an adb_tradeinmode type for restricted adbd.

This adds sepolicy for a super restricted adbd mode. Currently, this
mode has just enough permissions to handle adb connection.

It also adds a new property, persist.adb.tradeinmode, which can be used
to enter this restricted version of adbd.

Test: manual test
Bug: 307713521
Change-Id: I99963f27ebab615332cb971701d1c06ea01332a1

diff --git a/private/adbd_common.te b/private/adbd_common.te
index 6cf8e49..c24b029 100644
--- a/private/adbd_common.te
+++ b/private/adbd_common.te

@@ -2,34 +2,30 @@
 ### Put things here that are needed for both adbd proper and adbd in trade-in mode.
 
 # Connect to mdnsd via mdnsd socket.
-unix_socket_connect(adbd, mdnsd, mdnsd)
+unix_socket_connect(adbd_common, mdnsd, mdnsd)
 
 # adbd probes for vsock support. Do not generate denials when
 # this occurs. (b/123569840)
-dontaudit { adbd } self:{ socket vsock_socket } create;
+dontaudit adbd_common self:{ socket vsock_socket } create;
 
 # Allow adbd inside vm to forward vm's vsock.
-allow { adbd } self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+allow adbd_common self:vsock_socket { create_socket_perms_no_ioctl listen accept };
 
 # Access device logging gating property
-get_prop(adbd, device_logging_prop)
+get_prop(adbd_common, device_logging_prop)
 
 # Use a pseudo tty.
-allow { adbd } devpts:chr_file rw_file_perms;
-
-# adb push/pull /data/local/tmp.
-allow { adbd } shell_data_file:dir create_dir_perms;
-allow { adbd } shell_data_file:file create_file_perms;
+allow adbd_common devpts:chr_file rw_file_perms;
 
 # Read persist.adb.tls_server.enable property
-get_prop(adbd, system_adbd_prop)
+get_prop(adbd_common, system_adbd_prop)
 
 # Read whether or not Test Harness Mode is enabled
-get_prop(adbd, test_harness_prop)
+get_prop(adbd_common, test_harness_prop)
 
 # Set service.adb.tcp.port, service.adb.tls.port, persist.adb.wifi.* properties
-set_prop(adbd, adbd_prop)
-set_prop(adbd, adbd_config_prop)
+set_prop(adbd_common, adbd_prop)
+set_prop(adbd_common, adbd_config_prop)
 
 # Read device's serial number from system properties
-get_prop(adbd, serialno_prop)
+get_prop(adbd_common, serialno_prop)