Add an adb_tradeinmode type for restricted adbd. This adds sepolicy for a super restricted adbd mode. Currently, this mode has just enough permissions to handle adb connection. It also adds a new property, persist.adb.tradeinmode, which can be used to enter this restricted version of adbd. Test: manual test Bug: 307713521 Change-Id: I99963f27ebab615332cb971701d1c06ea01332a1

commit: 3fce5ad00269b135ddcb8fc20e3641a681d46028 [log] [tgz]
author: David Anderson <dvander@google.com> Fri Oct 11 08:58:23 2024 -0700
committer: David Anderson <dvander@google.com> Tue Oct 15 10:12:56 2024 -0700
tree: 4dddccfca8be10022f8b97bff80c7bbc311c73b4
parent: 0fbd29a64cd109c13392324ad2c27d205dbfd4d9 [diff] [blame]
diff --git a/private/system_server.te b/private/system_server.te
index fc4faef..063c2ed 100644
--- a/private/system_server.te
+++ b/private/system_server.te

@@ -1134,9 +1134,9 @@
 
 # Connect to adbd and use a socket transferred from it.
 # Used for e.g. jdwp.
-allow system_server adbd:unix_stream_socket connectto;
-allow system_server adbd:fd use;
-allow system_server adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
+allow system_server adbd_common:unix_stream_socket connectto;
+allow system_server adbd_common:fd use;
+allow system_server adbd_common:unix_stream_socket { getattr getopt ioctl read write shutdown };
 
 # Read service.adb.tls.port, persist.adb.wifi. properties
 get_prop(system_server, adbd_prop)
commit	3fce5ad00269b135ddcb8fc20e3641a681d46028	[log] [tgz]
author	David Anderson <dvander@google.com>	Fri Oct 11 08:58:23 2024 -0700
committer	David Anderson <dvander@google.com>	Tue Oct 15 10:12:56 2024 -0700
tree	4dddccfca8be10022f8b97bff80c7bbc311c73b4
parent	0fbd29a64cd109c13392324ad2c27d205dbfd4d9 [diff] [blame]