Split adbd.te into adbd.te and adbd_common.te.
In trade-in mode, adbd will setcon() itself to a much lower privileged
sepolicy so that only a single command will work: "adb shell
tradeinmode". To make this work we are refactoring adbd.te.
This splits the most critical parts of adbd.te into a separate file,
adbd_common.te, so that it is clear which permissions need to be
inherited by both normal adbd and trade-in mode.
adbd_common.te was created by running adbd in a context with no
privileges, and then iteratively moving lines from adbd.te based on
audit messages, until "adb shell" could drop into a totally useless
shell.
Ideally, this change would have been to introduce a new attribute that
could be inherited. However trunk stable makes this exceedingly
difficult, so instead we opt for a small amount of duplication.
Bug: 307713521
Test: adb still works on cuttlefish
Change-Id: Ia77f9ea3a12e697805b331c1379421d124e013d2
diff --git a/private/adbd.te b/private/adbd.te
index 154a04c..a298f08 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -40,18 +40,8 @@
# ignore spurious denials for adbd when disk space is low.
dontaudit adbd self:global_capability_class_set sys_resource;
-# adbd probes for vsock support. Do not generate denials when
-# this occurs. (b/123569840)
-dontaudit adbd self:{ socket vsock_socket } create;
-
-# Allow adbd inside vm to forward vm's vsock.
-allow adbd self:vsock_socket { create_socket_perms_no_ioctl listen accept };
-
# Create and use network sockets.
net_domain(adbd)
-# Connect to mdnsd via mdnsd socket.
-unix_socket_connect(adbd, mdnsd, mdnsd)
-
# Access /dev/usb-ffs/adb/ep0
allow adbd functionfs:dir search;
allow adbd functionfs:file rw_file_perms;
@@ -60,13 +50,6 @@
FUNCTIONFS_CLEAR_HALT
};
-# Use a pseudo tty.
-allow adbd devpts:chr_file rw_file_perms;
-
-# adb push/pull /data/local/tmp.
-allow adbd shell_data_file:dir create_dir_perms;
-allow adbd shell_data_file:file create_file_perms;
-
# adb pull /data/local/traces/*
allow adbd trace_data_file:dir r_dir_perms;
allow adbd trace_data_file:file r_file_perms;
@@ -96,25 +79,9 @@
get_prop(adbd, ffs_config_prop)
set_prop(adbd, ffs_control_prop)
-# Set service.adb.tcp.port, service.adb.tls.port, persist.adb.wifi.* properties
-set_prop(adbd, adbd_prop)
-set_prop(adbd, adbd_config_prop)
-
# Allow adbd start/stop mdnsd via ctl.start
set_prop(adbd, ctl_mdnsd_prop)
-# Access device logging gating property
-get_prop(adbd, device_logging_prop)
-
-# Read device's serial number from system properties
-get_prop(adbd, serialno_prop)
-
-# Read whether or not Test Harness Mode is enabled
-get_prop(adbd, test_harness_prop)
-
-# Read persist.adb.tls_server.enable property
-get_prop(adbd, system_adbd_prop)
-
# Read device's overlayfs related properties and files
userdebug_or_eng(`
get_prop(adbd, persistent_properties_ready_prop)
diff --git a/private/adbd_common.te b/private/adbd_common.te
new file mode 100644
index 0000000..6cf8e49
--- /dev/null
+++ b/private/adbd_common.te
@@ -0,0 +1,35 @@
+### ADB daemon common rules.
+### Put things here that are needed for both adbd proper and adbd in trade-in mode.
+
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(adbd, mdnsd, mdnsd)
+
+# adbd probes for vsock support. Do not generate denials when
+# this occurs. (b/123569840)
+dontaudit { adbd } self:{ socket vsock_socket } create;
+
+# Allow adbd inside vm to forward vm's vsock.
+allow { adbd } self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+
+# Access device logging gating property
+get_prop(adbd, device_logging_prop)
+
+# Use a pseudo tty.
+allow { adbd } devpts:chr_file rw_file_perms;
+
+# adb push/pull /data/local/tmp.
+allow { adbd } shell_data_file:dir create_dir_perms;
+allow { adbd } shell_data_file:file create_file_perms;
+
+# Read persist.adb.tls_server.enable property
+get_prop(adbd, system_adbd_prop)
+
+# Read whether or not Test Harness Mode is enabled
+get_prop(adbd, test_harness_prop)
+
+# Set service.adb.tcp.port, service.adb.tls.port, persist.adb.wifi.* properties
+set_prop(adbd, adbd_prop)
+set_prop(adbd, adbd_config_prop)
+
+# Read device's serial number from system properties
+get_prop(adbd, serialno_prop)