Split adbd.te into adbd.te and adbd_common.te.

In trade-in mode, adbd will setcon() itself to a much lower privileged
sepolicy so that only a single command will work: "adb shell
tradeinmode". To make this work we are refactoring adbd.te.

This splits the most critical parts of adbd.te into a separate file,
adbd_common.te, so that it is clear which permissions need to be
inherited by both normal adbd and trade-in mode.

adbd_common.te was created by running adbd in a context with no
privileges, and then iteratively moving lines from adbd.te based on
audit messages, until "adb shell" could drop into a totally useless
shell.

Ideally, this change would have been to introduce a new attribute that
could be inherited. However trunk stable makes this exceedingly
difficult, so instead we opt for a small amount of duplication.

Bug: 307713521
Test: adb still works on cuttlefish
Change-Id: Ia77f9ea3a12e697805b331c1379421d124e013d2
diff --git a/private/adbd_common.te b/private/adbd_common.te
new file mode 100644
index 0000000..6cf8e49
--- /dev/null
+++ b/private/adbd_common.te
@@ -0,0 +1,35 @@
+### ADB daemon common rules.
+### Put things here that are needed for both adbd proper and adbd in trade-in mode.
+
+# Connect to mdnsd via mdnsd socket.
+unix_socket_connect(adbd, mdnsd, mdnsd)
+
+# adbd probes for vsock support. Do not generate denials when
+# this occurs. (b/123569840)
+dontaudit { adbd } self:{ socket vsock_socket } create;
+
+# Allow adbd inside vm to forward vm's vsock.
+allow { adbd } self:vsock_socket { create_socket_perms_no_ioctl listen accept };
+
+# Access device logging gating property
+get_prop(adbd, device_logging_prop)
+
+# Use a pseudo tty.
+allow { adbd } devpts:chr_file rw_file_perms;
+
+# adb push/pull /data/local/tmp.
+allow { adbd } shell_data_file:dir create_dir_perms;
+allow { adbd } shell_data_file:file create_file_perms;
+
+# Read persist.adb.tls_server.enable property
+get_prop(adbd, system_adbd_prop)
+
+# Read whether or not Test Harness Mode is enabled
+get_prop(adbd, test_harness_prop)
+
+# Set service.adb.tcp.port, service.adb.tls.port, persist.adb.wifi.* properties
+set_prop(adbd, adbd_prop)
+set_prop(adbd, adbd_config_prop)
+
+# Read device's serial number from system properties
+get_prop(adbd, serialno_prop)
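Review bot: the "common" set here is broader than the stated goal of a trade-in domain in which only "adb shell tradeinmode" works. In particular, the push/pull rules `allow { adbd } shell_data_file:dir create_dir_perms;` and `allow { adbd } shell_data_file:file create_file_perms;` grant write access to /data/local/tmp, and `set_prop(adbd, adbd_prop)` / `set_prop(adbd, adbd_config_prop)` let the domain change service.adb.tcp.port, service.adb.tls.port and persist.adb.wifi.*; none of those are obviously required to run a single shell command. Since the commit message says this file was derived from audit denials seen while reaching a "totally useless shell", please either add a comment next to each of these rules explaining why the trade-in domain needs them, or keep them in adbd.te so the lower-privileged domain does not inherit them by default. Two smaller points: the file header says these rules are shared with trade-in mode, but every macro call hardcodes `adbd` (e.g. `get_prop(adbd, ...)`, `unix_socket_connect(adbd, mdnsd, mdnsd)`), so a note on how the second domain is expected to pick them up (copy versus a later attribute) would help the next reader; and the `{ adbd }` brace style in the `allow`/`dontaudit` lines is inconsistent with the bare `adbd` in the macro calls, so pick one form for the file.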