DO NOT MERGE: allow access to labeled executables in /system

Most files on /system are labeled with the "system_file" label, and are readable by default by all SELinux domains. However, select executables are labeled with their own label, so that SELinux knows what domains to enter upon running the executable. Allow adbd read access to labeled executables in /system. We do this by granting adbd read access to exec_type, the attribute assigned to all executables on /system. This allows "adb pull /system" to work without generating SELinux denials. Bug: 18078338 Change-Id: I97783759af083968890f15f7b1d8fff989e80604
2014-10-21 22:39:42 -07:00 · 2014-10-21 22:39:42 -07:00 · 2c38b3b809
commit 2c38b3b809
parent 480374e4d0
1 changed files with 4 additions and 0 deletions
--- a/adbd.te
+++ b/adbd.te
@ -65,6 +65,10 @@ allow adbd app_data_file:dir search;
 allow adbd app_data_file:sock_file write;
 allow adbd appdomain:unix_stream_socket connectto;

+# b/18078338 - allow read access to executable types on /system
+# to assist with debugging OTA issues.
+allow adbd exec_type:file r_file_perms;
+
 # ndk-gdb invokes adb pull of app_process, linker, and libc.so.
 allow adbd zygote_exec:file r_file_perms;
 allow adbd system_file:file r_file_perms;