77cc05502f
Newer adbd versions use functionfs instead of a custom adb usb gadget.
Make sure the functionfs filesystem is properly labeled, and that adbd
has access to the functionfs files.
Once labeled, this addresses the following denials:
<12>[ 16.127191] type=1400 audit(949060866.189:4): avc: denied { read write } for pid=223 comm="adbd" name="ep0" dev="functionfs" ino=5489 scontext=u:r:adbd:s0 tcontext=u:object_r:functionfs:s0 tclass=file
<12>[ 16.127406] type=1400 audit(949060866.189:5): avc: denied { open } for pid=223 comm="adbd" path="/dev/usb-ffs/adb/ep0" dev="functionfs" ino=5489 scontext=u:r:adbd:s0 tcontext=u:object_r:functionfs:s0 tclass=file
<12>[ 377.366011] type=1400 audit(949061227.419:16): avc: denied { ioctl } for pid=225 comm="adbd" path="/dev/usb-ffs/adb/ep2" dev="functionfs" ino=5564 scontext=u:r:adbd:s0 tcontext=u:object_r:functionfs:s0 tclass=file
Change-Id: Iee8b522e48b4d677fd12f7c83dbc7ffbc9543ad2
70 lines
2.1 KiB
Plaintext
70 lines
2.1 KiB
Plaintext
# adbd seclabel is specified in init.rc since
|
|
# it lives in the rootfs and has no unique file type.
|
|
type adbd, domain;
|
|
|
|
userdebug_or_eng(`
|
|
allow adbd su:process dyntransition;
|
|
')
|
|
|
|
domain_auto_trans(adbd, shell_exec, shell)
|
|
# this is an entrypoint
|
|
allow adbd rootfs:file entrypoint;
|
|
|
|
# Do not sanitize the environment or open fds of the shell.
|
|
allow adbd shell:process noatsecure;
|
|
|
|
# Set UID and GID to shell. Set supplementary groups.
|
|
allow adbd self:capability { setuid setgid };
|
|
|
|
# Drop capabilities from bounding set on user builds.
|
|
allow adbd self:capability setpcap;
|
|
|
|
# Create and use network sockets.
|
|
net_domain(adbd)
|
|
|
|
# Access /dev/android_adb or /dev/usb-ffs/adb/ep0
|
|
allow adbd adb_device:chr_file rw_file_perms;
|
|
allow adbd functionfs:dir search;
|
|
allow adbd functionfs:file rw_file_perms;
|
|
|
|
# Use a pseudo tty.
|
|
allow adbd devpts:chr_file rw_file_perms;
|
|
|
|
# adb push/pull /data/local/tmp.
|
|
allow adbd shell_data_file:dir rw_dir_perms;
|
|
allow adbd shell_data_file:file create_file_perms;
|
|
|
|
# adb push/pull sdcard.
|
|
allow adbd sdcard_type:dir create_dir_perms;
|
|
allow adbd sdcard_type:file create_file_perms;
|
|
|
|
# Set service.adb.*, sys.powerctl properties.
|
|
unix_socket_connect(adbd, property, init)
|
|
allow adbd shell_prop:property_service set;
|
|
allow adbd powerctl_prop:property_service set;
|
|
|
|
# XXX Run /system/bin/vdc to connect to vold. Run in a separate domain?
|
|
# Also covers running /system/bin/bu.
|
|
allow adbd system_file:file rx_file_perms;
|
|
unix_socket_connect(adbd, vold, vold)
|
|
|
|
# Perform binder IPC to surfaceflinger (screencap)
|
|
# XXX Run screencap in a separate domain?
|
|
binder_use(adbd)
|
|
binder_call(adbd, surfaceflinger)
|
|
# b/13188914
|
|
allow adbd gpu_device:chr_file rw_file_perms;
|
|
|
|
# Read /data/misc/adb/adb_keys.
|
|
allow adbd adb_keys_file:dir search;
|
|
allow adbd adb_keys_file:file r_file_perms;
|
|
|
|
# ndk-gdb invokes adb forward to forward the gdbserver socket.
|
|
allow adbd app_data_file:dir search;
|
|
allow adbd app_data_file:sock_file write;
|
|
allow adbd appdomain:unix_stream_socket connectto;
|
|
|
|
# ndk-gdb invokes adb pull of app_process, linker, and libc.so.
|
|
allow adbd zygote_exec:file r_file_perms;
|
|
allow adbd system_file:file r_file_perms;
|