adbd.te revision 3b9fd5ffcd3badffc08e3e71ba4cc41d3a73c9e4
1# adbd seclabel is specified in init.rc since 2# it lives in the rootfs and has no unique file type. 3type adbd, domain, mlstrustedsubject; 4allow adbd adb_device:chr_file rw_file_perms; 5allow adbd qemu_device:chr_file rw_file_perms; 6allow adbd self:capability { net_raw setgid setuid setpcap dac_override sys_boot sys_admin }; 7allow adbd rootfs:file { r_file_perms entrypoint }; 8allow adbd init:process sigchld; 9allow adbd self:tcp_socket *; 10allow adbd self:unix_stream_socket *; 11allow adbd node:tcp_socket node_bind; 12allow adbd port:tcp_socket name_bind; 13allow adbd devpts:chr_file rw_file_perms; 14allow adbd cgroup:dir { write add_name create }; 15allow adbd labeledfs:filesystem remount; 16allow adbd shell_data_file:dir rw_dir_perms; 17allow adbd shell_data_file:file create_file_perms; 18allow adbd sdcard_type:dir create_dir_perms; 19allow adbd sdcard_type:file create_file_perms; 20 21allow adbd graphics_device:dir search; 22allow adbd graphics_device:chr_file r_file_perms; 23# XXX Run /system/bin/vdc to connect to vold. Run in a separate domain? 24allow adbd system_file:file rx_file_perms; 25unix_socket_connect(adbd, vold, vold) 26# Talk to init via the property socket. 27unix_socket_connect(adbd, property, init) 28 29# Run sh in its own domain. 30domain_auto_trans(adbd, shell_exec, shell) 31# Do not sanitize the environment of the shell. 32allow adbd shell:process noatsecure; 33 34# XXX Mostly to access system properties and keys- maybe those should be their own type? 35allow adbd system_data_file:file create_file_perms; 36allow adbd system_data_file:dir create_dir_perms; 37 38# Perform binder IPC to surfaceflinger (screencap) 39# XXX Run screencap in a separate domain? 40binder_use(adbd) 41binder_call(adbd, surfaceflinger) 42