Stephen Smalley  committed 431f549 Merge with conflicts

Merge branch 'master' into seandroid


  • Parent commits 1e37e06, 4e39317
  • Branches seandroid, seandroid-4.4


Files changed (1)

 # adbd seclabel is specified in init.rc since
 # it lives in the rootfs and has no unique file type.
 type adbd, domain, mlstrustedsubject;
+domain_auto_trans(adbd, shell_exec, shell)
+# this is an entrypoint
+allow adbd rootfs:file entrypoint;
+# Do not sanitize the environment or open fds of the shell.
+allow adbd shell:process noatsecure;
+# Set UID and GID to shell.  Set supplementary groups.
+allow adbd self:capability { setuid setgid };
+# Create and use network sockets.
+# Access /dev/android_adb.
 allow adbd adb_device:chr_file rw_file_perms;
+# On emulator, access /dev/qemu*.
 allow adbd qemu_device:chr_file rw_file_perms;
-allow adbd self:capability { net_raw setgid setuid setpcap dac_override sys_boot sys_admin };
-allow adbd rootfs:file { read entrypoint };
-allow adbd init:process sigchld;
-allow adbd self:tcp_socket *;
-allow adbd self:unix_stream_socket *;
-allow adbd node:tcp_socket node_bind;
-allow adbd port:tcp_socket name_bind;
+# Use a pseudo tty.
 allow adbd devpts:chr_file rw_file_perms;
-allow adbd cgroup:dir { write add_name create };
-allow adbd labeledfs:filesystem remount;
+# adb push/pull /data/local/tmp.
 allow adbd shell_data_file:dir rw_dir_perms;
 allow adbd shell_data_file:file create_file_perms;
+# adb push/pull sdcard.
 allow adbd sdcard_type:dir create_dir_perms;
 allow adbd sdcard_type:file create_file_perms;
-allow adbd graphics_device:dir search;
-allow adbd graphics_device:chr_file r_file_perms;
+# Set service.adb.*, sys.powerctl properties.
+unix_socket_connect(adbd, property, init)
+allow adbd shell_prop:property_service set;
+allow adbd powerctl_prop:property_service set;
 # XXX Run /system/bin/vdc to connect to vold.  Run in a separate domain?
+# Also covers running /system/bin/bu.
 allow adbd system_file:file rx_file_perms;
 unix_socket_connect(adbd, vold, vold)
-# Talk to init via the property socket.
-unix_socket_connect(adbd, property, init)
-# Run sh in its own domain.
-domain_auto_trans(adbd, shell_exec, shell)
-# Do not sanitize the environment of the shell.
-allow adbd shell:process noatsecure;
 # Perform binder IPC to surfaceflinger (screencap)
 # XXX Run screencap in a separate domain?
 allow adbd adb_keys_file:dir search;
 allow adbd adb_keys_file:file r_file_perms;
-# Set sys.powerctl
-allow adbd powerctl_prop:property_service set;
 # ndk-gdb invokes adb forward to forward the gdbserver socket.
 allow adbd app_data_file:dir search;
 allow adbd app_data_file:sock_file write;
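Review bot: The added comment `# Create and use network sockets.` has no rule under it in the shown lines; it runs straight into `# Access /dev/android_adb.`, while the same merge removes the `self:tcp_socket`, `node:tcp_socket node_bind` and `port:tcp_socket name_bind` allows. Unless network access is granted to adbd somewhere outside this view, adb over TCP would be denied once the domain is enforcing, and the comment tells an auditor that the file grants a permission it does not. If the rule was lost in conflict resolution, restore it under the comment as `net_domain(adbd)`; otherwise drop the comment. The context comment `# Perform binder IPC to surfaceflinger (screencap)` likewise sits directly above the `adb_keys_file` rules with no binder rule shown, so those lines deserve the same check. Shrinking the capability set to `{ setuid setgid }` is the right direction, but it should be confirmed on an enforcing build that adbd no longer needs `setpcap` to drop its bounding set.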