app: connect to adbd

Permission to connect to adb was removed from untrusted_app when the domain_deprecated attribute was removed. Add it back to support debugging of apps. Grant to all apps as eventually domain_deprecated will be removed from everything. Bug: 26458796 Change-Id: I4356e6d011094cdb6829210dd0eec443b21f8496

app: connect to adbd
2fdeab37 · Jeff Vander Stoep · 45517a75 · 2fdeab37 · 2fdeab37
Commit 2fdeab37 authored 9 years ago by Jeff Vander Stoep
--- a/app.te
+++ b/app.te
@@ -231,6 +231,12 @@ auditallow { appdomain userdebug_or_eng(`-su') } sysfs:file r_file_perms;
 # device traffic. Do not allow untrusted app to directly open tun_device
 allow { appdomain -isolated_app } tun_device:chr_file { read write getattr ioctl append };

+# Connect to adbd and use a socket transferred from it.
+# This is used for e.g. adb backup/restore.
+allow appdomain adbd:unix_stream_socket connectto;
+allow appdomain adbd:fd use;
+allow appdomain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
+
 ###
 ### Neverallow rules
 ###

--- a/shell.te
+++ b/shell.te
@@ -21,10 +21,6 @@ userdebug_or_eng(`
  allow shell misc_logd_file:file r_file_perms;
 ')

-# interact with adb
-allow shell adbd:fd use;
-allow shell adbd:unix_stream_socket { read write ioctl getattr };
-
 # Root fs.
 allow shell rootfs:dir r_dir_perms;