From 2fdeab3789ec6e5ec6f7424abf41a9aaa73564b0 Mon Sep 17 00:00:00 2001
From: Jeff Vander Stoep <jeffv@google.com>
Date: Mon, 25 Jan 2016 15:20:05 -0800
Subject: [PATCH] app: connect to adbd

Permission to connect to adb was removed from untrusted_app when
the domain_deprecated attribute was removed. Add it back to support
debugging of apps. Grant it to all apps, since domain_deprecated will
eventually be removed from everything.

Bug: 26458796
Change-Id: I4356e6d011094cdb6829210dd0eec443b21f8496
---
 app.te   | 6 ++++++
 shell.te | 4 ----
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/app.te b/app.te
index f7f1a2170..60fb0a22d 100644
--- a/app.te
+++ b/app.te
@@ -231,6 +231,12 @@ auditallow { appdomain userdebug_or_eng(`-su') } sysfs:file r_file_perms;
 # device traffic. Do not allow untrusted app to directly open tun_device
 allow { appdomain -isolated_app } tun_device:chr_file { read write getattr ioctl append };
 
+# Connect to adbd and use a socket transferred from it.
+# This is used for e.g. adb backup/restore.
+allow appdomain adbd:unix_stream_socket connectto;
+allow appdomain adbd:fd use;
+allow appdomain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
+
 ###
 ### Neverallow rules
 ###
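Review bot: The three new allow rules on lines 28–30 grant every appdomain, isolated_app included, the right to initiate a connection to adbd (`connectto`) rather than only to use an fd handed over by it, while the tun_device rule two lines above deliberately carves out isolated_app; if isolated processes have no backup/restore use case, the same exclusion would keep the widening minimal: `allow { appdomain -isolated_app } adbd:unix_stream_socket connectto;` and likewise for the `fd use` and socket-permission rules. Because adbd's listening socket becomes reachable from any app, the comment should also say which adbd listener this is meant to reach and that adbd presumably performs its own check on the connecting peer, e.g. `# Any app may connectto adbd; adbd is expected to validate the caller itself.` Whether isolated_app is already fenced off from adbd by a neverallow elsewhere in the policy cannot be seen from this hunk.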
diff --git a/shell.te b/shell.te
index 55757b043..887887316 100644
--- a/shell.te
+++ b/shell.te
@@ -21,10 +21,6 @@ userdebug_or_eng(`
   allow shell misc_logd_file:file r_file_perms;
 ')
 
-# interact with adb
-allow shell adbd:fd use;
-allow shell adbd:unix_stream_socket { read write ioctl getattr };
-
 # Root fs.
 allow shell rootfs:dir r_dir_perms;
 
-- 
GitLab