From 6c768d74870f8ec968fd87aa8c534745698a1867 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Thu, 7 Apr 2016 14:04:41 -0700
Subject: [PATCH] adbd: disallow non-shell domain transitions.

Make sure adbd can't transition to other non-shell domains,
and in particular, can't transition to the su user on user builds.

Bug: 27270128
Change-Id: I67dc974da460d63879f5ff3e1258af8eb790a815
---
 adbd.te | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/adbd.te b/adbd.te
index 2734a331a..68a37a74d 100644
--- a/adbd.te
+++ b/adbd.te
@@ -100,3 +100,13 @@ allow adbd storage_file:dir r_dir_perms;
 allow adbd storage_file:lnk_file r_file_perms;
 allow adbd mnt_user_file:dir r_dir_perms;
 allow adbd mnt_user_file:lnk_file r_file_perms;
+
+###
+### Neverallow rules
+###
+
+# No transitions from adbd to non-shell domains. adbd only ever
+# transitions to the shell domain. In particular, we never want
+# to see a transition from adbd to su (aka "adb root")
+neverallow adbd { domain -shell }:process transition;
+neverallow adbd { domain userdebug_or_eng(`-su') }:process dyntransition;
-- 
GitLab