Commit 6c768d74 authored by Nick Kralevich

adbd: disallow non-shell domain transitions.

Make sure adbd can't transition to other non-shell domains,
and in particular, can't transition to the su user on user builds.

Bug: 27270128
Change-Id: I67dc974da460d63879f5ff3e1258af8eb790a815
parent 3541843a
...@@ -100,3 +100,13 @@ allow adbd storage_file:dir r_dir_perms; ...@@ -100,3 +100,13 @@ allow adbd storage_file:dir r_dir_perms;
allow adbd storage_file:lnk_file r_file_perms; allow adbd storage_file:lnk_file r_file_perms;
allow adbd mnt_user_file:dir r_dir_perms; allow adbd mnt_user_file:dir r_dir_perms;
allow adbd mnt_user_file:lnk_file r_file_perms; allow adbd mnt_user_file:lnk_file r_file_perms;
###
### Neverallow rules
###
# No transitions from adbd to non-shell domains. adbd only ever
# transitions to the shell domain. In particular, we never want
# to see a transition from adbd to su (aka "adb root")
neverallow adbd { domain -shell }:process transition;
neverallow adbd { domain userdebug_or_eng(`-su') }:process dyntransition;
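Review bot: The comment above the two neverallow rules says adbd "only ever transitions to the shell domain" and never to su, but the second rule carves out an exception with userdebug_or_eng(`-su'), so a dyntransition from adbd to su is still permitted on userdebug and eng builds. The commit message limits the claim to "user builds"; the in-file comment should say the same so a later reader does not take the rule as unconditional. It would also help to note in the comment that the two rules cover different permissions: the transition rule excludes only shell on every build type, while the dyntransition rule covers every domain, shell included, on user builds.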