app: connect to adbd

Permission to connect to adb was removed from untrusted_app when
the domain_deprecated attribute was removed. Add it back to support
debugging of apps. Grant to all apps as eventually
domain_deprecated will be removed from everything.

Bug: 26458796
Change-Id: I4356e6d011094cdb6829210dd0eec443b21f8496
diff --git a/app.te b/app.te
index f7f1a21..60fb0a2 100644
--- a/app.te
+++ b/app.te
@@ -231,6 +231,12 @@
 # device traffic. Do not allow untrusted app to directly open tun_device
 allow { appdomain -isolated_app } tun_device:chr_file { read write getattr ioctl append };
 
+# Connect to adbd and use a socket transferred from it.
+# This is used for e.g. adb backup/restore.
+allow appdomain adbd:unix_stream_socket connectto;
+allow appdomain adbd:fd use;
+allow appdomain adbd:unix_stream_socket { getattr getopt ioctl read write shutdown };
+
 ###
 ### Neverallow rules
 ###
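Review bot: The three new `allow appdomain adbd:...` rules cover every app domain, including `isolated_app`, which the `tun_device` rule directly above deliberately excludes with `{ appdomain -isolated_app }`. If isolated processes do not need adb backup/restore or debugging sockets, scoping the source the same way, e.g. `allow { appdomain -isolated_app } adbd:unix_stream_socket connectto;` (and likewise for the `fd use` and socket-permission lines), would avoid giving the most restricted sandbox a channel to adbd. The socket rule also grants `getopt` and `shutdown`, which the removed shell rule did not have, so it is worth confirming that each is required. The comment names only backup/restore while the commit message gives debugging as the motivation; something like `# Used for adb backup/restore and for debugging of apps.` would record both.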
diff --git a/shell.te b/shell.te
index 55757b0..8878873 100644
--- a/shell.te
+++ b/shell.te
@@ -21,10 +21,6 @@
   allow shell misc_logd_file:file r_file_perms;
 ')
 
-# interact with adb
-allow shell adbd:fd use;
-allow shell adbd:unix_stream_socket { read write ioctl getattr };
-
 # Root fs.
 allow shell rootfs:dir r_dir_perms;