authorNick Kralevich <nnk@google.com>2014-01-18 09:25:04 -0800
committerNick Kralevich <nnk@google.com>2014-01-22 14:20:17 -0800
commitd49aa2537cf0b454dfaa4b0312a403ebff202d70 (patch)
tree872758864bb935904df0daa6eb824b6bfec0f3da
parent1db584b899dffca884c3842c07da189f7c9af470 (diff)
adbd: switch to su domain when running as root
When adbd runs as root, it should transition into the su domain. This is needed to run the adbd and shell domains in enforcing on userdebug / eng devices without breaking developer workflows. Introduce a new device_banner command line option. Change-Id: Ib33c0dd2dd6172035230514ac84fcaed2ecf44d6
-rw-r--r--adb/adb.c36
-rw-r--r--rootdir/init.rc2
2 files changed, 30 insertions, 8 deletions
diff --git a/adb/adb.c b/adb/adb.c
index 41270f9..665e958 100644
--- a/adb/adb.c
+++ b/adb/adb.c
@@ -39,6 +39,8 @@
#include <sys/capability.h>
#include <linux/prctl.h>
#include <sys/mount.h>
+#include <getopt.h>
+#include <selinux/selinux.h>
#else
#include "usb_vendors.h"
#endif
@@ -54,6 +56,7 @@ static int auth_enabled = 0;
#if !ADB_HOST
static const char *adb_device_banner = "device";
+static const char *root_seclabel = NULL;
#endif
void fatal(const char *fmt, ...)
@@ -1356,6 +1359,12 @@ int adb_main(int is_daemon, int server_port)
D("Local port disabled\n");
} else {
char local_name[30];
+ if ((root_seclabel != NULL) && (is_selinux_enabled() > 0)) {
+ // b/12587913: fix setcon to allow const pointers
+ if (setcon((char *)root_seclabel) < 0) {
+ exit(1);
+ }
+ }
build_local_name(local_name, sizeof(local_name), server_port);
if(install_listener(local_name, "*smartsocket*", NULL, 0)) {
exit(1);
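Review bot: When `setcon()` fails, the daemon calls `exit(1)` without recording why, so a rejected transition or a mistyped label looks the same as the `install_listener` failure a few lines below. Exiting rather than carrying on as root in the old context is the right choice, but it should be logged first, e.g. `D("setcon(%s) failed: %s\n", root_seclabel, strerror(errno));` (assuming errno.h and string.h are already included in adb.c). Separately, `is_selinux_enabled() > 0` treats an error return the same as "disabled", so in that case the switch is skipped with no trace. adb_main's body starts and ends outside the hunk.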
@@ -1642,10 +1651,6 @@ int handle_host_request(char *service, transport_type ttype, char* serial, int r
return -1;
}
-#if !ADB_HOST
-int recovery_mode = 0;
-#endif
-
int main(int argc, char **argv)
{
#if ADB_HOST
@@ -1657,9 +1662,26 @@ int main(int argc, char **argv)
/* If adbd runs inside the emulator this will enable adb tracing via
* adb-debug qemud service in the emulator. */
adb_qemu_trace_init();
- if((argc > 1) && (!strcmp(argv[1],"recovery"))) {
- adb_device_banner = "recovery";
- recovery_mode = 1;
+ while(1) {
+ int c;
+ int option_index = 0;
+ static struct option opts[] = {
+ {"root_seclabel", required_argument, 0, 's' },
+ {"device_banner", required_argument, 0, 'b' }
+ };
+ c = getopt_long(argc, argv, "", opts, &option_index);
+ if (c == -1)
+ break;
+ switch (c) {
+ case 's':
+ root_seclabel = optarg;
+ break;
+ case 'b':
+ adb_device_banner = optarg;
+ break;
+ default:
+ break;
+ }
}
start_device_log();
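Review bot: The `opts[]` table passed to `getopt_long` has no terminating all-zero entry, so the option scan can read past the end of the array when an argument matches neither `root_seclabel` nor `device_banner`. That is undefined behaviour in a process that may still be running as root at this point; add `{ 0, 0, 0, 0 }` as the last element. The `default:` case also drops unknown options silently. The bare `recovery` argument handled by the removed lines is no longer recognised, so any caller still passing it would need `--device_banner=recovery`; no such caller is visible in this diff. main() begins and continues outside the hunk.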
diff --git a/rootdir/init.rc b/rootdir/init.rc
index a66a2e4..a32366c 100644
--- a/rootdir/init.rc
+++ b/rootdir/init.rc
@@ -442,7 +442,7 @@ on property:ro.debuggable=1
start console
# adbd is controlled via property triggers in init.<platform>.usb.rc
-service adbd /sbin/adbd
+service adbd /sbin/adbd --root_seclabel=u:r:su:s0
class core
socket adbd stream 660 system system
disabled
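Review bot: Nothing on the changed service line limits `--root_seclabel=u:r:su:s0` to the userdebug / eng builds named in the commit description. The label is only acted on in the `else` branch of adb_main shown in the adb/adb.c hunk, and whether that branch can be reached on other builds is not visible here. A comment above the service line would record that dependency, for example `# --root_seclabel: context adbd switches to via setcon() when it does not drop root`.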