packages/architect/emulator/emulator_access.json
// https://android.googlesource.com/platform/prebuilts/android-emulator/+/refs/heads/main/linux-x86_64/lib/emulator_access.json
// This contains the allow lists of the emulator gRPC endpoint.
// This list defines which sets of methods are accessible by whom.
//
// You can protect the gRPC services as follows:
//
// - Unprotected: The set of methods that can be invoked even when
// no access token is presented. No security checks will
// be performed when these methods are invoked.
//
// - allowlist: A set of json objects that specifies for each token issuer,
// what is allowed and what requires an "aud" field.
//
// - "iss": The token issuer.
// - "allowed": List of methods which are allowed, even if no "aud" field
// is present on the jwt token.
// - "protected": List of methods which are allowed *ONLY IF* the given method
// is present in the "aud" field of the jwt token.
// Note: Methods that are not on the allowed or protected list will ALWAYS be rejected.
{
// Set of methods that do not require any validations, they do not require a token.
// You are always able to invoke this method, without presenting any form of authentication.
// This is a list of regular expressions. Access will be granted if the regular expression
// matches the endpoint.
"unprotected": [
".*" // Matches every method, no authentication will be used **DANGER**
// "/android.emulation.control.SnapshotService.*" // Everyone can make snapshots.
],
// List of methods that require a token, these are the methods
// we will allow if you present a signed JWT token.
"allowlist": [
{
// Removing android-studio from the allowlist *WILL* break the embedded emulator.
// You probably do not want to change this.
"iss": "android-studio", // Tokens issued by android-studio
// Can access the following set of methods, even if the AUD claim for
// the given method is *NOT* present.
"allowed": [
"/android.emulation.control.EmulatorController/.*",
// Interaction with extended controls.
"/android.emulation.control.UiController/.*",
// Snapshot related functions
"/android.emulation.control.SnapshotService/.*",
// Incubating services
"/android.emulation.control.incubating.*"
]
},
{
"iss": "icebox",
"protected": [
"/android.emulation.control.SnapshotService/PullSnapshot",
"/android.emulation.control.SnapshotService/DeleteSnapshot",
"/android.emulation.control.SnapshotService/TrackProcess"
]
},
{
// For tokens issued by gradle we have the following restrictions:
"iss": "gradle-utp-emulator-control",
// Can access the following set of methods, even if the AUD claim for
// the given method is *NOT* present.
//
// Usually these are methods that do not present a significant amount
// of danger.
"allowed": [
"/android.emulation.control.EmulatorController/getSensor",
"/android.emulation.control.EmulatorController/setSensor",
"/android.emulation.control.EmulatorController/setPhysicalModel",
"/android.emulation.control.EmulatorController/getPhysicalModel",
"/android.emulation.control.EmulatorController/streamPhysicalModel",
"/android.emulation.control.EmulatorController/setBattery",
"/android.emulation.control.EmulatorController/getBattery",
"/android.emulation.control.EmulatorController/setGps",
"/android.emulation.control.EmulatorController/getGps",
"/android.emulation.control.EmulatorController/sendPhone",
"/android.emulation.control.EmulatorController/sendSms",
"/android.emulation.control.EmulatorController/setDisplayConfigurations",
"/android.emulation.control.EmulatorController/getDisplayConfigurations",
"/android.emulation.control.EmulatorController/rotateVirtualSceneCamera",
"/android.emulation.control.EmulatorController/setVirtualSceneCameraVelocity",
"/android.emulation.control.EmulatorController/setPosture",
"/android.emulation.control.EmulatorController/getBrightness",
"/android.emulation.control.EmulatorController/setBrightness"
],
// Set of methods that can *ONLY* be accessed if given regex matches
// the entry on the "aud" claim.
"protected": [
"/android.emulation.control.EmulatorController/getScreenshot",
"/android.emulation.control.EmulatorController/streamScreenshot",
// Clipboard access can be used to exchange data between the guest
// and the host.
"/android.emulation.control.EmulatorController/setClipboard",
"/android.emulation.control.EmulatorController/getClipboard",
"/android.emulation.control.EmulatorController/streamClipboard",
// Can be used to "authenticate" with bio-data.
"/android.emulation.control.EmulatorController/sendFingerprint",
// Touch, key and mouse can be used to manipulate device state
"/android.emulation.control.EmulatorController/sendKey",
"/android.emulation.control.EmulatorController/sendTouch",
"/android.emulation.control.EmulatorController/sendMouse",
// Could be used to trigger the assistant through "Hey Google!"
"/android.emulation.control.EmulatorController/injectAudio",
"/android.emulation.control.EmulatorController/streamAudio",
"/android.emulation.control.EmulatorController/getLogcat",
"/android.emulation.control.EmulatorController/streamLogcat",
// Could be used to observe the device state.
"/android.emulation.control.EmulatorController/getStatus",
"/android.emulation.control.EmulatorController/streamNotification"
]
}
]
}