| # volume manager |
| type vold, domain; |
| type vold_exec, exec_type, file_type, system_file_type; |
| |
| # Read already opened /cache files. |
| allow vold cache_file:dir r_dir_perms; |
| allow vold cache_file:file { getattr read }; |
| allow vold cache_file:lnk_file r_file_perms; |
| |
| r_dir_file(vold, { sysfs_type -sysfs_batteryinfo }) |
| # XXX Label sysfs files with a specific type? |
| allow vold { |
| sysfs # writing to /sys/*/uevent during coldboot. |
| sysfs_devices_block |
| sysfs_dm |
| sysfs_loop # writing to /sys/block/loop*/uevent during coldboot. |
| sysfs_usb |
| sysfs_zram_uevent |
| sysfs_fs_f2fs |
| }:file w_file_perms; |
| |
| r_dir_file(vold, rootfs) |
| r_dir_file(vold, metadata_file) |
| allow vold { |
| proc # b/67049235 processes /proc/<pid>/* files are mislabeled. |
| proc_bootconfig |
| proc_cmdline |
| proc_drop_caches |
| proc_filesystems |
| proc_meminfo |
| proc_mounts |
| }:file r_file_perms; |
| |
| #Get file contexts |
| allow vold file_contexts_file:file r_file_perms; |
| |
| # Allow us to jump into execution domains of above tools |
| allow vold self:process setexec; |
| |
| # For formatting adoptable storage devices |
| allow vold e2fs_exec:file rx_file_perms; |
| |
| # Run fstrim on mounted partitions |
| # allowxperm still requires the ioctl permission for the individual type |
| allowxperm vold { fs_type file_type }:dir ioctl FITRIM; |
| |
| # Get/set file-based encryption policies on dirs in /data and adoptable storage, |
| # and add/remove file-based encryption keys. |
| allowxperm vold data_file_type:dir ioctl { |
| FS_IOC_GET_ENCRYPTION_POLICY |
| FS_IOC_SET_ENCRYPTION_POLICY |
| FS_IOC_ADD_ENCRYPTION_KEY |
| FS_IOC_REMOVE_ENCRYPTION_KEY |
| FS_IOC_GET_ENCRYPTION_KEY_STATUS |
| }; |
| |
| # Only vold and init should ever set file-based encryption policies. |
| neverallowxperm { |
| domain |
| -vold |
| -init |
| -vendor_init |
| } data_file_type:dir ioctl { FS_IOC_SET_ENCRYPTION_POLICY }; |
| |
| # Only vold should ever add/remove file-based encryption keys. |
| neverallowxperm { |
| domain |
| -vold |
| } data_file_type:dir ioctl { FS_IOC_ADD_ENCRYPTION_KEY FS_IOC_REMOVE_ENCRYPTION_KEY FS_IOC_GET_ENCRYPTION_KEY_STATUS }; |
| |
| # Allow securely erasing crypto key files. F2FS_IOC_SEC_TRIM_FILE is |
| # tried first. Otherwise, FS_IOC_FIEMAP is needed to get the |
| # location of the file's blocks on the raw block device to erase. |
| allowxperm vold { |
| vold_data_file |
| vold_metadata_file |
| }:file ioctl { |
| F2FS_IOC_SEC_TRIM_FILE |
| FS_IOC_FIEMAP |
| }; |
| |
| typeattribute vold mlstrustedsubject; |
| allow vold self:process setfscreate; |
| allow vold system_file:file x_file_perms; |
| not_full_treble(`allow vold vendor_file:file x_file_perms;') |
| allow vold block_device:dir create_dir_perms; |
| allow vold device:dir write; |
| allow vold devpts:chr_file rw_file_perms; |
| allow vold rootfs:dir mounton; |
| allow vold { sdcard_type fuse }:dir mounton; # TODO: deprecated in M |
| allow vold { sdcard_type fuse }:filesystem { mount remount unmount }; # TODO: deprecated in M |
| |
| # Manage locations where storage is mounted |
| allow vold { mnt_media_rw_file storage_file sdcard_type fuse }:dir create_dir_perms; |
| allow vold { mnt_media_rw_file storage_file sdcard_type fuse }:file create_file_perms; |
| |
| # Access to storage that backs emulated FUSE daemons for migration optimization |
| allow vold media_rw_data_file:dir create_dir_perms; |
| allow vold media_rw_data_file:file create_file_perms; |
| # Allow mounting (lower filesystem) on parts of media for performance |
| allow vold media_rw_data_file:dir mounton; |
| |
| # Allow setting extended attributes (for project quota IDs) on files and dirs |
| # and to enable project ID inheritance through FS_IOC_SETFLAGS |
| allowxperm vold media_rw_data_file:{ dir file } ioctl { |
| FS_IOC_FSGETXATTR |
| FS_IOC_FSSETXATTR |
| FS_IOC_GETFLAGS |
| FS_IOC_SETFLAGS |
| }; |
| |
| # Allow mounting of storage devices |
| allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr }; |
| |
| # Manage per-user primary symlinks |
| allow vold mnt_user_file:dir { create_dir_perms mounton }; |
| allow vold mnt_user_file:lnk_file create_file_perms; |
| allow vold mnt_user_file:file create_file_perms; |
| |
| # Manage per-user pass_through primary symlinks |
| allow vold mnt_pass_through_file:dir { create_dir_perms mounton }; |
| allow vold mnt_pass_through_file:lnk_file create_file_perms; |
| |
| # Allow to create and mount expanded storage |
| allow vold mnt_expand_file:dir { create_dir_perms mounton }; |
| allow vold apk_data_file:dir { create getattr setattr }; |
| allow vold shell_data_file:dir { create getattr setattr }; |
| |
| # Allow to mount incremental file system on /data/incremental and create files |
| allow vold apk_data_file:dir { mounton rw_dir_perms }; |
| # Allow to create and write files in /data/incremental |
| allow vold apk_data_file:file { rw_file_perms unlink }; |
| # Allow to bind-mount incremental file system on /data/app/vmdl*.tmp and read files |
| allow vold apk_tmp_file:dir { mounton r_dir_perms }; |
| # Allow to read incremental control file and call selinux restorecon on it |
| allow vold incremental_control_file:file { r_file_perms relabelto }; |
| |
| allow vold tmpfs:filesystem { mount unmount }; |
| allow vold tmpfs:dir create_dir_perms; |
| allow vold tmpfs:dir mounton; |
| allow vold self:global_capability_class_set { net_admin dac_override dac_read_search mknod sys_admin chown fowner fsetid }; |
| allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; |
| allow vold loop_control_device:chr_file rw_file_perms; |
| allow vold loop_device:blk_file { create setattr unlink rw_file_perms }; |
| allowxperm vold loop_device:blk_file ioctl { |
| LOOP_CLR_FD |
| LOOP_CTL_GET_FREE |
| LOOP_GET_STATUS64 |
| LOOP_SET_FD |
| LOOP_SET_STATUS64 |
| }; |
| allow vold vold_device:blk_file { create setattr unlink rw_file_perms }; |
| allowxperm vold vold_device:blk_file ioctl { BLKDISCARD BLKGETSIZE }; |
| allow vold dm_device:chr_file rw_file_perms; |
| allow vold dm_device:blk_file rw_file_perms; |
| allowxperm vold dm_device:blk_file ioctl { BLKDISCARD BLKSECDISCARD }; |
| # For vold Process::killProcessesWithOpenFiles function. |
| allow vold domain:dir r_dir_perms; |
| allow vold domain:{ file lnk_file } r_file_perms; |
| allow vold domain:process { signal sigkill }; |
| allow vold self:global_capability_class_set { sys_ptrace kill }; |
| |
| allow vold kmsg_device:chr_file rw_file_perms; |
| |
| # Run fsck in the fsck domain. |
| allow vold fsck_exec:file { r_file_perms execute }; |
| |
| # Log fsck results |
| allow vold fscklogs:dir rw_dir_perms; |
| allow vold fscklogs:file create_file_perms; |
| |
| # Mount and unmount filesystems. |
| allow vold labeledfs:filesystem { mount unmount remount }; |
| |
| # Create and mount on /data/tmp_mnt and management of expansion mounts |
| allow vold { |
| system_data_file |
| system_data_root_file |
| }:dir { create rw_dir_perms mounton setattr rmdir }; |
| allow vold system_data_file:lnk_file getattr; |
| |
| # Vold create users in /data/vendor_{ce,de}/[0-9]+ |
| allow vold vendor_data_file:dir create_dir_perms; |
| |
| # for secdiscard |
| allow vold system_data_file:file read; |
| |
| # Set scheduling policy of kernel processes |
| allow vold kernel:process setsched; |
| |
| # ASEC |
| allow vold asec_image_file:file create_file_perms; |
| allow vold asec_image_file:dir rw_dir_perms; |
| allow vold asec_apk_file:dir { create_dir_perms mounton relabelfrom relabelto }; |
| allow vold asec_public_file:dir { relabelto setattr }; |
| allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto }; |
| allow vold asec_public_file:file { relabelto setattr }; |
| # restorecon files in asec containers created on 4.2 or earlier. |
| allow vold unlabeled:dir { r_dir_perms setattr relabelfrom }; |
| allow vold unlabeled:file { r_file_perms setattr relabelfrom }; |
| |
| # Access to FUSE control filesystem to hard-abort FUSE mounts |
| allow vold fusectlfs:file rw_file_perms; |
| allow vold fusectlfs:dir rw_dir_perms; |
| |
| # Allow vold to use wake locks. Needed for idle maintenance and moving storage. |
| wakelock_use(vold) |
| |
| # Allow vold to publish a binder service and make binder calls. |
| binder_use(vold) |
| add_service(vold, vold_service) |
| |
| # Allow vold to call into the system server so it can check permissions. |
| binder_call(vold, system_server) |
| allow vold permission_service:service_manager find; |
| |
| # talk to health storage HAL |
| hal_client_domain(vold, hal_health_storage) |
| |
| # talk to bootloader HAL |
| full_treble_only(`hal_client_domain(vold, hal_bootctl)') |
| |
| # Access userdata block device. |
| allow vold userdata_block_device:blk_file rw_file_perms; |
| allowxperm vold userdata_block_device:blk_file ioctl BLKSECDISCARD; |
| |
| # Access metadata block device used for encryption meta-data. |
| allow vold metadata_block_device:blk_file rw_file_perms; |
| allowxperm vold metadata_block_device:blk_file ioctl BLKSECDISCARD; |
| |
| # Allow vold to manipulate /data/unencrypted |
| allow vold unencrypted_data_file:{ file } create_file_perms; |
| allow vold unencrypted_data_file:dir create_dir_perms; |
| |
| # Write to /proc/sys/vm/drop_caches |
| allow vold proc_drop_caches:file w_file_perms; |
| |
| # Give vold a place where only vold can store files; everyone else is off limits |
| allow vold vold_data_file:dir create_dir_perms; |
| allow vold vold_data_file:file create_file_perms; |
| |
| # And a similar place in the metadata partition |
| allow vold vold_metadata_file:dir create_dir_perms; |
| allow vold vold_metadata_file:file create_file_perms; |
| |
| # linux keyring configuration |
| allow vold init:key { write search setattr }; |
| allow vold vold:key { write search setattr }; |
| |
| # vold temporarily changes its priority when running benchmarks |
| allow vold self:global_capability_class_set sys_nice; |
| |
| # vold needs to chroot into app namespaces to remount when runtime permissions change |
| allow vold self:global_capability_class_set sys_chroot; |
| allow vold storage_file:dir mounton; |
| |
| # For AppFuse. |
| allow vold fuse_device:chr_file rw_file_perms; |
| allow vold fuse:filesystem { relabelfrom }; |
| allow vold app_fusefs:filesystem { relabelfrom relabelto }; |
| allow vold app_fusefs:filesystem { mount unmount }; |
| allow vold app_fuse_file:dir rw_dir_perms; |
| allow vold app_fuse_file:file { read write open getattr append }; |
| |
| # MoveStorage.cpp executes cp and rm |
| allow vold toolbox_exec:file rx_file_perms; |
| |
| # Prepare profile dir for users. |
| allow vold { user_profile_data_file user_profile_root_file }:dir create_dir_perms; |
| |
| # Raw writes to misc block device |
| allow vold misc_block_device:blk_file w_file_perms; |
| |
| # vold might need to search or mount /mnt/vendor/* |
| allow vold mnt_vendor_file:dir search; |
| |
| dontaudit vold self:global_capability_class_set sys_resource; |
| |
| # Allow ReadDefaultFstab(). |
| read_fstab(vold) |
| |
| # vold might need to search loopback apex files |
| allow vold vendor_apex_file:file r_file_perms; |
| |
| neverallow { |
| domain |
| -vold |
| -vold_prepare_subdirs |
| } vold_data_file:dir ~{ open create read getattr setattr search relabelfrom relabelto ioctl }; |
| |
| neverallow { |
| domain |
| -init |
| -vold |
| -vold_prepare_subdirs |
| } vold_data_file:dir *; |
| |
| neverallow { |
| domain |
| -init |
| -vold |
| } vold_metadata_file:dir *; |
| |
| neverallow { |
| domain |
| -kernel |
| -vold |
| -vold_prepare_subdirs |
| } vold_data_file:notdevfile_class_set ~{ relabelto getattr }; |
| |
| neverallow { |
| domain |
| -init |
| -vold |
| -vold_prepare_subdirs |
| } vold_metadata_file:notdevfile_class_set ~{ relabelto getattr }; |
| |
| neverallow { |
| domain |
| -init |
| -kernel |
| -vold |
| -vold_prepare_subdirs |
| } { vold_data_file vold_metadata_file }:notdevfile_class_set *; |
| |
| neverallow { domain -vold -init } restorecon_prop:property_service set; |
| |
| neverallow vold { |
| domain |
| -hal_health_storage_server |
| -system_suspend_server |
| -hal_bootctl_server |
| -hwservicemanager |
| -iorapd_service |
| -keystore |
| -servicemanager |
| -system_server |
| userdebug_or_eng(`-su') |
| }:binder call; |
| |
| neverallow vold fsck_exec:file execute_no_trans; |
| neverallow { domain -init } vold:process { transition dyntransition }; |
| neverallow vold *:process ptrace; |
| neverallow vold *:rawip_socket *; |