# Volume manager (vold) domain.
type vold, domain;
type vold_exec, exec_type, file_type;

init_daemon_domain(vold)

# NOTE(review): mlstrustedsubject presumably exempts vold from the MLS
# constraints defined elsewhere in the policy - confirm against the mls file.
typeattribute vold mlstrustedsubject;

# Execute files labelled system_file.
# NOTE(review): no domain transition is declared here, so if x_file_perms
# includes execute_no_trans (as in the stock macro set - confirm in this tree)
# these binaries run with vold's full permission set.
allow vold system_file:file x_file_perms;

# Device nodes and the directories that hold them.
allow vold block_device:dir create_dir_perms;
allow vold block_device:blk_file create_file_perms;
allow vold loop_device:blk_file rw_file_perms;
allow vold dm_device:chr_file rw_file_perms;
allow vold device:dir write;
allow vold devpts:chr_file rw_file_perms;

# Mount points and the filesystems vold mounts on them.
allow vold rootfs:dir mounton;
allow vold sdcard_type:filesystem { mount remount unmount };
allow vold sdcard_type:dir { create_dir_perms mounton };
allow vold sdcard_type:file create_file_perms;
allow vold tmpfs:filesystem { mount unmount };
allow vold tmpfs:dir { create_dir_perms mounton };

# Capabilities. sys_admin and dac_override are the broadest grants in this
# set; review any addition to this list with that in mind.
allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner fsetid };

# Kernel uevent socket. "*" grants every permission in the class.
# NOTE(review): consider narrowing to a named set such as create_socket_perms
# once audit logs confirm nothing else is needed.
allow vold self:netlink_kobject_uevent_socket *;

# Read/write on application data files; directory access is search only.
# NOTE(review): this covers every file labelled app_data_file - confirm which
# vold feature needs it and whether a narrower type would do.
allow vold app_data_file:dir search;
allow vold app_data_file:file rw_file_perms;

# For vold Process::killProcessesWithOpenFiles function.
# Reads entries labelled with any domain (presumably /proc/<pid> - confirm)
# and may signal or kill a process in any domain.
allow vold domain:dir r_dir_perms;
allow vold domain:{ file lnk_file } r_file_perms;
allow vold domain:process { signal sigkill };
allow vold self:capability { sys_ptrace kill };

# For blkid
# NOTE(review): as with system_file above, no transition is declared for the
# shell, so anything started through it presumably stays in the vold domain.
allow vold shell_exec:file rx_file_perms;

# XXX Label sysfs files with a specific type?
# Until then this is read/write on every file carrying the generic sysfs label.
allow vold sysfs:file rw_file_perms;

write_klog(vold)

#
# Rules to support encrypted fs support.
#

# Set property.
unix_socket_connect(vold, property, init)

# Unmount and mount the fs.
allow vold labeledfs:filesystem { mount unmount remount };

# Access /efs/userdata_footer.
# XXX Split into a separate type?
allow vold efs_file:file rw_file_perms;

# Create and mount on /data/tmp_mnt.
# The grant is on the generic system_data_file label, so it is not limited to
# that one path.
allow vold system_data_file:dir { create rw_dir_perms mounton };
allow vold system_data_file:file create_file_perms;

# Set scheduling policy of kernel processes
allow vold kernel:process setsched;

# Property Service
# NOTE(review): powerctl_prop and ctl_default_prop presumably map to the
# power-control and service-control property namespaces - confirm in
# property_contexts; both are high-impact for a domain to set.
allow vold vold_prop:property_service set;
allow vold powerctl_prop:property_service set;
allow vold ctl_default_prop:property_service set;

# ASEC
allow vold asec_image_file:file create_file_perms;
allow vold asec_image_file:dir rw_dir_perms;
security_access_policy(vold)
allow vold asec_apk_file:dir { rw_dir_perms setattr };
allow vold asec_apk_file:file { r_file_perms setattr };