Home | History | Annotate | Download | only in sepolicy 
      1 # volume manager
      2 type vold, domain;
      3 type vold_exec, exec_type, file_type;
      4 
      5 init_daemon_domain(vold)
      6 
      7 typeattribute vold mlstrustedsubject;
      8 allow vold system_file:file x_file_perms;
      9 allow vold block_device:dir create_dir_perms;
     10 allow vold block_device:blk_file create_file_perms;
     11 allow vold device:dir write;
     12 allow vold devpts:chr_file rw_file_perms;
     13 allow vold rootfs:dir mounton;
     14 allow vold sdcard_type:dir mounton;
     15 allow vold sdcard_type:filesystem { mount remount unmount };
     16 allow vold sdcard_type:dir create_dir_perms;
     17 allow vold sdcard_type:file create_file_perms;
     18 allow vold tmpfs:filesystem { mount unmount };
     19 allow vold tmpfs:dir create_dir_perms;
     20 allow vold tmpfs:dir mounton;
     21 allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner fsetid };
     22 allow vold self:netlink_kobject_uevent_socket create_socket_perms;
     23 allow vold app_data_file:dir search;
     24 allow vold app_data_file:file rw_file_perms;
     25 allow vold loop_device:blk_file rw_file_perms;
     26 allow vold dm_device:chr_file rw_file_perms;
     27 # For vold Process::killProcessesWithOpenFiles function.
     28 allow vold domain:dir r_dir_perms;
     29 allow vold domain:{ file lnk_file } r_file_perms;
     30 allow vold domain:process { signal sigkill };
     31 allow vold self:capability { sys_ptrace kill };
     32 
     33 # For blkid
     34 allow vold shell_exec:file rx_file_perms;
     35 
     36 # XXX Label sysfs files with a specific type?
     37 allow vold sysfs:file rw_file_perms;
     38 
     39 write_klog(vold)
     40 
     41 # Log fsck results
     42 allow vold fscklogs:dir rw_dir_perms;
     43 allow vold fscklogs:file create_file_perms;
     44 
     45 #
     46 # Rules to support encrypted fs support.
     47 #
     48 
     49 # Set property.
     50 unix_socket_connect(vold, property, init)
     51 
     52 # Unmount and mount the fs.
     53 allow vold labeledfs:filesystem { mount unmount remount };
     54 
     55 # Access /efs/userdata_footer.
     56 # XXX Split into a separate type?
     57 allow vold efs_file:file rw_file_perms;
     58 
     59 # Create and mount on /data/tmp_mnt.
     60 allow vold system_data_file:dir { create rw_dir_perms mounton };
     61 
     62 # Set scheduling policy of kernel processes
     63 allow vold kernel:process setsched;
     64 
     65 # Property Service
     66 allow vold vold_prop:property_service set;
     67 allow vold powerctl_prop:property_service set;
     68 allow vold ctl_fuse_prop:property_service set;
     69 
     70 # ASEC
     71 allow vold asec_image_file:file create_file_perms;
     72 allow vold asec_image_file:dir rw_dir_perms;
     73 security_access_policy(vold)
     74 allow vold asec_apk_file:dir { rw_dir_perms setattr relabelfrom relabelto };
     75 allow vold asec_public_file:dir { relabelto setattr };
     76 allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto };
     77 allow vold asec_public_file:file { relabelto setattr };
     78 # restorecon files in asec containers created on 4.2 or earlier.
     79 allow vold unlabeled:dir { r_dir_perms setattr relabelfrom };
     80 allow vold unlabeled:file { r_file_perms setattr relabelfrom };
     81 
     82 # Handle wake locks (used for device encryption)
     83 wakelock_use(vold)
     84 
     85 # talk to batteryservice
     86 binder_use(vold)
     87 binder_call(vold, healthd)
     88 
     89 # talk to keymaster
     90 allow vold tee_device:chr_file rw_file_perms;
     91 
     92