Home | History | Annotate | Download | only in sepolicy 
      1 # volume manager
      2 type vold, domain, domain_deprecated;
      3 type vold_exec, exec_type, file_type;
      4 
      5 init_daemon_domain(vold)
      6 
      7 # Switch to more restrictive domains when executing common tools
      8 domain_auto_trans(vold, sgdisk_exec, sgdisk);
      9 domain_auto_trans(vold, sdcardd_exec, sdcardd);
     10 
     11 # Read already opened /cache files.
     12 allow vold cache_file:dir r_dir_perms;
     13 allow vold cache_file:file { getattr read };
     14 allow vold cache_file:lnk_file r_file_perms;
     15 
     16 # Read access to pseudo filesystems.
     17 r_dir_file(vold, proc)
     18 r_dir_file(vold, proc_net)
     19 r_dir_file(vold, sysfs)
     20 r_dir_file(vold, rootfs)
     21 
     22 # For a handful of probing tools, we choose an even more restrictive
     23 # domain when working with untrusted block devices
     24 domain_trans(vold, shell_exec, blkid);
     25 domain_trans(vold, shell_exec, blkid_untrusted);
     26 domain_trans(vold, fsck_exec, fsck);
     27 domain_trans(vold, fsck_exec, fsck_untrusted);
     28 
     29 # Allow us to jump into execution domains of above tools
     30 allow vold self:process setexec;
     31 
     32 # For sgdisk launched through popen()
     33 allow vold shell_exec:file rx_file_perms;
     34 
     35 typeattribute vold mlstrustedsubject;
     36 allow vold self:process setfscreate;
     37 allow vold system_file:file x_file_perms;
     38 allow vold block_device:dir create_dir_perms;
     39 allow vold device:dir write;
     40 allow vold devpts:chr_file rw_file_perms;
     41 allow vold rootfs:dir mounton;
     42 allow vold sdcard_type:dir mounton; # TODO: deprecated in M
     43 allow vold sdcard_type:filesystem { mount remount unmount }; # TODO: deprecated in M
     44 allow vold sdcard_type:dir create_dir_perms; # TODO: deprecated in M
     45 allow vold sdcard_type:file create_file_perms; # TODO: deprecated in M
     46 
     47 # Manage locations where storage is mounted
     48 allow vold { mnt_media_rw_file storage_file sdcard_type }:dir create_dir_perms;
     49 allow vold { mnt_media_rw_file storage_file sdcard_type }:file create_file_perms;
     50 
     51 # Access to storage that backs emulated FUSE daemons for migration optimization
     52 allow vold media_rw_data_file:dir create_dir_perms;
     53 allow vold media_rw_data_file:file create_file_perms;
     54 
     55 # Newly created storage dirs are always treated as mount stubs to prevent us
     56 # from accidentally writing when the mount point isn't present.
     57 type_transition vold storage_file:dir storage_stub_file;
     58 type_transition vold mnt_media_rw_file:dir mnt_media_rw_stub_file;
     59 
     60 # Allow mounting of storage devices
     61 allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr };
     62 allow vold sdcard_type:filesystem { mount unmount remount };
     63 
     64 # Manage per-user primary symlinks
     65 allow vold mnt_user_file:dir create_dir_perms;
     66 allow vold mnt_user_file:lnk_file create_file_perms;
     67 
     68 # Allow to create and mount expanded storage
     69 allow vold mnt_expand_file:dir { create_dir_perms mounton };
     70 allow vold apk_data_file:dir { create getattr setattr };
     71 allow vold shell_data_file:dir { create getattr setattr };
     72 
     73 allow vold tmpfs:filesystem { mount unmount };
     74 allow vold tmpfs:dir create_dir_perms;
     75 allow vold tmpfs:dir mounton;
     76 allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner fsetid };
     77 allow vold self:netlink_kobject_uevent_socket create_socket_perms;
     78 allow vold app_data_file:dir search;
     79 allow vold app_data_file:file rw_file_perms;
     80 allow vold loop_device:blk_file create_file_perms;
     81 allow vold vold_device:blk_file create_file_perms;
     82 allow vold dm_device:chr_file rw_file_perms;
     83 allow vold dm_device:blk_file rw_file_perms;
     84 # For vold Process::killProcessesWithOpenFiles function.
     85 allow vold domain:dir r_dir_perms;
     86 allow vold domain:{ file lnk_file } r_file_perms;
     87 allow vold domain:process { signal sigkill };
     88 allow vold self:capability { sys_ptrace kill };
     89 
     90 # XXX Label sysfs files with a specific type?
     91 allow vold sysfs:file rw_file_perms;
     92 
     93 # TODO: added to match above sysfs rule. Remove me?
     94 allow vold sysfs_usb:file w_file_perms;
     95 
     96 allow vold kmsg_device:chr_file rw_file_perms;
     97 
     98 # Run fsck in the fsck domain.
     99 allow vold fsck_exec:file { r_file_perms execute };
    100 
    101 # Log fsck results
    102 allow vold fscklogs:dir rw_dir_perms;
    103 allow vold fscklogs:file create_file_perms;
    104 
    105 #
    106 # Rules to support encrypted fs support.
    107 #
    108 
    109 # Unmount and mount the fs.
    110 allow vold labeledfs:filesystem { mount unmount remount };
    111 
    112 # Access /efs/userdata_footer.
    113 # XXX Split into a separate type?
    114 allow vold efs_file:file rw_file_perms;
    115 
    116 # Create and mount on /data/tmp_mnt and management of expansion mounts
    117 allow vold system_data_file:dir { create rw_dir_perms mounton setattr rmdir };
    118 
    119 # Set scheduling policy of kernel processes
    120 allow vold kernel:process setsched;
    121 
    122 # Property Service
    123 set_prop(vold, vold_prop)
    124 set_prop(vold, powerctl_prop)
    125 set_prop(vold, ctl_fuse_prop)
    126 set_prop(vold, restorecon_prop)
    127 
    128 # ASEC
    129 allow vold asec_image_file:file create_file_perms;
    130 allow vold asec_image_file:dir rw_dir_perms;
    131 security_access_policy(vold)
    132 allow vold asec_apk_file:dir { create_dir_perms mounton relabelfrom relabelto };
    133 allow vold asec_public_file:dir { relabelto setattr };
    134 allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto };
    135 allow vold asec_public_file:file { relabelto setattr };
    136 # restorecon files in asec containers created on 4.2 or earlier.
    137 allow vold unlabeled:dir { r_dir_perms setattr relabelfrom };
    138 allow vold unlabeled:file { r_file_perms setattr relabelfrom };
    139 
    140 # Handle wake locks (used for device encryption)
    141 wakelock_use(vold)
    142 
    143 # talk to batteryservice
    144 binder_use(vold)
    145 binder_call(vold, healthd)
    146 
    147 # talk to keymaster
    148 allow vold tee_device:chr_file rw_file_perms;
    149 
    150 # Access userdata block device.
    151 allow vold userdata_block_device:blk_file rw_file_perms;
    152 
    153 # Access metadata block device used for encryption meta-data.
    154 allow vold metadata_block_device:blk_file rw_file_perms;
    155 
    156 # Allow vold to manipulate /data/unencrypted
    157 allow vold unencrypted_data_file:{ file } create_file_perms;
    158 allow vold unencrypted_data_file:dir create_dir_perms;
    159 
    160 # Write to /proc/sys/vm/drop_caches
    161 allow vold proc_drop_caches:file w_file_perms;
    162 
    163 # Give vold a place where only vold can store files; everyone else is off limits
    164 allow vold vold_data_file:dir create_dir_perms;
    165 allow vold vold_data_file:file create_file_perms;
    166 
    167 # linux keyring configuration
    168 allow vold init:key { write search setattr };
    169 allow vold vold:key { write search setattr };
    170 
    171 # vold temporarily changes its priority when running benchmarks
    172 allow vold self:capability sys_nice;
    173 
    174 # vold needs to chroot into app namespaces to remount when runtime permissions change
    175 allow vold self:capability sys_chroot;
    176 allow vold storage_file:dir mounton;
    177 
    178 # For AppFuse.
    179 allow vold fuse_device:chr_file rw_file_perms;
    180 allow vold fuse:filesystem { relabelfrom };
    181 allow vold app_fusefs:filesystem { relabelfrom relabelto };
    182 allow vold app_fusefs:filesystem { mount unmount };
    183 
    184 # coldboot of /sys/block
    185 allow vold sysfs_zram:dir r_dir_perms;
    186 allow vold sysfs_zram_uevent:file rw_file_perms;
    187 
    188 # MoveTask.cpp executes cp and rm
    189 allow vold toolbox_exec:file rx_file_perms;
    190 
    191 # Prepare profile dir for users.
    192 allow vold user_profile_data_file:dir create_dir_perms;
    193 allow vold user_profile_foreign_dex_data_file:dir { getattr setattr };
    194 
    195 # Raw writes to misc block device
    196 allow vold misc_block_device:blk_file w_file_perms;
    197 
    198 neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
    199 neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
    200 neverallow { domain -vold -init } vold_data_file:dir *;
    201 neverallow { domain -vold -init } vold_data_file:notdevfile_class_set *;
    202 neverallow { domain -vold -init } restorecon_prop:property_service set;
    203 
    204 neverallow vold fsck_exec:file execute_no_trans;
    205