1 # volume manager 2 type vold, domain, domain_deprecated; 3 type vold_exec, exec_type, file_type; 4 5 init_daemon_domain(vold) 6 7 # Switch to more restrictive domains when executing common tools 8 domain_auto_trans(vold, sgdisk_exec, sgdisk); 9 domain_auto_trans(vold, sdcardd_exec, sdcardd); 10 11 # Read already opened /cache files. 12 allow vold cache_file:dir r_dir_perms; 13 allow vold cache_file:file { getattr read }; 14 allow vold cache_file:lnk_file r_file_perms; 15 16 # Read access to pseudo filesystems. 17 r_dir_file(vold, proc) 18 r_dir_file(vold, proc_net) 19 r_dir_file(vold, sysfs) 20 r_dir_file(vold, rootfs) 21 22 # For a handful of probing tools, we choose an even more restrictive 23 # domain when working with untrusted block devices 24 domain_trans(vold, shell_exec, blkid); 25 domain_trans(vold, shell_exec, blkid_untrusted); 26 domain_trans(vold, fsck_exec, fsck); 27 domain_trans(vold, fsck_exec, fsck_untrusted); 28 29 # Allow us to jump into execution domains of above tools 30 allow vold self:process setexec; 31 32 # For sgdisk launched through popen() 33 allow vold shell_exec:file rx_file_perms; 34 35 typeattribute vold mlstrustedsubject; 36 allow vold self:process setfscreate; 37 allow vold system_file:file x_file_perms; 38 allow vold block_device:dir create_dir_perms; 39 allow vold device:dir write; 40 allow vold devpts:chr_file rw_file_perms; 41 allow vold rootfs:dir mounton; 42 allow vold sdcard_type:dir mounton; # TODO: deprecated in M 43 allow vold sdcard_type:filesystem { mount remount unmount }; # TODO: deprecated in M 44 allow vold sdcard_type:dir create_dir_perms; # TODO: deprecated in M 45 allow vold sdcard_type:file create_file_perms; # TODO: deprecated in M 46 47 # Manage locations where storage is mounted 48 allow vold { mnt_media_rw_file storage_file sdcard_type }:dir create_dir_perms; 49 allow vold { mnt_media_rw_file storage_file sdcard_type }:file create_file_perms; 50 51 # Access to storage that backs emulated FUSE daemons for migration optimization 52 allow vold media_rw_data_file:dir create_dir_perms; 53 allow vold media_rw_data_file:file create_file_perms; 54 55 # Newly created storage dirs are always treated as mount stubs to prevent us 56 # from accidentally writing when the mount point isn't present. 57 type_transition vold storage_file:dir storage_stub_file; 58 type_transition vold mnt_media_rw_file:dir mnt_media_rw_stub_file; 59 60 # Allow mounting of storage devices 61 allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr }; 62 allow vold sdcard_type:filesystem { mount unmount remount }; 63 64 # Manage per-user primary symlinks 65 allow vold mnt_user_file:dir create_dir_perms; 66 allow vold mnt_user_file:lnk_file create_file_perms; 67 68 # Allow to create and mount expanded storage 69 allow vold mnt_expand_file:dir { create_dir_perms mounton }; 70 allow vold apk_data_file:dir { create getattr setattr }; 71 allow vold shell_data_file:dir { create getattr setattr }; 72 73 allow vold tmpfs:filesystem { mount unmount }; 74 allow vold tmpfs:dir create_dir_perms; 75 allow vold tmpfs:dir mounton; 76 allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner fsetid }; 77 allow vold self:netlink_kobject_uevent_socket create_socket_perms; 78 allow vold app_data_file:dir search; 79 allow vold app_data_file:file rw_file_perms; 80 allow vold loop_device:blk_file create_file_perms; 81 allow vold vold_device:blk_file create_file_perms; 82 allow vold dm_device:chr_file rw_file_perms; 83 allow vold dm_device:blk_file rw_file_perms; 84 # For vold Process::killProcessesWithOpenFiles function. 85 allow vold domain:dir r_dir_perms; 86 allow vold domain:{ file lnk_file } r_file_perms; 87 allow vold domain:process { signal sigkill }; 88 allow vold self:capability { sys_ptrace kill }; 89 90 # XXX Label sysfs files with a specific type? 91 allow vold sysfs:file rw_file_perms; 92 93 # TODO: added to match above sysfs rule. Remove me? 94 allow vold sysfs_usb:file w_file_perms; 95 96 allow vold kmsg_device:chr_file rw_file_perms; 97 98 # Run fsck in the fsck domain. 99 allow vold fsck_exec:file { r_file_perms execute }; 100 101 # Log fsck results 102 allow vold fscklogs:dir rw_dir_perms; 103 allow vold fscklogs:file create_file_perms; 104 105 # 106 # Rules to support encrypted fs support. 107 # 108 109 # Unmount and mount the fs. 110 allow vold labeledfs:filesystem { mount unmount remount }; 111 112 # Access /efs/userdata_footer. 113 # XXX Split into a separate type? 114 allow vold efs_file:file rw_file_perms; 115 116 # Create and mount on /data/tmp_mnt and management of expansion mounts 117 allow vold system_data_file:dir { create rw_dir_perms mounton setattr rmdir }; 118 119 # Set scheduling policy of kernel processes 120 allow vold kernel:process setsched; 121 122 # Property Service 123 set_prop(vold, vold_prop) 124 set_prop(vold, powerctl_prop) 125 set_prop(vold, ctl_fuse_prop) 126 set_prop(vold, restorecon_prop) 127 128 # ASEC 129 allow vold asec_image_file:file create_file_perms; 130 allow vold asec_image_file:dir rw_dir_perms; 131 security_access_policy(vold) 132 allow vold asec_apk_file:dir { create_dir_perms mounton relabelfrom relabelto }; 133 allow vold asec_public_file:dir { relabelto setattr }; 134 allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto }; 135 allow vold asec_public_file:file { relabelto setattr }; 136 # restorecon files in asec containers created on 4.2 or earlier. 137 allow vold unlabeled:dir { r_dir_perms setattr relabelfrom }; 138 allow vold unlabeled:file { r_file_perms setattr relabelfrom }; 139 140 # Handle wake locks (used for device encryption) 141 wakelock_use(vold) 142 143 # talk to batteryservice 144 binder_use(vold) 145 binder_call(vold, healthd) 146 147 # talk to keymaster 148 allow vold tee_device:chr_file rw_file_perms; 149 150 # Access userdata block device. 151 allow vold userdata_block_device:blk_file rw_file_perms; 152 153 # Access metadata block device used for encryption meta-data. 154 allow vold metadata_block_device:blk_file rw_file_perms; 155 156 # Allow vold to manipulate /data/unencrypted 157 allow vold unencrypted_data_file:{ file } create_file_perms; 158 allow vold unencrypted_data_file:dir create_dir_perms; 159 160 # Write to /proc/sys/vm/drop_caches 161 allow vold proc_drop_caches:file w_file_perms; 162 163 # Give vold a place where only vold can store files; everyone else is off limits 164 allow vold vold_data_file:dir create_dir_perms; 165 allow vold vold_data_file:file create_file_perms; 166 167 # linux keyring configuration 168 allow vold init:key { write search setattr }; 169 allow vold vold:key { write search setattr }; 170 171 # vold temporarily changes its priority when running benchmarks 172 allow vold self:capability sys_nice; 173 174 # vold needs to chroot into app namespaces to remount when runtime permissions change 175 allow vold self:capability sys_chroot; 176 allow vold storage_file:dir mounton; 177 178 # For AppFuse. 179 allow vold fuse_device:chr_file rw_file_perms; 180 allow vold fuse:filesystem { relabelfrom }; 181 allow vold app_fusefs:filesystem { relabelfrom relabelto }; 182 allow vold app_fusefs:filesystem { mount unmount }; 183 184 # coldboot of /sys/block 185 allow vold sysfs_zram:dir r_dir_perms; 186 allow vold sysfs_zram_uevent:file rw_file_perms; 187 188 # MoveTask.cpp executes cp and rm 189 allow vold toolbox_exec:file rx_file_perms; 190 191 # Prepare profile dir for users. 192 allow vold user_profile_data_file:dir create_dir_perms; 193 allow vold user_profile_foreign_dex_data_file:dir { getattr setattr }; 194 195 # Raw writes to misc block device 196 allow vold misc_block_device:blk_file w_file_perms; 197 198 neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl }; 199 neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr }; 200 neverallow { domain -vold -init } vold_data_file:dir *; 201 neverallow { domain -vold -init } vold_data_file:notdevfile_class_set *; 202 neverallow { domain -vold -init } restorecon_prop:property_service set; 203 204 neverallow vold fsck_exec:file execute_no_trans; 205