# volume manager
#
# Policy for vold, the Android volume manager. The allow rules grant the
# access vold needs to mount, format, encrypt and manage storage; the
# neverallow rules at the end of the file state the invariants that every
# other domain must keep with respect to vold-owned files, the vold binder
# service and the vold domain itself.
type vold, domain;
type vold_exec, exec_type, file_type;

# Read already opened /cache files.
# Only getattr/read on cache_file:file, no open: the files are expected to
# be already open when vold uses them.
allow vold cache_file:dir r_dir_perms;
allow vold cache_file:file { getattr read };
allow vold cache_file:lnk_file r_file_perms;

# Read access to pseudo filesystems.
r_dir_file(vold, proc_net)
r_dir_file(vold, sysfs_type)
# XXX Label sysfs files with a specific type?
# The generic sysfs type covers every sysfs file without a more specific
# label, so the first write rule below is broad; the XXX above is about
# narrowing it. The remaining write rules are already scoped to a type.
allow vold sysfs:file w_file_perms; # writing to /sys/*/uevent during coldboot.
allow vold sysfs_dm:file w_file_perms;
allow vold sysfs_usb:file w_file_perms;
allow vold sysfs_zram_uevent:file w_file_perms;

r_dir_file(vold, rootfs)
r_dir_file(vold, metadata_file)
# Read-only access to selected /proc entries. The generic proc type is
# wider than intended because of the mislabeling noted on the first entry.
allow vold {
    proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
    proc_cmdline
    proc_drop_caches
    proc_filesystems
    proc_meminfo
    proc_mounts
}:file r_file_perms;

# Get file contexts (used by the relabel rules further down).
allow vold file_contexts_file:file r_file_perms;

# setexec lets vold choose the target domain before exec()ing helper tools;
# the helpers it runs are granted below (shell_exec, e2fs_exec, fsck_exec).
allow vold self:process setexec;

# For sgdisk launched through popen()
allow vold shell_exec:file rx_file_perms;

# For formatting adoptable storage devices
allow vold e2fs_exec:file rx_file_perms;

# Exempt vold from MLS constraints so that they do not restrict its access.
typeattribute vold mlstrustedsubject;
# setfscreate lets vold pick the label of the files it creates.
allow vold self:process setfscreate;
allow vold system_file:file x_file_perms;
# Executing vendor binaries is only granted on non-full-Treble builds.
not_full_treble(`allow vold vendor_file:file x_file_perms;')
allow vold block_device:dir create_dir_perms;
allow vold device:dir write;
allow vold devpts:chr_file rw_file_perms;
allow vold rootfs:dir mounton;
allow vold sdcard_type:dir mounton; # TODO: deprecated in M
allow vold sdcard_type:filesystem { mount remount unmount }; # TODO: deprecated in M
allow vold sdcard_type:dir create_dir_perms; # TODO: deprecated in M
allow vold sdcard_type:file create_file_perms; # TODO: deprecated in M

# Manage locations where storage is mounted
allow vold { mnt_media_rw_file storage_file sdcard_type }:dir create_dir_perms;
allow vold { mnt_media_rw_file storage_file sdcard_type }:file create_file_perms;

# Access to storage that backs emulated FUSE daemons for migration optimization
allow vold media_rw_data_file:dir create_dir_perms;
allow vold media_rw_data_file:file create_file_perms;

# Allow mounting of storage devices
allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr };

# Manage per-user primary symlinks
allow vold mnt_user_file:dir create_dir_perms;
allow vold mnt_user_file:lnk_file create_file_perms;

# Allow to create and mount expanded storage
allow vold mnt_expand_file:dir { create_dir_perms mounton };
allow vold apk_data_file:dir { create getattr setattr };
allow vold shell_data_file:dir { create getattr setattr };

allow vold tmpfs:filesystem { mount unmount };
allow vold tmpfs:dir create_dir_perms;
allow vold tmpfs:dir mounton;
# Capabilities. Likely pairing: sys_admin for the mount rules, mknod for the
# loop/vold block device nodes created below, chown/fowner/fsetid/dac_override
# for ownership and mode changes on storage - verify against the vold sources
# before trimming this set. sys_ptrace/kill, sys_nice and sys_chroot are
# granted separately below, each next to the rule that needs it.
allow vold self:global_capability_class_set { net_admin dac_override mknod sys_admin chown fowner fsetid };
allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
allow vold app_data_file:dir search;
allow vold app_data_file:file rw_file_perms;
allow vold loop_control_device:chr_file rw_file_perms;
allow vold loop_device:blk_file { create setattr unlink rw_file_perms };
allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
allow vold dm_device:chr_file rw_file_perms;
allow vold dm_device:blk_file rw_file_perms;
# For vold Process::killProcessesWithOpenFiles function.
# These rules target every domain: vold may read the /proc entries of any
# process and signal or kill it.
allow vold domain:dir r_dir_perms;
allow vold domain:{ file lnk_file } r_file_perms;
allow vold domain:process { signal sigkill };
# sys_ptrace is needed to read per-process state of other processes under
# /proc (it is the capability the kernel checks there); actual ptrace by vold
# is forbidden by the neverallow at the end of this file.
allow vold self:global_capability_class_set { sys_ptrace kill };

allow vold kmsg_device:chr_file rw_file_perms;

# Run fsck in the fsck domain.
# execute without execute_no_trans: fsck may only be run through a domain
# transition, never inside the vold domain (see the matching neverallow).
allow vold fsck_exec:file { r_file_perms execute };

# Log fsck results
allow vold fscklogs:dir rw_dir_perms;
allow vold fscklogs:file create_file_perms;

#
# Rules to support encrypted fs support.
#

# Unmount and mount the fs.
allow vold labeledfs:filesystem { mount unmount };

# Access /efs/userdata_footer.
# XXX Split into a separate type?
allow vold efs_file:file rw_file_perms;

# Create and mount on /data/tmp_mnt and management of expansion mounts
allow vold system_data_file:dir { create rw_dir_perms mounton setattr rmdir };
allow vold system_data_file:lnk_file getattr;

# Vold create users in /data/vendor_{ce,de}/[0-9]+
allow vold vendor_data_file:dir create_dir_perms;

# for secdiscard
allow vold system_data_file:file read;

# Set scheduling policy of kernel processes
allow vold kernel:process setsched;

# Property Service
# Each set_prop grants write access to one property context.
set_prop(vold, vold_prop)
set_prop(vold, exported_vold_prop)
set_prop(vold, exported2_vold_prop)
set_prop(vold, powerctl_prop)
set_prop(vold, ctl_fuse_prop)
set_prop(vold, restorecon_prop)

# ASEC
allow vold asec_image_file:file create_file_perms;
allow vold asec_image_file:dir rw_dir_perms;
allow vold asec_apk_file:dir { create_dir_perms mounton relabelfrom relabelto };
allow vold asec_public_file:dir { relabelto setattr };
allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto };
allow vold asec_public_file:file { relabelto setattr };
# restorecon files in asec containers created on 4.2 or earlier.
# relabelfrom on the unlabeled type only: vold may move files off the
# unlabeled type but is not granted relabelto it.
allow vold unlabeled:dir { r_dir_perms setattr relabelfrom };
allow vold unlabeled:file { r_file_perms setattr relabelfrom };

# Handle wake locks (used for device encryption)
wakelock_use(vold)

# Allow vold to publish a binder service and make binder calls.
binder_use(vold)
add_service(vold, vold_service)

# Allow vold to call into the system server so it can check permissions.
binder_call(vold, system_server)
allow vold permission_service:service_manager find;

# talk to batteryservice
binder_call(vold, healthd)

# talk to keymaster
hal_client_domain(vold, hal_keymaster)

# Access userdata block device.
allow vold userdata_block_device:blk_file rw_file_perms;

# Access metadata block device used for encryption meta-data.
allow vold metadata_block_device:blk_file rw_file_perms;

# Allow vold to manipulate /data/unencrypted
allow vold unencrypted_data_file:{ file } create_file_perms;
allow vold unencrypted_data_file:dir create_dir_perms;

# Write to /proc/sys/vm/drop_caches
allow vold proc_drop_caches:file w_file_perms;

# Give vold a place where only vold can store files; everyone else is off limits
# (the exclusivity is enforced by the vold_data_file neverallows below).
allow vold vold_data_file:dir create_dir_perms;
allow vold vold_data_file:file create_file_perms;

# And a similar place in the metadata partition
allow vold vold_metadata_file:dir create_dir_perms;
allow vold vold_metadata_file:file create_file_perms;

# linux keyring configuration
# vold writes to, searches and sets attributes on the init keyring and its own.
allow vold init:key { write search setattr };
allow vold vold:key { write search setattr };

# vold temporarily changes its priority when running benchmarks
allow vold self:global_capability_class_set sys_nice;

# vold needs to chroot into app namespaces to remount when runtime permissions change
allow vold self:global_capability_class_set sys_chroot;
allow vold storage_file:dir mounton;

# For AppFuse.
allow vold fuse_device:chr_file rw_file_perms;
allow vold fuse:filesystem { relabelfrom };
allow vold app_fusefs:filesystem { relabelfrom relabelto };
allow vold app_fusefs:filesystem { mount unmount };

# MoveTask.cpp executes cp and rm
allow vold toolbox_exec:file rx_file_perms;

# Prepare profile dir for users.
allow vold user_profile_data_file:dir create_dir_perms;

# Raw writes to misc block device (write only, no read access).
allow vold misc_block_device:blk_file w_file_perms;

#
# Invariants. Taken together, the vold_data_file / vold_metadata_file
# neverallows below restrict every domain other than vold (and
# vold_prepare_subdirs) to read-only directory access, or no access at all.
#

# Any domain other than vold and vold_prepare_subdirs may at most be granted
# the listed directory operations on vold_data_file directories.
neverallow {
    domain
    -vold
    -vold_prepare_subdirs
} vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };

# Combined with the rule above: init is limited to that listed set, and
# every other domain gets no directory access at all.
neverallow {
    domain
    -init
    -vold
    -vold_prepare_subdirs
} vold_data_file:dir *;

# Only init, vendor_init and vold may touch vold_metadata_file directories.
neverallow {
    domain
    -init
    -vendor_init
    -vold
} vold_metadata_file:dir *;

# For non-device file classes under vold_data_file, any domain other than
# kernel, vold and vold_prepare_subdirs is limited to relabelto and getattr.
neverallow {
    domain
    -kernel
    -vold
    -vold_prepare_subdirs
} vold_data_file:notdevfile_class_set ~{ relabelto getattr };

# Same for vold_metadata_file, with init in place of kernel.
neverallow {
    domain
    -init
    -vold
    -vold_prepare_subdirs
} vold_metadata_file:notdevfile_class_set ~{ relabelto getattr };

# Everything else: no access at all to either file type. The domains exempted
# here are still bound by the two rules above (init and vendor_init on
# vold_data_file files, and kernel on vold_metadata_file files, get at most
# relabelto and getattr).
neverallow {
    domain
    -init
    -kernel
    -vendor_init
    -vold
    -vold_prepare_subdirs
} { vold_data_file vold_metadata_file }:notdevfile_class_set *;

# Only vold and init may set restorecon_prop.
neverallow { domain -vold -init } restorecon_prop:property_service set;

# Only system_server and vdc can interact with vold over binder
neverallow { domain -system_server -vdc -vold } vold_service:service_manager find;
# Conversely, vold may only make binder calls into the domains listed here;
# su is added on userdebug/eng builds only.
neverallow vold {
    domain
    -hal_keymaster_server
    -healthd
    -hwservicemanager
    -servicemanager
    -system_server
    userdebug_or_eng(`-su')
}:binder call;

# fsck must always run through a domain transition, never in the vold domain.
neverallow vold fsck_exec:file execute_no_trans;
# Only init may enter the vold domain.
neverallow { domain -init } vold:process { transition dyntransition };
# vold holds sys_ptrace (see above) but must never ptrace any process.
neverallow vold *:process ptrace;
# vold has no business with raw IP sockets.
neverallow vold *:rawip_socket *;