Gitiles
Code Review Sign In
review.gerrithub.io / CandySiX-Testing / external_sepolicy / 442c3ebd4c05bed217e756586ac9fcb4c6283d40 / . / vold.te
blob: 7ddf2b7b1e74afe05765a7325385b841c9bc5e03 [file] [log] [blame]
Stephen Smalley2dd4e512012-01-04 12:33:27 -0500[diff] [blame]1# volume manager
2type vold, domain;
3type vold_exec, exec_type, file_type;
4
5init_daemon_domain(vold)
Nick Kralevich7914a472013-06-28 20:15:37 -0700[diff] [blame]6
Jeff Sharkeyf063f462015-03-27 11:25:39 -0700[diff] [blame]7# Switch to more restrictive domains when executing common tools
8domain_auto_trans(vold, sgdisk_exec, sgdisk);
Jeff Sharkeyf063f462015-03-27 11:25:39 -0700[diff] [blame]9domain_auto_trans(vold, sdcardd_exec, sdcardd);
Jeff Sharkey84e1c612015-04-01 10:15:51 -0700[diff] [blame]10
11# For a handful of probing tools, we choose an even more restrictive
12# domain when working with untrusted block devices
13domain_trans(vold, shell_exec, blkid);
14domain_trans(vold, shell_exec, blkid_untrusted);
15domain_trans(vold, fsck_exec, fsck);
16domain_trans(vold, fsck_exec, fsck_untrusted);
17
18# Allow us to jump into execution domains of above tools
19allow vold self:process setexec;
20
21# For sgdisk launched through popen()
22allow vold shell_exec:file rx_file_perms;
Jeff Sharkeyf063f462015-03-27 11:25:39 -0700[diff] [blame]23
Nick Kralevich7914a472013-06-28 20:15:37 -0700[diff] [blame]24typeattribute vold mlstrustedsubject;
Stephen Smalley273d7ea2014-09-30 11:37:51 -0400[diff] [blame]25allow vold self:process setfscreate;
Nick Kralevich7914a472013-06-28 20:15:37 -0700[diff] [blame]26allow vold system_file:file x_file_perms;
27allow vold block_device:dir create_dir_perms;
28allow vold block_device:blk_file create_file_perms;
Stephen Smalley273d7ea2014-09-30 11:37:51 -0400[diff] [blame]29auditallow vold block_device:blk_file create_file_perms;
Nick Kralevich7914a472013-06-28 20:15:37 -0700[diff] [blame]30allow vold device:dir write;
31allow vold devpts:chr_file rw_file_perms;
32allow vold rootfs:dir mounton;
Jeff Sharkeyf063f462015-03-27 11:25:39 -0700[diff] [blame]33allow vold sdcard_type:dir mounton; # TODO: deprecated in M
34allow vold sdcard_type:filesystem { mount remount unmount }; # TODO: deprecated in M
35allow vold sdcard_type:dir create_dir_perms; # TODO: deprecated in M
36allow vold sdcard_type:file create_file_perms; # TODO: deprecated in M
Ricardo Cerqueira1d7bc1d2015-06-16 02:17:56 +0100[diff] [blame]37ifelse(shipping_build, `true', ,
38 allow vold sdcard_posix:filesystem { relabelto relabelfrom };
39)
Michael Bestas149ccab2014-12-13 20:51:20 +0200[diff] [blame]40allow vold labeledfs:filesystem { relabelfrom };
Jeff Sharkeyf063f462015-03-27 11:25:39 -0700[diff] [blame]41
42# Manage locations where storage is mounted
43allow vold { mnt_media_rw_file storage_file sdcard_type }:dir create_dir_perms;
44allow vold { mnt_media_rw_file storage_file sdcard_type }:file create_file_perms;
45
Jeff Sharkey90c64542015-04-24 15:19:22 -0700[diff] [blame]46# Access to storage that backs emulated FUSE daemons for migration optimization
47allow vold media_rw_data_file:dir create_dir_perms;
48allow vold media_rw_data_file:file create_file_perms;
49
Jeff Sharkeyf063f462015-03-27 11:25:39 -0700[diff] [blame]50# Newly created storage dirs are always treated as mount stubs to prevent us
51# from accidentally writing when the mount point isn't present.
52type_transition vold storage_file:dir storage_stub_file;
53type_transition vold mnt_media_rw_file:dir mnt_media_rw_stub_file;
54
55# Allow mounting of storage devices
56allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr };
57allow vold sdcard_type:filesystem { mount unmount remount };
58
59# Manage per-user primary symlinks
60allow vold mnt_user_file:dir create_dir_perms;
61allow vold mnt_user_file:lnk_file create_file_perms;
62
Jeff Sharkey73d9c2a2015-04-06 16:21:54 -0700[diff] [blame]63# Allow to create and mount expanded storage
64allow vold mnt_expand_file:dir { create_dir_perms mounton };
65allow vold apk_data_file:dir { create getattr setattr };
Jeff Sharkey73d9c2a2015-04-06 16:21:54 -0700[diff] [blame]66allow vold shell_data_file:dir { create getattr setattr };
67
Nick Kralevich7914a472013-06-28 20:15:37 -0700[diff] [blame]68allow vold tmpfs:filesystem { mount unmount };
69allow vold tmpfs:dir create_dir_perms;
70allow vold tmpfs:dir mounton;
Alex Klyubinb25fe912013-07-08 15:48:36 -0700[diff] [blame]71allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner fsetid };
Stephen Smalley16011322014-02-24 15:06:11 -0500[diff] [blame]72allow vold self:netlink_kobject_uevent_socket create_socket_perms;
Nick Kralevich7914a472013-06-28 20:15:37 -0700[diff] [blame]73allow vold app_data_file:dir search;
74allow vold app_data_file:file rw_file_perms;
Stephen Smalley273d7ea2014-09-30 11:37:51 -0400[diff] [blame]75allow vold loop_device:blk_file create_file_perms;
76allow vold vold_device:blk_file create_file_perms;
Nick Kralevich7914a472013-06-28 20:15:37 -0700[diff] [blame]77allow vold dm_device:chr_file rw_file_perms;
Stephen Smalley273d7ea2014-09-30 11:37:51 -0400[diff] [blame]78allow vold dm_device:blk_file rw_file_perms;
Nick Kralevich7914a472013-06-28 20:15:37 -0700[diff] [blame]79# For vold Process::killProcessesWithOpenFiles function.
80allow vold domain:dir r_dir_perms;
81allow vold domain:{ file lnk_file } r_file_perms;
82allow vold domain:process { signal sigkill };
Geremy Condra7eb786b2013-09-11 10:16:57 -0700[diff] [blame]83allow vold self:capability { sys_ptrace kill };
Nick Kralevich7914a472013-06-28 20:15:37 -0700[diff] [blame]84
85# XXX Label sysfs files with a specific type?
86allow vold sysfs:file rw_file_perms;
87
Nick Kraleviche2651972015-06-06 07:42:37 -0700[diff] [blame]88allow vold kmsg_device:chr_file rw_file_perms;
Nick Kralevich7914a472013-06-28 20:15:37 -0700[diff] [blame]89
Stephen Smalleycedee692014-09-30 13:09:55 -0400[diff] [blame]90# Run fsck.
91allow vold fsck_exec:file rx_file_perms;
Nick Kralevich7914a472013-06-28 20:15:37 -0700[diff] [blame]92
Nick Kralevich3753c812013-12-19 15:23:43 -0800[diff] [blame]93# Log fsck results
94allow vold fscklogs:dir rw_dir_perms;
95allow vold fscklogs:file create_file_perms;
96
Nick Kralevich7914a472013-06-28 20:15:37 -0700[diff] [blame]97#
98# Rules to support encrypted fs support.
99#
100
Nick Kralevich7914a472013-06-28 20:15:37 -0700[diff] [blame]101# Unmount and mount the fs.
102allow vold labeledfs:filesystem { mount unmount remount };
103
104# Access /efs/userdata_footer.
105# XXX Split into a separate type?
106allow vold efs_file:file rw_file_perms;
107
Jeff Sharkey73d9c2a2015-04-06 16:21:54 -0700[diff] [blame]108# Create and mount on /data/tmp_mnt and management of expansion mounts
109allow vold system_data_file:dir { create rw_dir_perms mounton setattr rmdir };
Nick Kralevich7914a472013-06-28 20:15:37 -0700[diff] [blame]110
111# Set scheduling policy of kernel processes
112allow vold kernel:process setsched;
113
114# Property Service
William Roberts2f5a6a92015-05-04 18:22:45 -0700[diff] [blame]115set_prop(vold, vold_prop)
116set_prop(vold, powerctl_prop)
117set_prop(vold, ctl_fuse_prop)
Jeff Sharkey7617cd42015-06-09 11:01:04 -0700[diff] [blame]118set_prop(vold, restorecon_prop)
Nick Kralevich7914a472013-06-28 20:15:37 -0700[diff] [blame]119
120# ASEC
121allow vold asec_image_file:file create_file_perms;
122allow vold asec_image_file:dir rw_dir_perms;
123security_access_policy(vold)
Jeff Sharkeyf063f462015-03-27 11:25:39 -0700[diff] [blame]124allow vold asec_apk_file:dir { create_dir_perms mounton relabelfrom relabelto };
Robert Craig48b18832014-02-04 11:36:41 -0500[diff] [blame]125allow vold asec_public_file:dir { relabelto setattr };
Stephen Smalleyf85c1fc2014-05-27 10:56:24 -0400[diff] [blame]126allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto };
Robert Craig48b18832014-02-04 11:36:41 -0500[diff] [blame]127allow vold asec_public_file:file { relabelto setattr };
Stephen Smalleyf85c1fc2014-05-27 10:56:24 -0400[diff] [blame]128# restorecon files in asec containers created on 4.2 or earlier.
129allow vold unlabeled:dir { r_dir_perms setattr relabelfrom };
130allow vold unlabeled:file { r_file_perms setattr relabelfrom };
Nick Kralevich3753c812013-12-19 15:23:43 -0800[diff] [blame]131
132# Handle wake locks (used for device encryption)
Nick Kralevich8599e342014-05-23 13:33:32 -0700[diff] [blame]133wakelock_use(vold)
Paul Lawrence01ba6832014-03-19 14:41:00 -0700[diff] [blame]134
135# talk to batteryservice
136binder_use(vold)
137binder_call(vold, healthd)
Paul Lawrenced7567112014-04-14 12:05:43 -0700[diff] [blame]138
139# talk to keymaster
140allow vold tee_device:chr_file rw_file_perms;
141
Stephen Smalley887d7af2014-09-11 08:50:04 -0400[diff] [blame]142# Access userdata block device.
143allow vold userdata_block_device:blk_file rw_file_perms;
144auditallow vold userdata_block_device:blk_file rw_file_perms;
145
Ravi Kumar Siddojigari077da1c2014-11-19 17:32:24 +0530[diff] [blame]146# For UMS tuning
147allow vold proc_dirty_ratio:file rw_file_perms;
148
Stephen Smalley273d7ea2014-09-30 11:37:51 -0400[diff] [blame]149# Access metadata block device used for encryption meta-data.
150allow vold metadata_block_device:blk_file rw_file_perms;
Paul Lawrence38af1da2015-03-11 15:44:14 -0700[diff] [blame]151
Paul Lawrencee2c0c9d2015-04-28 22:06:29 +0000[diff] [blame]152# Allow vold to manipulate /data/unencrypted
153allow vold unencrypted_data_file:{ file } create_file_perms;
Paul Lawrence38af1da2015-03-11 15:44:14 -0700[diff] [blame]154allow vold unencrypted_data_file:dir create_dir_perms;
Jeff Sharkey4423ecd2015-03-31 15:03:13 -0700[diff] [blame]155
Jeff Sharkeyc9605962015-05-14 20:55:31 -0700[diff] [blame]156# Write to /proc/sys/vm/drop_caches
157allow vold proc_drop_caches:file w_file_perms;
158
Jeff Sharkey4423ecd2015-03-31 15:03:13 -0700[diff] [blame]159# Give vold a place where only vold can store files; everyone else is off limits
Jeff Sharkeyc9605962015-05-14 20:55:31 -0700[diff] [blame]160allow vold vold_data_file:dir create_dir_perms;
Jeff Sharkey4423ecd2015-03-31 15:03:13 -0700[diff] [blame]161allow vold vold_data_file:file create_file_perms;
162
Paul Lawrencee2c0c9d2015-04-28 22:06:29 +0000[diff] [blame]163# linux keyring configuration
164allow vold init:key { write search setattr };
165allow vold vold:key { write search setattr };
166
Jeff Sharkey769b96f2015-06-11 13:00:30 -0700[diff] [blame]167# vold temporarily changes its priority when running benchmarks
168allow vold self:capability sys_nice;
169
Jeff Sharkey6b75d092015-06-25 16:13:59 -0700[diff] [blame]170# vold needs to chroot into app namespaces to remount when runtime permissions change
171allow vold self:capability sys_chroot;
172allow vold storage_file:dir mounton;
173
Adnan Begovic442c3eb2015-10-15 13:06:44 -0700[diff] [blame^]174ifelse(shipping_build, `true',
175 `neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
176 neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
177 neverallow { domain -vold -init } vold_data_file:dir *;
178 neverallow { domain -vold -init } vold_data_file:notdevfile_class_set *;
179 neverallow { domain -vold -init } restorecon_prop:property_service set;'
180,
181 `neverallow { domain -vold -recovery } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
182 neverallow { domain -vold -recovery } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
183 neverallow { domain -vold -init -recovery } vold_data_file:dir *;
184 neverallow { domain -vold -init -recovery } vold_data_file:notdevfile_class_set *;
185 neverallow { domain -vold -init -recovery } restorecon_prop:property_service set;'
186)