1# volume manager 2type vold, domain; 3type vold_exec, exec_type, file_type, system_file_type; 4 5# Read already opened /cache files. 6allow vold cache_file:dir r_dir_perms; 7allow vold cache_file:file { getattr read }; 8allow vold cache_file:lnk_file r_file_perms; 9 10r_dir_file(vold, { sysfs_type -sysfs_batteryinfo }) 11# XXX Label sysfs files with a specific type? 12allow vold { 13 sysfs # writing to /sys/*/uevent during coldboot. 14 sysfs_devices_block 15 sysfs_dm 16 sysfs_loop # writing to /sys/block/loop*/uevent during coldboot. 17 sysfs_usb 18 sysfs_zram_uevent 19 sysfs_fs_f2fs 20}:file w_file_perms; 21 22r_dir_file(vold, rootfs) 23r_dir_file(vold, metadata_file) 24allow vold { 25 proc # b/67049235 processes /proc/<pid>/* files are mislabeled. 26 proc_bootconfig 27 proc_cmdline 28 proc_drop_caches 29 proc_filesystems 30 proc_meminfo 31 proc_mounts 32}:file r_file_perms; 33 34#Get file contexts 35allow vold file_contexts_file:file r_file_perms; 36 37# Allow us to jump into execution domains of above tools 38allow vold self:process setexec; 39 40# For formatting adoptable storage devices 41allow vold e2fs_exec:file rx_file_perms; 42 43# Run fstrim on mounted partitions 44# allowxperm still requires the ioctl permission for the individual type 45allowxperm vold { fs_type file_type }:dir ioctl FITRIM; 46 47# Get/set file-based encryption policies on dirs in /data and adoptable storage, 48# and add/remove file-based encryption keys. 49allowxperm vold data_file_type:dir ioctl { 50 FS_IOC_GET_ENCRYPTION_POLICY 51 FS_IOC_SET_ENCRYPTION_POLICY 52 FS_IOC_ADD_ENCRYPTION_KEY 53 FS_IOC_REMOVE_ENCRYPTION_KEY 54 FS_IOC_GET_ENCRYPTION_KEY_STATUS 55}; 56 57# Only vold and init should ever set file-based encryption policies. 58neverallowxperm { 59 domain 60 -vold 61 -init 62 -vendor_init 63} data_file_type:dir ioctl { FS_IOC_SET_ENCRYPTION_POLICY }; 64 65# Only vold should ever add/remove file-based encryption keys. 66neverallowxperm { 67 domain 68 -vold 69} data_file_type:dir ioctl { FS_IOC_ADD_ENCRYPTION_KEY FS_IOC_REMOVE_ENCRYPTION_KEY FS_IOC_GET_ENCRYPTION_KEY_STATUS }; 70 71# Allow securely erasing crypto key files. F2FS_IOC_SEC_TRIM_FILE is 72# tried first. Otherwise, FS_IOC_FIEMAP is needed to get the 73# location of the file's blocks on the raw block device to erase. 74allowxperm vold { 75 vold_data_file 76 vold_metadata_file 77}:file ioctl { 78 F2FS_IOC_SEC_TRIM_FILE 79 FS_IOC_FIEMAP 80}; 81 82typeattribute vold mlstrustedsubject; 83allow vold self:process setfscreate; 84allow vold system_file:file x_file_perms; 85not_full_treble(`allow vold vendor_file:file x_file_perms;') 86allow vold block_device:dir create_dir_perms; 87allow vold device:dir write; 88allow vold devpts:chr_file rw_file_perms; 89allow vold rootfs:dir mounton; 90allow vold { sdcard_type fuse }:dir mounton; # TODO: deprecated in M 91allow vold { sdcard_type fuse }:filesystem { mount remount unmount }; # TODO: deprecated in M 92 93# Manage locations where storage is mounted 94allow vold { mnt_media_rw_file storage_file sdcard_type fuse }:dir create_dir_perms; 95allow vold { mnt_media_rw_file storage_file sdcard_type fuse }:file create_file_perms; 96 97# Access to storage that backs emulated FUSE daemons for migration optimization 98allow vold media_rw_data_file:dir create_dir_perms; 99allow vold media_rw_data_file:file create_file_perms; 100# Allow mounting (lower filesystem) on parts of media for performance 101allow vold media_rw_data_file:dir mounton; 102 103# Allow setting extended attributes (for project quota IDs) on files and dirs 104# and to enable project ID inheritance through FS_IOC_SETFLAGS 105allowxperm vold media_rw_data_file:{ dir file } ioctl { 106 FS_IOC_FSGETXATTR 107 FS_IOC_FSSETXATTR 108 FS_IOC_GETFLAGS 109 FS_IOC_SETFLAGS 110}; 111 112# Allow mounting of storage devices 113allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr }; 114 115# Manage per-user primary symlinks 116allow vold mnt_user_file:dir { create_dir_perms mounton }; 117allow vold mnt_user_file:lnk_file create_file_perms; 118allow vold mnt_user_file:file create_file_perms; 119 120# Manage per-user pass_through primary symlinks 121allow vold mnt_pass_through_file:dir { create_dir_perms mounton }; 122allow vold mnt_pass_through_file:lnk_file create_file_perms; 123 124# Allow to create and mount expanded storage 125allow vold mnt_expand_file:dir { create_dir_perms mounton }; 126allow vold apk_data_file:dir { create getattr setattr }; 127allow vold shell_data_file:dir { create getattr setattr }; 128 129# Allow to mount incremental file system on /data/incremental and create files 130allow vold apk_data_file:dir { mounton rw_dir_perms }; 131# Allow to create and write files in /data/incremental 132allow vold apk_data_file:file { rw_file_perms unlink }; 133# Allow to bind-mount incremental file system on /data/app/vmdl*.tmp and read files 134allow vold apk_tmp_file:dir { mounton r_dir_perms }; 135# Allow to read incremental control file and call selinux restorecon on it 136allow vold incremental_control_file:file { r_file_perms relabelto }; 137 138allow vold tmpfs:filesystem { mount unmount }; 139allow vold tmpfs:dir create_dir_perms; 140allow vold tmpfs:dir mounton; 141allow vold self:global_capability_class_set { net_admin dac_override dac_read_search mknod sys_admin chown fowner fsetid }; 142allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; 143allow vold loop_control_device:chr_file rw_file_perms; 144allow vold loop_device:blk_file { create setattr unlink rw_file_perms }; 145allowxperm vold loop_device:blk_file ioctl { 146 LOOP_CLR_FD 147 LOOP_CTL_GET_FREE 148 LOOP_GET_STATUS64 149 LOOP_SET_FD 150 LOOP_SET_STATUS64 151}; 152allow vold vold_device:blk_file { create setattr unlink rw_file_perms }; 153allowxperm vold vold_device:blk_file ioctl { BLKDISCARD BLKGETSIZE }; 154allow vold dm_device:chr_file rw_file_perms; 155allow vold dm_device:blk_file rw_file_perms; 156allowxperm vold dm_device:blk_file ioctl { BLKDISCARD BLKSECDISCARD }; 157# For vold Process::killProcessesWithOpenFiles function. 158allow vold domain:dir r_dir_perms; 159allow vold domain:{ file lnk_file } r_file_perms; 160allow vold domain:process { signal sigkill }; 161allow vold self:global_capability_class_set { sys_ptrace kill }; 162 163allow vold kmsg_device:chr_file rw_file_perms; 164 165# Run fsck in the fsck domain. 166allow vold fsck_exec:file { r_file_perms execute }; 167 168# Log fsck results 169allow vold fscklogs:dir rw_dir_perms; 170allow vold fscklogs:file create_file_perms; 171 172# Mount and unmount filesystems. 173allow vold labeledfs:filesystem { mount unmount remount }; 174 175# Create and mount on /data/tmp_mnt and management of expansion mounts 176allow vold { 177 system_data_file 178 system_data_root_file 179}:dir { create rw_dir_perms mounton setattr rmdir }; 180allow vold system_data_file:lnk_file getattr; 181 182# Vold create users in /data/vendor_{ce,de}/[0-9]+ 183allow vold vendor_data_file:dir create_dir_perms; 184 185# for secdiscard 186allow vold system_data_file:file read; 187 188# Set scheduling policy of kernel processes 189allow vold kernel:process setsched; 190 191# ASEC 192allow vold asec_image_file:file create_file_perms; 193allow vold asec_image_file:dir rw_dir_perms; 194allow vold asec_apk_file:dir { create_dir_perms mounton relabelfrom relabelto }; 195allow vold asec_public_file:dir { relabelto setattr }; 196allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto }; 197allow vold asec_public_file:file { relabelto setattr }; 198# restorecon files in asec containers created on 4.2 or earlier. 199allow vold unlabeled:dir { r_dir_perms setattr relabelfrom }; 200allow vold unlabeled:file { r_file_perms setattr relabelfrom }; 201 202# Access to FUSE control filesystem to hard-abort FUSE mounts 203allow vold fusectlfs:file rw_file_perms; 204allow vold fusectlfs:dir rw_dir_perms; 205 206# Allow vold to use wake locks. Needed for idle maintenance and moving storage. 207wakelock_use(vold) 208 209# Allow vold to publish a binder service and make binder calls. 210binder_use(vold) 211add_service(vold, vold_service) 212 213# Allow vold to call into the system server so it can check permissions. 214binder_call(vold, system_server) 215allow vold permission_service:service_manager find; 216 217# talk to health storage HAL 218hal_client_domain(vold, hal_health_storage) 219 220# talk to bootloader HAL 221full_treble_only(`hal_client_domain(vold, hal_bootctl)') 222 223# Access userdata block device. 224allow vold userdata_block_device:blk_file rw_file_perms; 225allowxperm vold userdata_block_device:blk_file ioctl BLKSECDISCARD; 226 227# Access metadata block device used for encryption meta-data. 228allow vold metadata_block_device:blk_file rw_file_perms; 229allowxperm vold metadata_block_device:blk_file ioctl BLKSECDISCARD; 230 231# Allow vold to manipulate /data/unencrypted 232allow vold unencrypted_data_file:{ file } create_file_perms; 233allow vold unencrypted_data_file:dir create_dir_perms; 234 235# Write to /proc/sys/vm/drop_caches 236allow vold proc_drop_caches:file w_file_perms; 237 238# Give vold a place where only vold can store files; everyone else is off limits 239allow vold vold_data_file:dir create_dir_perms; 240allow vold vold_data_file:file create_file_perms; 241 242# And a similar place in the metadata partition 243allow vold vold_metadata_file:dir create_dir_perms; 244allow vold vold_metadata_file:file create_file_perms; 245 246# linux keyring configuration 247allow vold init:key { write search setattr }; 248allow vold vold:key { write search setattr }; 249 250# vold temporarily changes its priority when running benchmarks 251allow vold self:global_capability_class_set sys_nice; 252 253# vold needs to chroot into app namespaces to remount when runtime permissions change 254allow vold self:global_capability_class_set sys_chroot; 255allow vold storage_file:dir mounton; 256 257# For AppFuse. 258allow vold fuse_device:chr_file rw_file_perms; 259allow vold fuse:filesystem { relabelfrom }; 260allow vold app_fusefs:filesystem { relabelfrom relabelto }; 261allow vold app_fusefs:filesystem { mount unmount }; 262allow vold app_fuse_file:dir rw_dir_perms; 263allow vold app_fuse_file:file { read write open getattr append }; 264 265# MoveStorage.cpp executes cp and rm 266allow vold toolbox_exec:file rx_file_perms; 267 268# Prepare profile dir for users. 269allow vold { user_profile_data_file user_profile_root_file }:dir create_dir_perms; 270 271# Raw writes to misc block device 272allow vold misc_block_device:blk_file w_file_perms; 273 274# vold might need to search or mount /mnt/vendor/* 275allow vold mnt_vendor_file:dir search; 276 277dontaudit vold self:global_capability_class_set sys_resource; 278 279# Allow ReadDefaultFstab(). 280read_fstab(vold) 281 282# vold might need to search loopback apex files 283allow vold vendor_apex_file:file r_file_perms; 284 285neverallow { 286 domain 287 -vold 288 -vold_prepare_subdirs 289} vold_data_file:dir ~{ open create read getattr setattr search relabelfrom relabelto ioctl }; 290 291neverallow { 292 domain 293 -init 294 -vold 295 -vold_prepare_subdirs 296} vold_data_file:dir *; 297 298neverallow { 299 domain 300 -init 301 -vold 302} vold_metadata_file:dir *; 303 304neverallow { 305 domain 306 -kernel 307 -vold 308 -vold_prepare_subdirs 309} vold_data_file:notdevfile_class_set ~{ relabelto getattr }; 310 311neverallow { 312 domain 313 -init 314 -vold 315 -vold_prepare_subdirs 316} vold_metadata_file:notdevfile_class_set ~{ relabelto getattr }; 317 318neverallow { 319 domain 320 -init 321 -kernel 322 -vold 323 -vold_prepare_subdirs 324} { vold_data_file vold_metadata_file }:notdevfile_class_set *; 325 326neverallow { domain -vold -init } restorecon_prop:property_service set; 327 328neverallow vold { 329 domain 330 -hal_health_storage_server 331 -hal_keymaster_server 332 -system_suspend_server 333 -hal_bootctl_server 334 -hwservicemanager 335 -iorapd_service 336 -keystore 337 -servicemanager 338 -system_server 339 userdebug_or_eng(`-su') 340}:binder call; 341 342neverallow vold fsck_exec:file execute_no_trans; 343neverallow { domain -init } vold:process { transition dyntransition }; 344neverallow vold *:process ptrace; 345neverallow vold *:rawip_socket *; 346