1typeattribute vold coredomain; 2 3init_daemon_domain(vold) 4 5# Switch to more restrictive domains when executing common tools 6domain_auto_trans(vold, sgdisk_exec, sgdisk); 7domain_auto_trans(vold, sdcardd_exec, sdcardd); 8domain_auto_trans(vold, fuseblkd_untrusted_exec, fuseblkd_untrusted); 9 10# Switch to e2fs domain when running mkfs.ext4 to format a partition 11domain_auto_trans(vold, e2fs_exec, e2fs); 12 13 14# For a handful of probing tools, we choose an even more restrictive 15# domain when working with untrusted block devices 16domain_trans(vold, blkid_exec, blkid); 17domain_trans(vold, blkid_exec, blkid_untrusted); 18domain_trans(vold, fsck_exec, fsck); 19domain_trans(vold, fsck_exec, fsck_untrusted); 20 21# Newly created storage dirs are always treated as mount stubs to prevent us 22# from accidentally writing when the mount point isn't present. 23type_transition vold storage_file:dir storage_stub_file; 24type_transition vold mnt_media_rw_file:dir mnt_media_rw_stub_file; 25 26# Property Service 27get_prop(vold, vold_config_prop) 28get_prop(vold, storage_config_prop); 29get_prop(vold, incremental_prop); 30get_prop(vold, gsid_prop); 31 32set_prop(vold, vold_prop) 33set_prop(vold, vold_status_prop) 34set_prop(vold, powerctl_prop) 35set_prop(vold, ctl_fuse_prop) 36set_prop(vold, restorecon_prop) 37set_prop(vold, ota_prop) 38set_prop(vold, boottime_prop) 39set_prop(vold, boottime_public_prop) 40 41# Vold will use Keystore instead of using Keymint directly. But it still needs 42# to manage its Keymint blobs. This is why it needs the `manage_blob` permission. 43allow vold vold_key:keystore2_key { 44 convert_storage_key_to_ephemeral 45 delete 46 get_info 47 manage_blob 48 rebind 49 req_forced_op 50 update 51 use 52}; 53 54# vold needs to call keystore methods 55allow vold keystore:binder call; 56 57# vold needs to find keystore2 services 58allow vold keystore_service:service_manager find; 59allow vold keystore_maintenance_service:service_manager find; 60 61# vold needs to be able to call earlyBootEnded() and deleteAllKeys() 62allow vold keystore:keystore2 early_boot_ended; 63allow vold keystore:keystore2 delete_all_keys; 64 65is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, ` 66 allow vold storage_area_app_dir:dir search; 67 # Allow vold to get the encryption policy and 68 # verify the ownership of storage areas 69 allow vold storage_area_dir:dir { 70 read 71 open 72 getattr 73 ioctl 74 }; 75') 76 77# when a storage area is created (with `openStorageArea`), vold creates the key 78# and when a storage area is deleted (with `deleteStorageArea`), vold deletes the key 79is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, ` 80 allow vold storage_area_key_file:file create_file_perms; 81 allow vold storage_area_key_file:dir create_dir_perms; 82') 83 84# Allow vold to create and delete per-user directories like /data/user/$userId. 85allow vold { 86 media_userdir_file 87 system_userdir_file 88 vendor_userdir_file 89}:dir { 90 add_name 91 remove_name 92 write 93}; 94 95# Read already opened /cache files. 96allow vold cache_file:dir r_dir_perms; 97allow vold cache_file:file { getattr read }; 98allow vold cache_file:lnk_file r_file_perms; 99 100r_dir_file(vold, { sysfs_type -sysfs_batteryinfo }) 101# XXX Label sysfs files with a specific type? 102allow vold { 103 sysfs # writing to /sys/*/uevent during coldboot. 104 sysfs_devices_block 105 sysfs_dm 106 sysfs_loop # writing to /sys/block/loop*/uevent during coldboot. 107 sysfs_usb 108 sysfs_zram_uevent 109 sysfs_fs_f2fs 110}:file w_file_perms; 111 112r_dir_file(vold, rootfs) 113r_dir_file(vold, metadata_file) 114allow vold { 115 proc # b/67049235 processes /proc/<pid>/* files are mislabeled. 116 proc_bootconfig 117 proc_cmdline 118 proc_drop_caches 119 proc_filesystems 120 proc_meminfo 121 proc_mounts 122}:file r_file_perms; 123 124#Get file contexts 125allow vold file_contexts_file:file r_file_perms; 126 127# Allow us to jump into execution domains of above tools 128allow vold self:process setexec; 129 130# For formatting adoptable storage devices 131allow vold e2fs_exec:file rx_file_perms; 132 133# Run fstrim on mounted partitions 134# allowxperm still requires the ioctl permission for the individual type 135allowxperm vold { fs_type file_type }:dir ioctl FITRIM; 136 137# Get/set file-based encryption policies on dirs in /data and adoptable storage, 138# and add/remove file-based encryption keys. 139allowxperm vold data_file_type:dir ioctl { 140 FS_IOC_GET_ENCRYPTION_POLICY 141 FS_IOC_GET_ENCRYPTION_POLICY_EX 142 FS_IOC_SET_ENCRYPTION_POLICY 143 FS_IOC_ADD_ENCRYPTION_KEY 144 FS_IOC_REMOVE_ENCRYPTION_KEY 145 FS_IOC_GET_ENCRYPTION_KEY_STATUS 146}; 147 148# Allow securely erasing crypto key files. F2FS_IOC_SEC_TRIM_FILE is 149# tried first. Otherwise, FS_IOC_FIEMAP is needed to get the 150# location of the file's blocks on the raw block device to erase. 151allowxperm vold { 152 vold_data_file 153 vold_metadata_file 154 is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_key_file') 155}:file ioctl { 156 F2FS_IOC_SEC_TRIM_FILE 157 FS_IOC_FIEMAP 158}; 159 160typeattribute vold mlstrustedsubject; 161allow vold self:process setfscreate; 162allow vold system_file:file x_file_perms; 163not_full_treble(`allow vold vendor_file:file x_file_perms;') 164allow vold block_device:dir create_dir_perms; 165allow vold device:dir write; 166allow vold devpts:chr_file rw_file_perms; 167allow vold rootfs:dir mounton; 168allow vold { sdcard_type fuse }:dir mounton; # TODO: deprecated in M 169allow vold { sdcard_type fuse }:filesystem { mount remount unmount }; # TODO: deprecated in M 170 171# Manage locations where storage is mounted 172allow vold { mnt_media_rw_file storage_file sdcard_type fuse }:dir create_dir_perms; 173allow vold { mnt_media_rw_file storage_file sdcard_type fuse }:file create_file_perms; 174 175# Access to storage that backs emulated FUSE daemons for migration optimization 176allow vold media_rw_data_file:dir create_dir_perms; 177allow vold media_rw_data_file:file create_file_perms; 178# Allow mounting (lower filesystem) on parts of media for performance 179allow vold media_rw_data_file:dir mounton; 180 181# Allow setting project quota IDs and enabling project ID inheritance on 182# /data/media/$userId/* and /mnt/expand/$volume/media/$userId/* 183allowxperm vold media_rw_data_file:{ dir file } ioctl { 184 FS_IOC_FSGETXATTR 185 FS_IOC_FSSETXATTR 186 FS_IOC_GETFLAGS 187 FS_IOC_SETFLAGS 188}; 189 190# Allow mounting of storage devices 191allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr }; 192 193# Manage per-user primary symlinks 194allow vold mnt_user_file:dir { create_dir_perms mounton }; 195allow vold mnt_user_file:lnk_file create_file_perms; 196allow vold mnt_user_file:file create_file_perms; 197 198# Manage per-user pass_through primary symlinks 199allow vold mnt_pass_through_file:dir { create_dir_perms mounton }; 200allow vold mnt_pass_through_file:lnk_file create_file_perms; 201 202# Allow to create and mount expanded storage 203allow vold mnt_expand_file:dir { create_dir_perms mounton }; 204allow vold apk_data_file:dir { create getattr setattr }; 205allow vold shell_data_file:dir { create getattr setattr }; 206allow vold system_userdir_file:dir { create getattr setattr }; 207allow vold media_userdir_file:dir { create getattr setattr open read ioctl }; 208# Needed to set the casefold flag on /mnt/expand/$volume/media 209allowxperm vold media_userdir_file:dir ioctl { FS_IOC_GETFLAGS FS_IOC_SETFLAGS }; 210 211# Allow to mount incremental file system on /data/incremental and create files 212allow vold apk_data_file:dir { mounton rw_dir_perms }; 213# Allow to create and write files in /data/incremental 214allow vold apk_data_file:file { rw_file_perms unlink }; 215# Allow to bind-mount incremental file system on /data/app/vmdl*.tmp and read files 216allow vold apk_tmp_file:dir { mounton r_dir_perms }; 217# Allow to read incremental control file and call selinux restorecon on it 218allow vold incremental_control_file:file { r_file_perms relabelto }; 219 220allow vold tmpfs:filesystem { mount unmount }; 221allow vold tmpfs:dir create_dir_perms; 222allow vold tmpfs:dir mounton; 223allow vold self:global_capability_class_set { net_admin dac_override dac_read_search mknod sys_admin chown fowner fsetid }; 224allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; 225allow vold loop_control_device:chr_file rw_file_perms; 226allow vold loop_device:blk_file { create setattr unlink rw_file_perms }; 227allowxperm vold loop_device:blk_file ioctl { 228 LOOP_CLR_FD 229 LOOP_CTL_GET_FREE 230 LOOP_GET_STATUS64 231 LOOP_SET_FD 232 LOOP_SET_STATUS64 233}; 234allow vold vold_device:blk_file { create setattr unlink rw_file_perms }; 235allowxperm vold vold_device:blk_file ioctl { BLKDISCARD BLKGETSIZE }; 236allow vold dm_device:chr_file rw_file_perms; 237allow vold dm_device:blk_file rw_file_perms; 238allowxperm vold dm_device:blk_file ioctl { BLKDISCARD BLKSECDISCARD BLKREPORTZONE BLKRESETZONE BLKROSET BLKROGET }; 239# For vold Process::killProcessesWithOpenFiles function. 240allow vold domain:dir r_dir_perms; 241allow vold domain:{ file lnk_file } r_file_perms; 242allow vold domain:process { signal sigkill }; 243allow vold self:global_capability_class_set { sys_ptrace kill }; 244 245allow vold kmsg_device:chr_file rw_file_perms; 246 247# Run fsck in the fsck domain. 248allow vold fsck_exec:file { r_file_perms execute }; 249 250# Log fsck results 251allow vold fscklogs:dir rw_dir_perms; 252allow vold fscklogs:file create_file_perms; 253 254# Mount and unmount filesystems. 255allow vold labeledfs:filesystem { mount unmount remount }; 256 257# Create and mount on /data/tmp_mnt and management of expansion mounts 258# 259# Also rename per-user encrypted directories such as /data/user/10 from their 260# temporary name ("10.new") to their final name ("10"). 261allow vold { 262 system_data_file 263 system_data_root_file 264}:dir { create_dir_perms mounton }; 265allow vold system_data_file:lnk_file getattr; 266 267# Vold create users in /data/vendor_{ce,de}/[0-9]+ 268allow vold vendor_data_file:dir create_dir_perms; 269 270# for secdiscard 271allow vold system_data_file:file read; 272 273# Set scheduling policy of kernel processes 274allow vold kernel:process setsched; 275 276# ASEC 277allow vold asec_image_file:file create_file_perms; 278allow vold asec_image_file:dir rw_dir_perms; 279allow vold asec_apk_file:dir { create_dir_perms mounton relabelfrom relabelto }; 280allow vold asec_public_file:dir { relabelto setattr }; 281allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto }; 282allow vold asec_public_file:file { relabelto setattr }; 283# restorecon files in asec containers created on 4.2 or earlier. 284allow vold unlabeled:dir { r_dir_perms setattr relabelfrom }; 285allow vold unlabeled:file { r_file_perms setattr relabelfrom }; 286 287# Access to FUSE control filesystem to hard-abort FUSE mounts 288allow vold fusectlfs:file rw_file_perms; 289allow vold fusectlfs:dir rw_dir_perms; 290 291# Allow vold to use wake locks. Needed for idle maintenance and moving storage. 292wakelock_use(vold) 293 294# Allow vold to publish a binder service and make binder calls. 295binder_use(vold) 296add_service(vold, vold_service) 297 298# Allow vold to call into the system server so it can check permissions. 299binder_call(vold, system_server) 300allow vold permission_service:service_manager find; 301 302# talk to health storage HAL 303hal_client_domain(vold, hal_health_storage) 304 305# talk to bootloader HAL 306full_treble_only(`hal_client_domain(vold, hal_bootctl)') 307 308# Access userdata block device. 309allow vold userdata_block_device:blk_file rw_file_perms; 310allowxperm vold userdata_block_device:blk_file ioctl BLKSECDISCARD; 311 312# Access zoned block device. 313allow vold zoned_block_device:blk_file rw_file_perms; 314 315# Access metadata block device used for encryption meta-data. 316allow vold metadata_block_device:blk_file rw_file_perms; 317allowxperm vold metadata_block_device:blk_file ioctl BLKSECDISCARD; 318 319# Allow vold to manipulate /data/unencrypted 320allow vold unencrypted_data_file:{ file } create_file_perms; 321allow vold unencrypted_data_file:dir create_dir_perms; 322 323# Write to /proc/sys/vm/drop_caches 324allow vold proc_drop_caches:file w_file_perms; 325 326# Give vold a place where only vold can store files; everyone else is off limits 327allow vold vold_data_file:dir create_dir_perms; 328allow vold vold_data_file:file create_file_perms; 329 330# And a similar place in the metadata partition 331allow vold vold_metadata_file:dir create_dir_perms; 332allow vold vold_metadata_file:file create_file_perms; 333 334# linux keyring configuration 335allow vold init:key { write search setattr }; 336allow vold vold:key { write search setattr }; 337 338# vold temporarily changes its priority when running benchmarks 339allow vold self:global_capability_class_set sys_nice; 340 341# vold needs to chroot into app namespaces to remount when runtime permissions change 342allow vold self:global_capability_class_set sys_chroot; 343allow vold storage_file:dir mounton; 344 345# For AppFuse. 346allow vold fuse_device:chr_file rw_file_perms; 347allow vold fuse:filesystem { relabelfrom }; 348allow vold app_fusefs:filesystem { relabelfrom relabelto }; 349allow vold app_fusefs:filesystem { mount unmount }; 350allow vold app_fuse_file:dir rw_dir_perms; 351allow vold app_fuse_file:file { read write open getattr append }; 352 353# MoveStorage.cpp executes cp and rm 354allow vold toolbox_exec:file rx_file_perms; 355 356# Prepare profile dir for users. 357allow vold { user_profile_data_file user_profile_root_file }:dir create_dir_perms; 358 359# Raw writes to misc block device 360allow vold misc_block_device:blk_file w_file_perms; 361 362# vold might need to search or mount /mnt/vendor/* 363allow vold mnt_vendor_file:dir search; 364 365dontaudit vold self:global_capability_class_set sys_resource; 366 367dontaudit vold self:capability sys_rawio; 368 369# Allow ReadDefaultFstab(). 370read_fstab(vold) 371 372# vold might need to search loopback apex files 373allow vold vendor_apex_file:file r_file_perms; 374 375### 376### Neverallow rules 377### 378 379neverallow { 380 domain 381 -system_server 382 -vdc 383 -vold 384 -update_verifier 385 -apexd 386 -gsid 387} vold_service:service_manager find; 388 389# Only vold should create (and delete) per-user directories like 390# /data/user/$userId. This is very important, as these directories need to be 391# encrypted with per-user keys, which only vold can do. Encryption can only be 392# set up on empty directories, so creation and encryption must happen together. 393neverallow { 394 domain 395 -vold 396} { 397 media_userdir_file 398 system_userdir_file 399 vendor_userdir_file 400}:dir { 401 add_name 402 remove_name 403 write 404}; 405 406# Only vold and init should ever set file-based encryption policies. 407neverallowxperm { 408 domain 409 -vold 410 -init 411 -vendor_init 412 is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, ` -vold_prepare_subdirs ') 413} data_file_type:dir ioctl { FS_IOC_SET_ENCRYPTION_POLICY }; 414 415# Only vold should ever add/remove file-based encryption keys. 416neverallowxperm { 417 domain 418 -vold 419} data_file_type:dir ioctl { FS_IOC_ADD_ENCRYPTION_KEY FS_IOC_REMOVE_ENCRYPTION_KEY FS_IOC_GET_ENCRYPTION_KEY_STATUS }; 420 421neverallow { 422 domain 423 -vold 424 -vold_prepare_subdirs 425} vold_data_file:dir ~{ open create read getattr setattr search relabelfrom relabelto ioctl }; 426 427neverallow { 428 domain 429 -init 430 -vold 431 -vold_prepare_subdirs 432} vold_data_file:dir *; 433 434neverallow { 435 domain 436 -init 437 -vold 438} vold_metadata_file:dir *; 439 440neverallow { 441 domain 442 -kernel 443 -vold 444 -vold_prepare_subdirs 445} vold_data_file:notdevfile_class_set ~{ relabelto getattr }; 446 447neverallow { 448 domain 449 -init 450 -vold 451 -vold_prepare_subdirs 452} vold_metadata_file:notdevfile_class_set ~{ relabelto getattr }; 453 454neverallow { 455 domain 456 -init 457 -kernel 458 -vold 459 -vold_prepare_subdirs 460} { vold_data_file vold_metadata_file }:notdevfile_class_set *; 461 462neverallow { domain -vold -init } restorecon_prop:property_service set; 463 464neverallow vold { 465 domain 466 -hal_health_storage_server 467 -hal_keymaster_server 468 -system_suspend_server 469 -hal_bootctl_server 470 -hwservicemanager 471 -keystore 472 -servicemanager 473 -system_server 474 userdebug_or_eng(`-su') 475}:binder call; 476 477neverallow vold fsck_exec:file execute_no_trans; 478neverallow { domain -init } vold:process { transition dyntransition }; 479neverallow vold *:process ptrace; 480neverallow vold *:rawip_socket *; 481