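# volume manager
#
# Domain policy for vold, the storage/volume daemon.  Every rule below grants
# access to the single domain vold (declared here); the neverallow rules at the
# end of the file restrict which other domains may reach vold private files,
# its properties and its binder interface.  NOTE(review): permission macros
# such as r_file_perms, create_dir_perms and the *_prop / binder_* / hal_*
# macros expand to sets defined elsewhere in the policy and are not visible in
# this file.
type vold, domain;
type vold_exec, exec_type, file_type;

# Read already opened /cache files.
allow vold cache_file:dir r_dir_perms;
allow vold cache_file:file { getattr read };
allow vold cache_file:lnk_file r_file_perms;

# Read access to pseudo filesystems.
r_dir_file(vold, proc_net)
r_dir_file(vold, sysfs_type)
# XXX Label sysfs files with a specific type?
# NOTE(review): sysfs here is presumably the generic label for sysfs nodes that
# carry no more specific type, which would make the write rule below broader
# than the uevent files it is meant for; the three rules after it name
# specific types and are the narrowed cases.
allow vold sysfs:file w_file_perms; # writing to /sys/*/uevent during coldboot.
allow vold sysfs_dm:file w_file_perms;
allow vold sysfs_usb:file w_file_perms;
allow vold sysfs_zram_uevent:file w_file_perms;

r_dir_file(vold, rootfs)
r_dir_file(vold, metadata_file)
allow vold {
  proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
  proc_cmdline
  proc_drop_caches
  proc_filesystems
  proc_meminfo
  proc_mounts
}:file r_file_perms;

#Get file contexts
allow vold file_contexts_file:file r_file_perms;

# Allow us to jump into execution domains of above tools
# (setexec: vold may set the domain that its next exec() will run in.)
allow vold self:process setexec;

# For sgdisk launched through popen()
allow vold shell_exec:file rx_file_perms;

# For formatting adoptable storage devices
allow vold e2fs_exec:file rx_file_perms;

# mlstrustedsubject exempts vold from MLS constraints defined elsewhere in the
# policy; which constraints that relaxes is not visible in this file.
typeattribute vold mlstrustedsubject;
# setfscreate: vold may choose the label of files it creates.
allow vold self:process setfscreate;
allow vold system_file:file x_file_perms;
not_full_treble(`allow vold vendor_file:file x_file_perms;')
allow vold block_device:dir create_dir_perms;
allow vold device:dir write;
allow vold devpts:chr_file rw_file_perms;
allow vold rootfs:dir mounton;
allow vold sdcard_type:dir mounton; # TODO: deprecated in M
allow vold sdcard_type:filesystem { mount remount unmount }; # TODO: deprecated in M
allow vold sdcard_type:dir create_dir_perms; # TODO: deprecated in M
allow vold sdcard_type:file create_file_perms; # TODO: deprecated in M

# Manage locations where storage is mounted
allow vold { mnt_media_rw_file storage_file sdcard_type }:dir create_dir_perms;
allow vold { mnt_media_rw_file storage_file sdcard_type }:file create_file_perms;

# Access to storage that backs emulated FUSE daemons for migration optimization
allow vold media_rw_data_file:dir create_dir_perms;
allow vold media_rw_data_file:file create_file_perms;

# Allow mounting of storage devices
allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr };

# Manage per-user primary symlinks
allow vold mnt_user_file:dir create_dir_perms;
allow vold mnt_user_file:lnk_file create_file_perms;

# Allow to create and mount expanded storage
allow vold mnt_expand_file:dir { create_dir_perms mounton };
allow vold apk_data_file:dir { create getattr setattr };
allow vold shell_data_file:dir { create getattr setattr };

allow vold tmpfs:filesystem { mount unmount };
allow vold tmpfs:dir create_dir_perms;
allow vold tmpfs:dir mounton;
# Process capabilities.  sys_admin is what mount(2)/umount(2) require; mknod
# presumably backs the blk_file create rules on loop_device/vold_device below;
# dac_override bypasses DAC permission checks entirely and is the broadest
# grant in this set.  NOTE(review): what net_admin, chown, fowner and fsetid
# are needed for is not evident from this file.
allow vold self:global_capability_class_set { net_admin dac_override mknod sys_admin chown fowner fsetid };
allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
allow vold app_data_file:dir search;
allow vold app_data_file:file rw_file_perms;
allow vold loop_control_device:chr_file rw_file_perms;
allow vold loop_device:blk_file { create setattr unlink rw_file_perms };
allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
allow vold dm_device:chr_file rw_file_perms;
allow vold dm_device:blk_file rw_file_perms;
# For vold Process::killProcessesWithOpenFiles function.
# These rules let vold read directories and files of every domain and signal
# any process.  The neverallow at the end of this file still forbids vold from
# ptrace-ing any process, so sys_ptrace here is not paired with process:ptrace.
allow vold domain:dir r_dir_perms;
allow vold domain:{ file lnk_file } r_file_perms;
allow vold domain:process { signal sigkill };
allow vold self:global_capability_class_set { sys_ptrace kill };

allow vold kmsg_device:chr_file rw_file_perms;

# Run fsck in the fsck domain.
# Only read and execute are granted; execute_no_trans is denied by a neverallow
# at the end of this file, so fsck can only run through a domain transition
# (the transition rule itself lives elsewhere in the policy).
allow vold fsck_exec:file { r_file_perms execute };

# Log fsck results
allow vold fscklogs:dir rw_dir_perms;
allow vold fscklogs:file create_file_perms;

#
# Rules to support encrypted fs support.
#

# Unmount and mount the fs.
allow vold labeledfs:filesystem { mount unmount };

# Access /efs/userdata_footer.
# XXX Split into a separate type?
allow vold efs_file:file rw_file_perms;

# Create and mount on /data/tmp_mnt and management of expansion mounts
allow vold system_data_file:dir { create rw_dir_perms mounton setattr rmdir };
allow vold system_data_file:lnk_file getattr;

# Vold create users in /data/vendor_{ce,de}/[0-9]+
allow vold vendor_data_file:dir create_dir_perms;

# for secdiscard
allow vold system_data_file:file read;

# Set scheduling policy of kernel processes
allow vold kernel:process setsched;

# Property Service
# restorecon_prop is additionally guarded by a neverallow at the end of this
# file so that only vold and init may set it.
set_prop(vold, vold_prop)
set_prop(vold, exported_vold_prop)
set_prop(vold, exported2_vold_prop)
set_prop(vold, powerctl_prop)
set_prop(vold, ctl_fuse_prop)
set_prop(vold, restorecon_prop)

# ASEC
allow vold asec_image_file:file create_file_perms;
allow vold asec_image_file:dir rw_dir_perms;
allow vold asec_apk_file:dir { create_dir_perms mounton relabelfrom relabelto };
allow vold asec_public_file:dir { relabelto setattr };
allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto };
allow vold asec_public_file:file { relabelto setattr };
# restorecon files in asec containers created on 4.2 or earlier.
allow vold unlabeled:dir { r_dir_perms setattr relabelfrom };
allow vold unlabeled:file { r_file_perms setattr relabelfrom };

# Handle wake locks (used for device encryption)
wakelock_use(vold)

# Allow vold to publish a binder service and make binder calls.
# The neverallow rules at the end of this file limit who may find vold_service
# (system_server, vdc, vold) and which domains vold itself may call.
binder_use(vold)
add_service(vold, vold_service)

# Allow vold to call into the system server so it can check permissions.
binder_call(vold, system_server)
allow vold permission_service:service_manager find;

# talk to batteryservice
binder_call(vold, healthd)

# talk to keymaster
hal_client_domain(vold, hal_keymaster)

# Access userdata block device.
allow vold userdata_block_device:blk_file rw_file_perms;

# Access metadata block device used for encryption meta-data.
allow vold metadata_block_device:blk_file rw_file_perms;

# Allow vold to manipulate /data/unencrypted
allow vold unencrypted_data_file:{ file } create_file_perms;
allow vold unencrypted_data_file:dir create_dir_perms;

# Write to /proc/sys/vm/drop_caches
allow vold proc_drop_caches:file w_file_perms;

# Give vold a place where only vold can store files; everyone else is off limits
# (enforced by the vold_data_file neverallow rules at the end of this file).
allow vold vold_data_file:dir create_dir_perms;
allow vold vold_data_file:file create_file_perms;

# And a similar place in the metadata partition
allow vold vold_metadata_file:dir create_dir_perms;
allow vold vold_metadata_file:file create_file_perms;

# linux keyring configuration
# vold may write, search and setattr keys owned by init and by itself; no read
# permission on keys is granted here.
allow vold init:key { write search setattr };
allow vold vold:key { write search setattr };

# vold temporarily changes its priority when running benchmarks
allow vold self:global_capability_class_set sys_nice;

# vold needs to chroot into app namespaces to remount when runtime permissions change
allow vold self:global_capability_class_set sys_chroot;
allow vold storage_file:dir mounton;

# For AppFuse.
allow vold fuse_device:chr_file rw_file_perms;
allow vold fuse:filesystem { relabelfrom };
allow vold app_fusefs:filesystem { relabelfrom relabelto };
allow vold app_fusefs:filesystem { mount unmount };

# MoveTask.cpp executes cp and rm
allow vold toolbox_exec:file rx_file_perms;

# Prepare profile dir for users.
allow vold user_profile_data_file:dir create_dir_perms;

# Raw writes to misc block device
allow vold misc_block_device:blk_file w_file_perms;

# Only vold and vold_prepare_subdirs may do anything beyond the listed
# open/create/read/lookup/relabel operations on vold_data_file directories.
neverallow {
    domain
    -vold
    -vold_prepare_subdirs
} vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };

# Combined with the rule above: init is limited to that listed set, and every
# other domain except vold and vold_prepare_subdirs gets no dir access at all.
neverallow {
    domain
    -init
    -vold
    -vold_prepare_subdirs
} vold_data_file:dir *;

# vold_metadata_file directories: only init, vendor_init and vold.
neverallow {
    domain
    -init
    -vendor_init
    -vold
} vold_metadata_file:dir *;

# Non-directory objects under vold_data_file: domains other than kernel, vold
# and vold_prepare_subdirs may at most relabelto/getattr them.
neverallow {
    domain
    -kernel
    -vold
    -vold_prepare_subdirs
} vold_data_file:notdevfile_class_set ~{ relabelto getattr };

# Same for vold_metadata_file, with init instead of kernel as the exception.
neverallow {
    domain
    -init
    -vold
    -vold_prepare_subdirs
} vold_metadata_file:notdevfile_class_set ~{ relabelto getattr };

# No non-directory access at all for any domain outside this exception list.
neverallow {
    domain
    -init
    -kernel
    -vendor_init
    -vold
    -vold_prepare_subdirs
} { vold_data_file vold_metadata_file }:notdevfile_class_set *;

# Only vold and init may set restorecon_prop.
neverallow { domain -vold -init } restorecon_prop:property_service set;

# Only system_server and vdc can interact with vold over binder
neverallow { domain -system_server -vdc -vold } vold_service:service_manager find;
# Outgoing binder calls from vold are limited to this list (plus su on
# userdebug/eng builds).
neverallow vold {
  domain
  -hal_keymaster_server
  -healthd
  -hwservicemanager
  -servicemanager
  -system_server
  userdebug_or_eng(`-su')
}:binder call;

# fsck must run through a domain transition, never inside the vold domain.
neverallow vold fsck_exec:file execute_no_trans;
# Only init may transition into the vold domain.
neverallow { domain -init } vold:process { transition dyntransition };
# vold never ptraces any process and never uses raw IP sockets.
neverallow vold *:process ptrace;
neverallow vold *:rawip_socket *;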