# volume manager (vold)
#
# vold is the daemon that mounts, unmounts and formats storage volumes and
# (see the "encrypted fs" section further down) drives device encryption.
# It gets its own executable type so that a domain transition into vold
# can be keyed on the binary rather than on whoever execs it.
type vold_exec, exec_type, file_type;
type vold, domain;

# Common rules for a daemon spawned by init (macro defined outside this
# file: presumably the init -> vold transition on vold_exec).
init_daemon_domain(vold)

# vold is exempt from MLS constraints. NOTE(review): this is presumably
# needed because it services volumes for every user/level on the device;
# it also means MLS gives no containment if vold is compromised.
typeattribute vold mlstrustedsubject;

# Execute helpers shipped in /system (fsck, presumably -- fsck results are
# logged below).
allow vold system_file:file x_file_perms;

# Create and manage device nodes under /dev (CAP_MKNOD is granted below).
allow vold block_device:dir create_dir_perms;
allow vold block_device:blk_file create_file_perms;
allow vold device:dir write;
allow vold devpts:chr_file rw_file_perms;

# Mount points: vold mounts on top of rootfs, sdcard_type and tmpfs
# directories and can mount/remount/unmount sdcard and tmpfs filesystems.
allow vold rootfs:dir mounton;
allow vold sdcard_type:dir mounton;
allow vold sdcard_type:filesystem { mount remount unmount };
allow vold sdcard_type:dir create_dir_perms;
allow vold sdcard_type:file create_file_perms;
allow vold tmpfs:filesystem { mount unmount };
allow vold tmpfs:dir create_dir_perms;
allow vold tmpfs:dir mounton;

# Capabilities.
# NOTE(review): sys_admin + dac_override + mknod together are close to
# unrestricted root on the kernel side (mount(2), bypassing DAC, device
# node creation). They are what a volume manager needs, but they make the
# file/device rules in this domain the only meaningful containment, so keep
# those tight.
allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner fsetid };

# NOTE(review): '*' grants every permission in the netlink_kobject_uevent_socket
# class, not only what is needed to create/bind/read the uevent socket
# (presumably for hotplug notifications). Consider listing the required
# permissions explicitly so the grant documents itself.
allow vold self:netlink_kobject_uevent_socket *;

# App-private data: directory lookup only (no listing), but full read/write
# on files. NOTE(review): presumably for container/OBB images living under
# app data -- confirm; rw on every app_data_file is a wide grant.
allow vold app_data_file:dir search;
allow vold app_data_file:file rw_file_perms;

# Loop and device-mapper devices (presumably backing container and
# encryption images, see the encrypted fs / ASEC sections below).
allow vold loop_device:blk_file rw_file_perms;
allow vold dm_device:chr_file rw_file_perms;

# For vold Process::killProcessesWithOpenFiles function.
# NOTE(review): this is the broadest grant in the file: read access to the
# per-process entries of *every* domain (presumably the /proc/<pid>/ tree,
# which carries the process's label) plus signal/sigkill on any process.
# sys_ptrace is presumably what lets vold read other uids' fd links there.
# Any bug in the matching logic lets vold kill arbitrary processes.
allow vold domain:dir r_dir_perms;
allow vold domain:{ file lnk_file } r_file_perms;
allow vold domain:process { signal sigkill };
allow vold self:capability { sys_ptrace kill };

# For blkid
# NOTE(review): blkid is presumably labeled shell_exec alongside the shell
# tools, so this rule allows vold to execute *anything* carrying that label,
# not only blkid. Giving blkid its own exec type would narrow it.
allow vold shell_exec:file rx_file_perms;

# XXX Label sysfs files with a specific type?
# NOTE(review): until sysfs is split into finer types this is read/write on
# every sysfs file, far beyond whatever storage-related nodes vold touches.
allow vold sysfs:file rw_file_perms;

# Allow writing to the kernel log (macro defined outside this file).
write_klog(vold)

# Log fsck results: vold creates/writes log files under the fscklogs
# directory and needs read/write on the directory itself to do so.
allow vold fscklogs:file create_file_perms;
allow vold fscklogs:dir rw_dir_perms;

#
# Rules to support encrypted fs support.
#

# Set property.
# vold talks to init's property socket (macro defined outside this file);
# which properties it may actually set is governed by the property_service
# rules further down.
unix_socket_connect(vold, property, init)

# Unmount and mount the fs.
# labeledfs covers the real (xattr-labeled) filesystems, presumably
# userdata here; this is what lets vold swap the encrypted fs in and out.
allow vold labeledfs:filesystem { mount unmount remount };

# Access /efs/userdata_footer.
# XXX Split into a separate type?
# NOTE(review): as written this is read/write on every efs_file, not only
# the crypto footer; anything else stored under that label is exposed to vold.
allow vold efs_file:file rw_file_perms;

# Create and mount on /data/tmp_mnt.
# NOTE(review): system_data_file is the label of most of /data, so this
# allows create + mounton on any such directory, not only /data/tmp_mnt.
allow vold system_data_file:dir { create rw_dir_perms mounton };

# Set scheduling policy of kernel processes
allow vold kernel:process setsched;

# Property Service
# vold-owned properties plus the power-control property (presumably used
# to reboot after enabling encryption -- confirm).
allow vold vold_prop:property_service set;
allow vold powerctl_prop:property_service set;
# NOTE(review): ctl_default_prop covers the ctl.* properties that ask init
# to start/stop services; with this, vold can start or stop any init
# service, not just the ones the encryption flow needs. Worth confirming
# which ones are required and whether a narrower property type exists.
allow vold ctl_default_prop:property_service set;

# ASEC
# Secure app containers: vold creates the container image files, and once
# mounted can relabel their contents between the private (asec_apk_file)
# and public (asec_public_file) labels, including setting attributes.
allow vold asec_image_file:file create_file_perms;
allow vold asec_image_file:dir rw_dir_perms;
# Both macros are defined outside this file. NOTE(review): relabelto_domain
# presumably grants relabelto more broadly than the two explicit rules
# below; check its definition to know the real relabel surface.
security_access_policy(vold)
relabelto_domain(vold)
allow vold asec_apk_file:dir { rw_dir_perms setattr relabelfrom };
allow vold asec_public_file:dir { relabelto setattr };
allow vold asec_apk_file:file { r_file_perms setattr relabelfrom };
allow vold asec_public_file:file { relabelto setattr };

# Handle wake locks (used for device encryption)
# Holding a wake lock needs both the capability and write access to the
# sysfs wake_lock/wake_unlock files, which carry their own label.
allow vold self:capability2 block_suspend;
allow vold sysfs_wake_lock:file rw_file_perms;