1# volume manager
2type vold, domain;
3type vold_exec, exec_type, file_type, system_file_type;
4
5# Read already opened /cache files.
6allow vold cache_file:dir r_dir_perms;
7allow vold cache_file:file { getattr read };
8allow vold cache_file:lnk_file r_file_perms;
9
10r_dir_file(vold, { sysfs_type -sysfs_batteryinfo })
11# XXX Label sysfs files with a specific type?
12allow vold {
13  sysfs # writing to /sys/*/uevent during coldboot.
14  sysfs_devices_block
15  sysfs_dm
16  sysfs_loop # writing to /sys/block/loop*/uevent during coldboot.
17  sysfs_usb
18  sysfs_zram_uevent
19  sysfs_fs_f2fs
20}:file w_file_perms;
21
22r_dir_file(vold, rootfs)
23r_dir_file(vold, metadata_file)
24allow vold {
25  proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
26  proc_cmdline
27  proc_drop_caches
28  proc_filesystems
29  proc_meminfo
30  proc_mounts
31}:file r_file_perms;
32
33#Get file contexts
34allow vold file_contexts_file:file r_file_perms;
35
36# Allow us to jump into execution domains of above tools
37allow vold self:process setexec;
38
39# For formatting adoptable storage devices
40allow vold e2fs_exec:file rx_file_perms;
41
42# Run fstrim on mounted partitions
43# allowxperm still requires the ioctl permission for the individual type
44allowxperm vold { fs_type file_type }:dir ioctl FITRIM;
45
46# Get/set file-based encryption policies on dirs in /data and adoptable storage,
47# and add/remove file-based encryption keys.
48allowxperm vold data_file_type:dir ioctl {
49  FS_IOC_GET_ENCRYPTION_POLICY
50  FS_IOC_SET_ENCRYPTION_POLICY
51  FS_IOC_ADD_ENCRYPTION_KEY
52  FS_IOC_REMOVE_ENCRYPTION_KEY
53};
54
55# Only vold and init should ever set file-based encryption policies.
56neverallowxperm {
57  domain
58  -vold
59  -init
60  -vendor_init
61} data_file_type:dir ioctl { FS_IOC_SET_ENCRYPTION_POLICY };
62
63# Only vold should ever add/remove file-based encryption keys.
64neverallowxperm {
65  domain
66  -vold
67} data_file_type:dir ioctl { FS_IOC_ADD_ENCRYPTION_KEY FS_IOC_REMOVE_ENCRYPTION_KEY };
68
69# Find the location on the raw block device where the
70# crypto key is stored so it can be destroyed
71allowxperm vold vold_data_file:file ioctl {
72  FS_IOC_FIEMAP
73};
74
75typeattribute vold mlstrustedsubject;
76allow vold self:process setfscreate;
77allow vold system_file:file x_file_perms;
78not_full_treble(`allow vold vendor_file:file x_file_perms;')
79allow vold block_device:dir create_dir_perms;
80allow vold device:dir write;
81allow vold devpts:chr_file rw_file_perms;
82allow vold rootfs:dir mounton;
83allow vold sdcard_type:dir mounton; # TODO: deprecated in M
84allow vold sdcard_type:filesystem { mount remount unmount }; # TODO: deprecated in M
85allow vold sdcard_type:dir create_dir_perms; # TODO: deprecated in M
86allow vold sdcard_type:file create_file_perms; # TODO: deprecated in M
87
88# Manage locations where storage is mounted
89allow vold { mnt_media_rw_file storage_file sdcard_type }:dir create_dir_perms;
90allow vold { mnt_media_rw_file storage_file sdcard_type }:file create_file_perms;
91
92# Access to storage that backs emulated FUSE daemons for migration optimization
93allow vold media_rw_data_file:dir create_dir_perms;
94allow vold media_rw_data_file:file create_file_perms;
95# Allow mounting (lower filesystem) on parts of media for performance
96allow vold media_rw_data_file:dir mounton;
97
98# Allow setting extended attributes (for project quota IDs) on files and dirs
99# and to enable project ID inheritance through FS_IOC_SETFLAGS
100allowxperm vold media_rw_data_file:{ dir file } ioctl {
101  FS_IOC_FSGETXATTR
102  FS_IOC_FSSETXATTR
103  FS_IOC_GETFLAGS
104  FS_IOC_SETFLAGS
105};
106
107# Allow mounting of storage devices
108allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr };
109
110# Manage per-user primary symlinks
111allow vold mnt_user_file:dir { create_dir_perms mounton };
112allow vold mnt_user_file:lnk_file create_file_perms;
113allow vold mnt_user_file:file create_file_perms;
114
115# Manage per-user pass_through primary symlinks
116allow vold mnt_pass_through_file:dir { create_dir_perms mounton };
117allow vold mnt_pass_through_file:lnk_file create_file_perms;
118
119# Allow to create and mount expanded storage
120allow vold mnt_expand_file:dir { create_dir_perms mounton };
121allow vold apk_data_file:dir { create getattr setattr };
122allow vold shell_data_file:dir { create getattr setattr };
123
124# Allow to mount incremental file system on /data/incremental and create files
125allow vold apk_data_file:dir { mounton rw_dir_perms };
126# Allow to create and write files in /data/incremental
127allow vold apk_data_file:file rw_file_perms;
128# Allow to bind-mount incremental file system on /data/app/vmdl*.tmp and read files
129allow vold apk_tmp_file:dir { mounton r_dir_perms };
130# Allow to read incremental control file and call selinux restorecon on it
131allow vold incremental_control_file:file { r_file_perms relabelto };
132
133allow vold tmpfs:filesystem { mount unmount };
134allow vold tmpfs:dir create_dir_perms;
135allow vold tmpfs:dir mounton;
136allow vold self:global_capability_class_set { net_admin dac_override dac_read_search mknod sys_admin chown fowner fsetid };
137allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
138allow vold loop_control_device:chr_file rw_file_perms;
139allow vold loop_device:blk_file { create setattr unlink rw_file_perms };
140allowxperm vold loop_device:blk_file ioctl {
141  LOOP_CLR_FD
142  LOOP_CTL_GET_FREE
143  LOOP_GET_STATUS64
144  LOOP_SET_FD
145  LOOP_SET_STATUS64
146};
147allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
148allowxperm vold vold_device:blk_file ioctl { BLKDISCARD BLKGETSIZE };
149allow vold dm_device:chr_file rw_file_perms;
150allow vold dm_device:blk_file rw_file_perms;
151allowxperm vold dm_device:blk_file ioctl BLKSECDISCARD;
152# For vold Process::killProcessesWithOpenFiles function.
153allow vold domain:dir r_dir_perms;
154allow vold domain:{ file lnk_file } r_file_perms;
155allow vold domain:process { signal sigkill };
156allow vold self:global_capability_class_set { sys_ptrace kill };
157
158allow vold kmsg_device:chr_file rw_file_perms;
159
160# Run fsck in the fsck domain.
161allow vold fsck_exec:file { r_file_perms execute };
162
163# Log fsck results
164allow vold fscklogs:dir rw_dir_perms;
165allow vold fscklogs:file create_file_perms;
166
167#
168# Rules to support encrypted fs support.
169#
170
171# Unmount and mount the fs.
172allow vold labeledfs:filesystem { mount unmount remount };
173
174# Access /efs/userdata_footer.
175# XXX Split into a separate type?
176allow vold efs_file:file rw_file_perms;
177
178# Create and mount on /data/tmp_mnt and management of expansion mounts
179allow vold {
180    system_data_file
181    system_data_root_file
182}:dir { create rw_dir_perms mounton setattr rmdir };
183allow vold system_data_file:lnk_file getattr;
184
185# Vold create users in /data/vendor_{ce,de}/[0-9]+
186allow vold vendor_data_file:dir create_dir_perms;
187
188# for secdiscard
189allow vold system_data_file:file read;
190
191# Set scheduling policy of kernel processes
192allow vold kernel:process setsched;
193
194# Property Service
195set_prop(vold, vold_prop)
196set_prop(vold, exported_vold_prop)
197set_prop(vold, exported2_vold_prop)
198set_prop(vold, powerctl_prop)
199set_prop(vold, ctl_fuse_prop)
200set_prop(vold, restorecon_prop)
201set_prop(vold, ota_prop)
202set_prop(vold, boottime_prop)
203set_prop(vold, boottime_public_prop)
204get_prop(vold, storage_config_prop)
205get_prop(vold, incremental_prop)
206
207# ASEC
208allow vold asec_image_file:file create_file_perms;
209allow vold asec_image_file:dir rw_dir_perms;
210allow vold asec_apk_file:dir { create_dir_perms mounton relabelfrom relabelto };
211allow vold asec_public_file:dir { relabelto setattr };
212allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto };
213allow vold asec_public_file:file { relabelto setattr };
214# restorecon files in asec containers created on 4.2 or earlier.
215allow vold unlabeled:dir { r_dir_perms setattr relabelfrom };
216allow vold unlabeled:file { r_file_perms setattr relabelfrom };
217
218# Access to FUSE control filesystem to hard-abort FUSE mounts
219allow vold fusectlfs:file rw_file_perms;
220allow vold fusectlfs:dir rw_dir_perms;
221
222# Handle wake locks (used for device encryption)
223wakelock_use(vold)
224
225# Allow vold to publish a binder service and make binder calls.
226binder_use(vold)
227add_service(vold, vold_service)
228
229# Allow vold to call into the system server so it can check permissions.
230binder_call(vold, system_server)
231allow vold permission_service:service_manager find;
232
233# talk to batteryservice
234binder_call(vold, healthd)
235
236# talk to keymaster
237hal_client_domain(vold, hal_keymaster)
238
239# talk to health storage HAL
240hal_client_domain(vold, hal_health_storage)
241
242# talk to bootloader HAL
243full_treble_only(`hal_client_domain(vold, hal_bootctl)')
244
245# Access userdata block device.
246allow vold userdata_block_device:blk_file rw_file_perms;
247allowxperm vold userdata_block_device:blk_file ioctl BLKSECDISCARD;
248
249# Access metadata block device used for encryption meta-data.
250allow vold metadata_block_device:blk_file rw_file_perms;
251
252# Allow vold to manipulate /data/unencrypted
253allow vold unencrypted_data_file:{ file } create_file_perms;
254allow vold unencrypted_data_file:dir create_dir_perms;
255
256# Write to /proc/sys/vm/drop_caches
257allow vold proc_drop_caches:file w_file_perms;
258
259# Give vold a place where only vold can store files; everyone else is off limits
260allow vold vold_data_file:dir create_dir_perms;
261allow vold vold_data_file:file create_file_perms;
262
263# And a similar place in the metadata partition
264allow vold vold_metadata_file:dir create_dir_perms;
265allow vold vold_metadata_file:file create_file_perms;
266
267# linux keyring configuration
268allow vold init:key { write search setattr };
269allow vold vold:key { write search setattr };
270
271# vold temporarily changes its priority when running benchmarks
272allow vold self:global_capability_class_set sys_nice;
273
274# vold needs to chroot into app namespaces to remount when runtime permissions change
275allow vold self:global_capability_class_set sys_chroot;
276allow vold storage_file:dir mounton;
277
278# For AppFuse.
279allow vold fuse_device:chr_file rw_file_perms;
280allow vold fuse:filesystem { relabelfrom };
281allow vold app_fusefs:filesystem { relabelfrom relabelto };
282allow vold app_fusefs:filesystem { mount unmount };
283allow vold app_fuse_file:dir rw_dir_perms;
284allow vold app_fuse_file:file { read write open getattr append };
285
286# MoveTask.cpp executes cp and rm
287allow vold toolbox_exec:file rx_file_perms;
288
289# Prepare profile dir for users.
290allow vold user_profile_data_file:dir create_dir_perms;
291
292# Raw writes to misc block device
293allow vold misc_block_device:blk_file w_file_perms;
294
295# vold might need to search or mount /mnt/vendor/*
296allow vold mnt_vendor_file:dir search;
297
298dontaudit vold self:global_capability_class_set sys_resource;
299
300# vold needs to know whether we're running a GSI.
301allow vold gsi_metadata_file:dir r_dir_perms;
302allow vold gsi_metadata_file:file r_file_perms;
303
304neverallow {
305    domain
306    -vold
307    -vold_prepare_subdirs
308} vold_data_file:dir ~{ open create read getattr setattr search relabelfrom relabelto ioctl };
309
310neverallow {
311    domain
312    -init
313    -vold
314    -vold_prepare_subdirs
315} vold_data_file:dir *;
316
317neverallow {
318    domain
319    -init
320    -vold
321} vold_metadata_file:dir *;
322
323neverallow {
324    domain
325    -kernel
326    -vold
327    -vold_prepare_subdirs
328} vold_data_file:notdevfile_class_set ~{ relabelto getattr };
329
330neverallow {
331    domain
332    -init
333    -vold
334    -vold_prepare_subdirs
335} vold_metadata_file:notdevfile_class_set ~{ relabelto getattr };
336
337neverallow {
338    domain
339    -init
340    -kernel
341    -vold
342    -vold_prepare_subdirs
343} { vold_data_file vold_metadata_file }:notdevfile_class_set *;
344
345neverallow { domain -vold -init } restorecon_prop:property_service set;
346
347neverallow {
348    domain
349    -system_server
350    -vdc
351    -vold
352    -update_verifier
353    -apexd
354} vold_service:service_manager find;
355
356neverallow vold {
357  domain
358  -hal_health_storage_server
359  -hal_keymaster_server
360  -system_suspend_server
361  -hal_bootctl_server
362  -healthd
363  -hwservicemanager
364  -iorapd_service
365  -servicemanager
366  -system_server
367  userdebug_or_eng(`-su')
368}:binder call;
369
370neverallow vold fsck_exec:file execute_no_trans;
371neverallow { domain -init } vold:process { transition dyntransition };
372neverallow vold *:process ptrace;
373neverallow vold *:rawip_socket *;
374