1# volume manager
2type vold, domain;
3type vold_exec, exec_type, file_type, system_file_type;
4
5# Read already opened /cache files.
6allow vold cache_file:dir r_dir_perms;
7allow vold cache_file:file { getattr read };
8allow vold cache_file:lnk_file r_file_perms;
9
10r_dir_file(vold, { sysfs_type -sysfs_batteryinfo })
11# XXX Label sysfs files with a specific type?
12allow vold {
13  sysfs # writing to /sys/*/uevent during coldboot.
14  sysfs_devices_block
15  sysfs_dm
16  sysfs_loop # writing to /sys/block/loop*/uevent during coldboot.
17  sysfs_usb
18  sysfs_zram_uevent
19  sysfs_fs_f2fs
20}:file w_file_perms;
21
22r_dir_file(vold, rootfs)
23r_dir_file(vold, metadata_file)
24allow vold {
25  proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
26  proc_bootconfig
27  proc_cmdline
28  proc_drop_caches
29  proc_filesystems
30  proc_meminfo
31  proc_mounts
32}:file r_file_perms;
33
34#Get file contexts
35allow vold file_contexts_file:file r_file_perms;
36
37# Allow us to jump into execution domains of above tools
38allow vold self:process setexec;
39
40# For formatting adoptable storage devices
41allow vold e2fs_exec:file rx_file_perms;
42
43# Run fstrim on mounted partitions
44# allowxperm still requires the ioctl permission for the individual type
45allowxperm vold { fs_type file_type }:dir ioctl FITRIM;
46
47# Get/set file-based encryption policies on dirs in /data and adoptable storage,
48# and add/remove file-based encryption keys.
49allowxperm vold data_file_type:dir ioctl {
50  FS_IOC_GET_ENCRYPTION_POLICY
51  FS_IOC_SET_ENCRYPTION_POLICY
52  FS_IOC_ADD_ENCRYPTION_KEY
53  FS_IOC_REMOVE_ENCRYPTION_KEY
54};
55
56# Only vold and init should ever set file-based encryption policies.
57neverallowxperm {
58  domain
59  -vold
60  -init
61  -vendor_init
62} data_file_type:dir ioctl { FS_IOC_SET_ENCRYPTION_POLICY };
63
64# Only vold should ever add/remove file-based encryption keys.
65neverallowxperm {
66  domain
67  -vold
68} data_file_type:dir ioctl { FS_IOC_ADD_ENCRYPTION_KEY FS_IOC_REMOVE_ENCRYPTION_KEY };
69
70# Allow securely erasing crypto key files. F2FS_IOC_SEC_TRIM_FILE is
71# tried first. Otherwise, FS_IOC_FIEMAP is needed to get the
72# location of the file's blocks on the raw block device to erase.
73allowxperm vold {
74  vold_data_file
75  vold_metadata_file
76}:file ioctl {
77  F2FS_IOC_SEC_TRIM_FILE
78  FS_IOC_FIEMAP
79};
80
81typeattribute vold mlstrustedsubject;
82allow vold self:process setfscreate;
83allow vold system_file:file x_file_perms;
84not_full_treble(`allow vold vendor_file:file x_file_perms;')
85allow vold block_device:dir create_dir_perms;
86allow vold device:dir write;
87allow vold devpts:chr_file rw_file_perms;
88allow vold rootfs:dir mounton;
89allow vold sdcard_type:dir mounton; # TODO: deprecated in M
90allow vold sdcard_type:filesystem { mount remount unmount }; # TODO: deprecated in M
91allow vold sdcard_type:dir create_dir_perms; # TODO: deprecated in M
92allow vold sdcard_type:file create_file_perms; # TODO: deprecated in M
93
94# Manage locations where storage is mounted
95allow vold { mnt_media_rw_file storage_file sdcard_type }:dir create_dir_perms;
96allow vold { mnt_media_rw_file storage_file sdcard_type }:file create_file_perms;
97
98# Access to storage that backs emulated FUSE daemons for migration optimization
99allow vold media_rw_data_file:dir create_dir_perms;
100allow vold media_rw_data_file:file create_file_perms;
101# Allow mounting (lower filesystem) on parts of media for performance
102allow vold media_rw_data_file:dir mounton;
103
104# Allow setting extended attributes (for project quota IDs) on files and dirs
105# and to enable project ID inheritance through FS_IOC_SETFLAGS
106allowxperm vold media_rw_data_file:{ dir file } ioctl {
107  FS_IOC_FSGETXATTR
108  FS_IOC_FSSETXATTR
109  FS_IOC_GETFLAGS
110  FS_IOC_SETFLAGS
111};
112
113# Allow mounting of storage devices
114allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr };
115
116# Manage per-user primary symlinks
117allow vold mnt_user_file:dir { create_dir_perms mounton };
118allow vold mnt_user_file:lnk_file create_file_perms;
119allow vold mnt_user_file:file create_file_perms;
120
121# Manage per-user pass_through primary symlinks
122allow vold mnt_pass_through_file:dir { create_dir_perms mounton };
123allow vold mnt_pass_through_file:lnk_file create_file_perms;
124
125# Allow to create and mount expanded storage
126allow vold mnt_expand_file:dir { create_dir_perms mounton };
127allow vold apk_data_file:dir { create getattr setattr };
128allow vold shell_data_file:dir { create getattr setattr };
129
130# Allow to mount incremental file system on /data/incremental and create files
131allow vold apk_data_file:dir { mounton rw_dir_perms };
132# Allow to create and write files in /data/incremental
133allow vold apk_data_file:file { rw_file_perms unlink };
134# Allow to bind-mount incremental file system on /data/app/vmdl*.tmp and read files
135allow vold apk_tmp_file:dir { mounton r_dir_perms };
136# Allow to read incremental control file and call selinux restorecon on it
137allow vold incremental_control_file:file { r_file_perms relabelto };
138
139allow vold tmpfs:filesystem { mount unmount };
140allow vold tmpfs:dir create_dir_perms;
141allow vold tmpfs:dir mounton;
142allow vold self:global_capability_class_set { net_admin dac_override dac_read_search mknod sys_admin chown fowner fsetid };
143allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
144allow vold loop_control_device:chr_file rw_file_perms;
145allow vold loop_device:blk_file { create setattr unlink rw_file_perms };
146allowxperm vold loop_device:blk_file ioctl {
147  LOOP_CLR_FD
148  LOOP_CTL_GET_FREE
149  LOOP_GET_STATUS64
150  LOOP_SET_FD
151  LOOP_SET_STATUS64
152};
153allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
154allowxperm vold vold_device:blk_file ioctl { BLKDISCARD BLKGETSIZE };
155allow vold dm_device:chr_file rw_file_perms;
156allow vold dm_device:blk_file rw_file_perms;
157allowxperm vold dm_device:blk_file ioctl { BLKDISCARD BLKSECDISCARD };
158# For vold Process::killProcessesWithOpenFiles function.
159allow vold domain:dir r_dir_perms;
160allow vold domain:{ file lnk_file } r_file_perms;
161allow vold domain:process { signal sigkill };
162allow vold self:global_capability_class_set { sys_ptrace kill };
163
164allow vold kmsg_device:chr_file rw_file_perms;
165
166# Run fsck in the fsck domain.
167allow vold fsck_exec:file { r_file_perms execute };
168
169# Log fsck results
170allow vold fscklogs:dir rw_dir_perms;
171allow vold fscklogs:file create_file_perms;
172
173#
174# Rules to support encrypted fs support.
175#
176
177# Unmount and mount the fs.
178allow vold labeledfs:filesystem { mount unmount remount };
179
180# Access /efs/userdata_footer.
181# XXX Split into a separate type?
182allow vold efs_file:file rw_file_perms;
183
184# Create and mount on /data/tmp_mnt and management of expansion mounts
185allow vold {
186    system_data_file
187    system_data_root_file
188}:dir { create rw_dir_perms mounton setattr rmdir };
189allow vold system_data_file:lnk_file getattr;
190
191# Vold create users in /data/vendor_{ce,de}/[0-9]+
192allow vold vendor_data_file:dir create_dir_perms;
193
194# for secdiscard
195allow vold system_data_file:file read;
196
197# Set scheduling policy of kernel processes
198allow vold kernel:process setsched;
199
200# ASEC
201allow vold asec_image_file:file create_file_perms;
202allow vold asec_image_file:dir rw_dir_perms;
203allow vold asec_apk_file:dir { create_dir_perms mounton relabelfrom relabelto };
204allow vold asec_public_file:dir { relabelto setattr };
205allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto };
206allow vold asec_public_file:file { relabelto setattr };
207# restorecon files in asec containers created on 4.2 or earlier.
208allow vold unlabeled:dir { r_dir_perms setattr relabelfrom };
209allow vold unlabeled:file { r_file_perms setattr relabelfrom };
210
211# Access to FUSE control filesystem to hard-abort FUSE mounts
212allow vold fusectlfs:file rw_file_perms;
213allow vold fusectlfs:dir rw_dir_perms;
214
215# Handle wake locks (used for device encryption)
216wakelock_use(vold)
217
218# Allow vold to publish a binder service and make binder calls.
219binder_use(vold)
220add_service(vold, vold_service)
221
222# Allow vold to call into the system server so it can check permissions.
223binder_call(vold, system_server)
224allow vold permission_service:service_manager find;
225
226# talk to batteryservice
227binder_call(vold, healthd)
228
229# talk to keymaster
230hal_client_domain(vold, hal_keymaster)
231
232# talk to health storage HAL
233hal_client_domain(vold, hal_health_storage)
234
235# talk to bootloader HAL
236full_treble_only(`hal_client_domain(vold, hal_bootctl)')
237
238# Access userdata block device.
239allow vold userdata_block_device:blk_file rw_file_perms;
240allowxperm vold userdata_block_device:blk_file ioctl BLKSECDISCARD;
241
242# Access metadata block device used for encryption meta-data.
243allow vold metadata_block_device:blk_file rw_file_perms;
244allowxperm vold metadata_block_device:blk_file ioctl BLKSECDISCARD;
245
246# Allow vold to manipulate /data/unencrypted
247allow vold unencrypted_data_file:{ file } create_file_perms;
248allow vold unencrypted_data_file:dir create_dir_perms;
249
250# Write to /proc/sys/vm/drop_caches
251allow vold proc_drop_caches:file w_file_perms;
252
253# Give vold a place where only vold can store files; everyone else is off limits
254allow vold vold_data_file:dir create_dir_perms;
255allow vold vold_data_file:file create_file_perms;
256
257# And a similar place in the metadata partition
258allow vold vold_metadata_file:dir create_dir_perms;
259allow vold vold_metadata_file:file create_file_perms;
260
261# linux keyring configuration
262allow vold init:key { write search setattr };
263allow vold vold:key { write search setattr };
264
265# vold temporarily changes its priority when running benchmarks
266allow vold self:global_capability_class_set sys_nice;
267
268# vold needs to chroot into app namespaces to remount when runtime permissions change
269allow vold self:global_capability_class_set sys_chroot;
270allow vold storage_file:dir mounton;
271
272# For AppFuse.
273allow vold fuse_device:chr_file rw_file_perms;
274allow vold fuse:filesystem { relabelfrom };
275allow vold app_fusefs:filesystem { relabelfrom relabelto };
276allow vold app_fusefs:filesystem { mount unmount };
277allow vold app_fuse_file:dir rw_dir_perms;
278allow vold app_fuse_file:file { read write open getattr append };
279
280# MoveTask.cpp executes cp and rm
281allow vold toolbox_exec:file rx_file_perms;
282
283# Prepare profile dir for users.
284allow vold { user_profile_data_file user_profile_root_file }:dir create_dir_perms;
285
286# Raw writes to misc block device
287allow vold misc_block_device:blk_file w_file_perms;
288
289# vold might need to search or mount /mnt/vendor/*
290allow vold mnt_vendor_file:dir search;
291
292dontaudit vold self:global_capability_class_set sys_resource;
293
294# Allow ReadDefaultFstab().
295read_fstab(vold)
296
297# vold might need to search loopback apex files
298allow vold vendor_apex_file:file r_file_perms;
299
300neverallow {
301    domain
302    -vold
303    -vold_prepare_subdirs
304} vold_data_file:dir ~{ open create read getattr setattr search relabelfrom relabelto ioctl };
305
306neverallow {
307    domain
308    -init
309    -vold
310    -vold_prepare_subdirs
311} vold_data_file:dir *;
312
313neverallow {
314    domain
315    -init
316    -vold
317} vold_metadata_file:dir *;
318
319neverallow {
320    domain
321    -kernel
322    -vold
323    -vold_prepare_subdirs
324} vold_data_file:notdevfile_class_set ~{ relabelto getattr };
325
326neverallow {
327    domain
328    -init
329    -vold
330    -vold_prepare_subdirs
331} vold_metadata_file:notdevfile_class_set ~{ relabelto getattr };
332
333neverallow {
334    domain
335    -init
336    -kernel
337    -vold
338    -vold_prepare_subdirs
339} { vold_data_file vold_metadata_file }:notdevfile_class_set *;
340
341neverallow { domain -vold -init } restorecon_prop:property_service set;
342
343neverallow vold {
344  domain
345  -hal_health_storage_server
346  -hal_keymaster_server
347  -system_suspend_server
348  -hal_bootctl_server
349  -healthd
350  -hwservicemanager
351  -iorapd_service
352  -keystore
353  -servicemanager
354  -system_server
355  userdebug_or_eng(`-su')
356}:binder call;
357
358neverallow vold fsck_exec:file execute_no_trans;
359neverallow { domain -init } vold:process { transition dyntransition };
360neverallow vold *:process ptrace;
361neverallow vold *:rawip_socket *;
362