# Volume manager (vold) domain.
# All rules here are additive allow rules for the vold domain; the macros and
# permission sets they use (init_daemon_domain, rw_file_perms, ...) are
# defined outside this file.
type vold, domain;
type vold_exec, exec_type, file_type;

init_daemon_domain(vold)

# NOTE(review): mlstrustedsubject is declared outside this file. In AOSP
# policy it marks subjects exempted from MLS constraints, which widens what
# the allow rules below can reach across levels. Confirm against the MLS
# constraints in this tree.
typeattribute vold mlstrustedsubject;

# Execute system binaries.
allow vold system_file:file x_file_perms;

# Create and manage block device nodes and their directories.
allow vold block_device:dir create_dir_perms;
allow vold block_device:blk_file create_file_perms;
allow vold device:dir write;
allow vold devpts:chr_file rw_file_perms;

# Mount points, plus mounting and populating sdcard and tmpfs filesystems.
allow vold rootfs:dir mounton;
allow vold sdcard_type:filesystem { mount remount unmount };
allow vold sdcard_type:dir { create_dir_perms mounton };
allow vold sdcard_type:file create_file_perms;
allow vold tmpfs:filesystem { mount unmount };
allow vold tmpfs:dir { create_dir_perms mounton };

# Capabilities held by the daemon itself. This set is broad: sys_admin and
# dac_override in particular bypass many other kernel permission checks, so
# each entry is worth re-justifying whenever this file is reviewed.
allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner fsetid };
allow vold self:netlink_kobject_uevent_socket create_socket_perms;

# Application data: directories are search-only, files are read/write.
allow vold app_data_file:dir search;
allow vold app_data_file:file rw_file_perms;

# Loop and device-mapper devices.
allow vold loop_device:blk_file rw_file_perms;
allow vold dm_device:chr_file rw_file_perms;

# For vold Process::killProcessesWithOpenFiles function.
# These rules target the `domain` attribute, so they cover every process
# domain on the device: vold may read their dir/file/lnk_file entries
# (presumably the per-process /proc entries; confirm) and send signal or
# sigkill to any of them.
allow vold domain:dir r_dir_perms;
allow vold domain:file r_file_perms;
allow vold domain:lnk_file r_file_perms;
allow vold domain:process { signal sigkill };
allow vold self:capability { sys_ptrace kill };

# For blkid
# NOTE(review): this grants read/execute on the shell binary and no domain
# transition is declared in this file, so whatever is run this way appears to
# stay in the vold domain with all of the permissions listed here. Confirm
# against the rx_file_perms definition.
allow vold shell_exec:file rx_file_perms;

# XXX Label sysfs files with a specific type?
# As written, read/write applies to every file carrying the generic sysfs
# label, not only the nodes vold needs.
allow vold sysfs:file rw_file_perms;

write_klog(vold)

# Log fsck results
allow vold fscklogs:dir rw_dir_perms;
allow vold fscklogs:file create_file_perms;

#
# Rules to support encrypted fs support.
#

# Set property.
unix_socket_connect(vold, property, init)

# Unmount and mount the fs.
allow vold labeledfs:filesystem { mount unmount remount };

# Access /efs/userdata_footer.
# XXX Split into a separate type?
# As written, read/write covers every file labeled efs_file, not only the
# footer.
allow vold efs_file:file rw_file_perms;

# Create and mount on /data/tmp_mnt.
# The rule is on system_data_file as a whole, so it is not limited to that
# one directory.
allow vold system_data_file:dir { create rw_dir_perms mounton };

# Set scheduling policy of kernel processes
allow vold kernel:process setsched;

# Property Service
allow vold { vold_prop powerctl_prop ctl_fuse_prop }:property_service set;

# ASEC
allow vold asec_image_file:file create_file_perms;
allow vold asec_image_file:dir rw_dir_perms;
security_access_policy(vold)
# Relabeling rights: vold may relabel asec_apk_file objects in both
# directions and relabel objects to asec_public_file.
allow vold asec_apk_file:dir { rw_dir_perms setattr relabelfrom relabelto };
allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto };
allow vold asec_public_file:{ dir file } { relabelto setattr };
# restorecon files in asec containers created on 4.2 or earlier.
allow vold unlabeled:dir { r_dir_perms setattr relabelfrom };
allow vold unlabeled:file { r_file_perms setattr relabelfrom };

# Handle wake locks (used for device encryption)
wakelock_use(vold)

# talk to batteryservice
binder_use(vold)
binder_call(vold, healthd)

# talk to keymaster
allow vold tee_device:chr_file rw_file_perms;