platform_system_sepolicy/vold.te

80 lines
2.5 KiB
Text
Raw Normal View History

2012-01-04 18:33:27 +01:00
# volume manager
type vold, domain;
type vold_exec, exec_type, file_type;
init_daemon_domain(vold)
typeattribute vold mlstrustedsubject;
allow vold system_file:file x_file_perms;
allow vold block_device:dir create_dir_perms;
allow vold block_device:blk_file create_file_perms;
allow vold device:dir write;
allow vold devpts:chr_file rw_file_perms;
allow vold rootfs:dir mounton;
allow vold sdcard_type:dir mounton;
allow vold sdcard_type:filesystem { mount remount unmount };
allow vold sdcard_type:dir create_dir_perms;
allow vold sdcard_type:file create_file_perms;
allow vold tmpfs:filesystem { mount unmount };
allow vold tmpfs:dir create_dir_perms;
allow vold tmpfs:dir mounton;
allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner fsetid };
allow vold self:netlink_kobject_uevent_socket *;
allow vold app_data_file:dir search;
allow vold app_data_file:file rw_file_perms;
allow vold loop_device:blk_file rw_file_perms;
allow vold dm_device:chr_file rw_file_perms;
# For vold Process::killProcessesWithOpenFiles function.
allow vold domain:dir r_dir_perms;
allow vold domain:{ file lnk_file } r_file_perms;
allow vold domain:process { signal sigkill };
allow vold self:capability { sys_ptrace kill };
# For blkid
allow vold shell_exec:file rx_file_perms;
# XXX Label sysfs files with a specific type?
allow vold sysfs:file rw_file_perms;
write_klog(vold)
vold: allow wakelocks, fsck logs When encrypting a device, vold tries to acquire a wake lock, to prevent the device from sleeping. Add an allow rule. After booting with a freshly encrypted device, fsck logs data to /dev/fscklogs/log . Add an allow rule. Addresses the following denials. wake lock: <5>[ 372.401015] type=1400 audit(1387488823.195:6): avc: denied { read write } for pid=143 comm="vold" name="wake_lock" dev="sysfs" ino=69 scontext=u:r:vold:s0 tcontext=u:object_r:sysfs_wake_lock:s0 tclass=file <5>[ 127.274556] type=1400 audit(1387494536.080:8): avc: denied { open } for pid=140 comm="vold" name="wake_lock" dev="sysfs" ino=69 scontext=u:r:vold:s0 tcontext=u:object_r:sysfs_wake_lock:s0 tclass=file fsck logging: <5>[ 44.759122] type=1400 audit(1387489522.460:6): avc: denied { search } for pid=132 comm="vold" name="fscklogs" dev="tmpfs" ino=3216 scontext=u:r:vold:s0 tcontext=u:object_r:fscklogs:s0 tclass=dir <5>[ 28.559964] type=1400 audit(1387495221.265:6): avc: denied { write } for pid=132 comm="vold" name="fscklogs" dev="tmpfs" ino=3216 scontext=u:r:vold:s0 tcontext=u:object_r:fscklogs:s0 tclass=dir <5>[ 28.560081] type=1400 audit(1387495221.265:7): avc: denied { add_name } for pid=132 comm="vold" name="log" scontext=u:r:vold:s0 tcontext=u:object_r:fscklogs:s0 tclass=dir <5>[ 28.560244] type=1400 audit(1387495221.265:8): avc: denied { create } for pid=132 comm="vold" name="log" scontext=u:r:vold:s0 tcontext=u:object_r:fscklogs:s0 tclass=file <5>[ 28.560383] type=1400 audit(1387495221.265:9): avc: denied { write open } for pid=132 comm="vold" name="log" dev="tmpfs" ino=5898 scontext=u:r:vold:s0 tcontext=u:object_r:fscklogs:s0 tclass=file <5>[ 28.582520] type=1400 audit(1387495221.285:10): avc: denied { getattr } for pid=132 comm="vold" path="/dev/fscklogs/log" dev="tmpfs" ino=5898 scontext=u:r:vold:s0 tcontext=u:object_r:fscklogs:s0 tclass=file Change-Id: I09fbe73c9d4955578c16fece4f3b84269eed78b5
2013-12-20 00:23:43 +01:00
# Log fsck results
allow vold fscklogs:dir rw_dir_perms;
allow vold fscklogs:file create_file_perms;
#
# Rules to support encrypted fs support.
#
# Set property.
unix_socket_connect(vold, property, init)
# Unmount and mount the fs.
allow vold labeledfs:filesystem { mount unmount remount };
# Access /efs/userdata_footer.
# XXX Split into a separate type?
allow vold efs_file:file rw_file_perms;
# Create and mount on /data/tmp_mnt.
allow vold system_data_file:dir { create rw_dir_perms mounton };
# Set scheduling policy of kernel processes
allow vold kernel:process setsched;
# Property Service
allow vold vold_prop:property_service set;
allow vold powerctl_prop:property_service set;
allow vold ctl_default_prop:property_service set;
# ASEC
allow vold asec_image_file:file create_file_perms;
allow vold asec_image_file:dir rw_dir_perms;
security_access_policy(vold)
allow vold asec_apk_file:dir { rw_dir_perms setattr };
allow vold asec_apk_file:file { r_file_perms setattr };
vold: allow wakelocks, fsck logs When encrypting a device, vold tries to acquire a wake lock, to prevent the device from sleeping. Add an allow rule. After booting with a freshly encrypted device, fsck logs data to /dev/fscklogs/log . Add an allow rule. Addresses the following denials. wake lock: <5>[ 372.401015] type=1400 audit(1387488823.195:6): avc: denied { read write } for pid=143 comm="vold" name="wake_lock" dev="sysfs" ino=69 scontext=u:r:vold:s0 tcontext=u:object_r:sysfs_wake_lock:s0 tclass=file <5>[ 127.274556] type=1400 audit(1387494536.080:8): avc: denied { open } for pid=140 comm="vold" name="wake_lock" dev="sysfs" ino=69 scontext=u:r:vold:s0 tcontext=u:object_r:sysfs_wake_lock:s0 tclass=file fsck logging: <5>[ 44.759122] type=1400 audit(1387489522.460:6): avc: denied { search } for pid=132 comm="vold" name="fscklogs" dev="tmpfs" ino=3216 scontext=u:r:vold:s0 tcontext=u:object_r:fscklogs:s0 tclass=dir <5>[ 28.559964] type=1400 audit(1387495221.265:6): avc: denied { write } for pid=132 comm="vold" name="fscklogs" dev="tmpfs" ino=3216 scontext=u:r:vold:s0 tcontext=u:object_r:fscklogs:s0 tclass=dir <5>[ 28.560081] type=1400 audit(1387495221.265:7): avc: denied { add_name } for pid=132 comm="vold" name="log" scontext=u:r:vold:s0 tcontext=u:object_r:fscklogs:s0 tclass=dir <5>[ 28.560244] type=1400 audit(1387495221.265:8): avc: denied { create } for pid=132 comm="vold" name="log" scontext=u:r:vold:s0 tcontext=u:object_r:fscklogs:s0 tclass=file <5>[ 28.560383] type=1400 audit(1387495221.265:9): avc: denied { write open } for pid=132 comm="vold" name="log" dev="tmpfs" ino=5898 scontext=u:r:vold:s0 tcontext=u:object_r:fscklogs:s0 tclass=file <5>[ 28.582520] type=1400 audit(1387495221.285:10): avc: denied { getattr } for pid=132 comm="vold" path="/dev/fscklogs/log" dev="tmpfs" ino=5898 scontext=u:r:vold:s0 tcontext=u:object_r:fscklogs:s0 tclass=file Change-Id: I09fbe73c9d4955578c16fece4f3b84269eed78b5
2013-12-20 00:23:43 +01:00
# Handle wake locks (used for device encryption)
allow vold sysfs_wake_lock:file rw_file_perms;
allow vold self:capability2 block_suspend;