2012-01-04 18:33:27 +01:00
|
|
|
# volume manager
|
2017-05-15 22:19:03 +02:00
|
|
|
type vold, domain;
|
2012-01-04 18:33:27 +01:00
|
|
|
type vold_exec, exec_type, file_type;
|
|
|
|
|
2016-01-27 21:24:26 +01:00
|
|
|
# Read already opened /cache files.
|
|
|
|
allow vold cache_file:dir r_dir_perms;
|
|
|
|
allow vold cache_file:file { getattr read };
|
|
|
|
allow vold cache_file:lnk_file r_file_perms;
|
|
|
|
|
|
|
|
# Read access to pseudo filesystems.
|
Start the process of locking down proc/net
Files in /proc/net leak information. This change is the first step in
determining which files apps may use, whitelisting benign access, and
otherwise removing access while providing safe alternative APIs.
To that end, this change:
* Introduces the proc_net_type attribute which will assigned to any
new SELinux types in /proc/net to avoid removing access to privileged
processes. These processes may be evaluated later, but are lower
priority than apps.
* Labels /proc/net/{tcp,tcp6,udp,udp6} as proc_net_vpn due to existing
use by VPN apps. This may be replaced by an alternative API.
* Audits all other proc/net access for apps.
* Audits proc/net access for other processes which are currently
granted broad read access to /proc/net but should not be including
storaged, zygote, clatd, logd, preopt2cachename and vold.
Bug: 9496886
Bug: 68016944
Test: Boot Taimen-userdebug. On both wifi and cellular: stream youtube
navigate maps, send text message, make voice call, make video call.
Verify no avc "granted" messages in the logs.
Test: A few VPN apps including "VPN Monster", "Turbo VPN", and
"Freighter". Verify no logspam with the current setup.
Test: atest CtsNativeNetTestCases
Test: atest netd_integration_test
Test: atest QtaguidPermissionTest
Test: atest FileSystemPermissionTest
Change-Id: I7e49f796a25cf68bc698c6c9206e24af3ae11457
Merged-In: I7e49f796a25cf68bc698c6c9206e24af3ae11457
(cherry picked from commit 087318957f26e921d62f2e234fc14bff3c59030e)
2018-04-10 21:47:48 +02:00
|
|
|
r_dir_file(vold, proc_net_type)
|
|
|
|
userdebug_or_eng(`
|
|
|
|
auditallow vold proc_net_type:{ dir file lnk_file } { getattr open read };
|
|
|
|
')
|
|
|
|
|
2018-07-12 20:44:31 +02:00
|
|
|
r_dir_file(vold, { sysfs_type -sysfs_batteryinfo })
|
2016-09-10 01:27:17 +02:00
|
|
|
# XXX Label sysfs files with a specific type?
|
2018-01-23 20:37:14 +01:00
|
|
|
allow vold sysfs:file w_file_perms; # writing to /sys/*/uevent during coldboot.
|
2017-10-05 22:50:07 +02:00
|
|
|
allow vold sysfs_dm:file w_file_perms;
|
2016-09-10 01:27:17 +02:00
|
|
|
allow vold sysfs_usb:file w_file_perms;
|
|
|
|
allow vold sysfs_zram_uevent:file w_file_perms;
|
|
|
|
|
2016-01-27 21:24:26 +01:00
|
|
|
r_dir_file(vold, rootfs)
|
2018-04-20 20:14:49 +02:00
|
|
|
r_dir_file(vold, metadata_file)
|
2017-09-26 21:58:29 +02:00
|
|
|
allow vold {
|
2017-10-04 23:12:29 +02:00
|
|
|
proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
|
2017-09-26 21:58:29 +02:00
|
|
|
proc_cmdline
|
|
|
|
proc_drop_caches
|
|
|
|
proc_filesystems
|
|
|
|
proc_meminfo
|
|
|
|
proc_mounts
|
|
|
|
}:file r_file_perms;
|
2016-01-27 21:24:26 +01:00
|
|
|
|
2017-03-24 23:02:13 +01:00
|
|
|
#Get file contexts
|
|
|
|
allow vold file_contexts_file:file r_file_perms;
|
|
|
|
|
2015-04-01 19:15:51 +02:00
|
|
|
# Allow us to jump into execution domains of above tools
|
|
|
|
allow vold self:process setexec;
|
|
|
|
|
|
|
|
# For sgdisk launched through popen()
|
|
|
|
allow vold shell_exec:file rx_file_perms;
|
Updated policy for external storage.
An upcoming platform release is redesigning how external storage
works. At a high level, vold is taking on a more active role in
managing devices that dynamically appear.
This change also creates further restricted domains for tools doing
low-level access of external storage devices, including sgdisk
and blkid. It also extends sdcardd to be launchable by vold, since
launching by init will eventually go away.
For compatibility, rules required to keep AOSP builds working are
marked with "TODO" to eventually remove.
Slightly relax system_server external storage rules to allow calls
like statfs(). Still neverallow open file descriptors, since they
can cause kernel to kill us.
Here are the relevant violations that this CL is designed to allow:
avc: denied { search } for name="user" dev="tmpfs" ino=7441 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/mnt/user/0" dev="tmpfs" ino=6659 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { write } for name="user" dev="tmpfs" ino=6658 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { add_name } for name="10" scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { create } for name="10" scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { setattr } for name="10" dev="tmpfs" ino=11348 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { search } for name="/" dev="tmpfs" ino=3131 scontext=u:r:zygote:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self" dev="tmpfs" ino=6659 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self" dev="tmpfs" ino=11348 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { read } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { open } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { search } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { write } for name="data" dev="tmpfs" ino=11979 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { add_name } for name="com.google.android.music" scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { create } for name="com.google.android.music" scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { use } for path="socket:[8297]" dev="sockfs" ino=8297 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { read write } for path="socket:[8297]" dev="sockfs" ino=8297 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=netlink_kobject_uevent_socket
avc: denied { read } for path="pipe:[8298]" dev="pipefs" ino=8298 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { write } for path="pipe:[8298]" dev="pipefs" ino=8298 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { mounton } for path="/storage/emulated" dev="tmpfs" ino=8913 scontext=u:r:sdcardd:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=7444 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self/primary" dev="tmpfs" ino=7447 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file
avc: denied { read } for name="primary" dev="tmpfs" ino=7447 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file
avc: denied { getattr } for path="/mnt/user" dev="tmpfs" ino=7441 scontext=u:r:system_server:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { read } for name="disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { open } for path="/dev/block/vold/disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { getattr } for path="/dev/block/vold/disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { read } for name="/" dev="fuse" ino=0 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { open } for path="/storage/public:81F3-13EC" dev="fuse" ino=0 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { write } for name="data" dev="fuse" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { add_name } for name="com.google.android.googlequicksearchbox" scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { create } for name="com.google.android.googlequicksearchbox" scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { getattr } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { read } for name="public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { open } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { ioctl } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { use } for path="pipe:[3264]" dev="pipefs" ino=3264 scontext=u:r:sgdisk:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[3264]" dev="pipefs" ino=3264 scontext=u:r:sgdisk:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { search } for name="block" dev="tmpfs" ino=2494 scontext=u:r:sgdisk:s0 tcontext=u:object_r:block_device:s0 tclass=dir
avc: denied { use } for path="pipe:[4200]" dev="pipefs" ino=4200 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[4200]" dev="pipefs" ino=4200 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { search } for name="/" dev="tmpfs" ino=3131 scontext=u:r:sdcardd:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { search } for name="media_rw" dev="tmpfs" ino=3127 scontext=u:r:sdcardd:s0 tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir
avc: denied { getattr } for path="pipe:[3648]" dev="pipefs" ino=3648 scontext=u:r:blkid:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { use } for path="/dev/pts/12" dev="devpts" ino=15 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="/dev/pts/12" dev="devpts" ino=15 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[4182]" dev="pipefs" ino=4182 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
Change-Id: Idf3b8561baecf7faa603fac5ababdcc5708288e1
2015-03-27 19:25:39 +01:00
|
|
|
|
2017-09-26 21:58:29 +02:00
|
|
|
# For formatting adoptable storage devices
|
|
|
|
allow vold e2fs_exec:file rx_file_perms;
|
|
|
|
|
Enable SELinux on vold
This change enables SELinux security enforcement on vold.
For the vold.te file ONLY, this change is conceptually a revert of
77d4731e9d30c8971e076e2469d6957619019921 and
50e37b93ac97631dcac6961285b92af5026557af, with the following
additional changes:
1) Removal of "allow vold proc:file write;" and
"allow vold self:capability { sys_boot };". As of system/vold
change adfba3626e76c1931649634275d241b226cd1b9a, vold no longer
performs it's own reboots, so these capabilities are no longer
needed.
2) Addition of the powerctl property, which vold contacts to
tell init to reboot.
3) Removal of "allow vold kernel:system module_request;". As of
CTS commit f2cfdf5c057140d9442fcfeb4e4a648e8258b659, Android
devices no longer ship with loadable modules, hence we don't
require this rule.
4) Removal of "fsetid" from "self:capability". Any setuid / setgid
bits SHOULD be cleared if vold is able to change the permissions
of files. IMHO, it was a mistake to ever include this capability in
the first place.
Testing: As much as possible, I've tested filesystem related
functionality, including factory reset and device encryption.
I wasn't able to test fstrim functionality, which is a fairly
new feature. I didn't see any policy denials in dmesg. It's quite
possible I've missed something. If we experience problems, I
happy to roll back this change.
Bug: 9629920
Change-Id: I683afa0dffe9f28952287bfdb7ee4e0423c2e97a
2013-06-29 05:15:37 +02:00
|
|
|
typeattribute vold mlstrustedsubject;
|
2014-09-30 17:37:51 +02:00
|
|
|
allow vold self:process setfscreate;
|
Enable SELinux on vold
This change enables SELinux security enforcement on vold.
For the vold.te file ONLY, this change is conceptually a revert of
77d4731e9d30c8971e076e2469d6957619019921 and
50e37b93ac97631dcac6961285b92af5026557af, with the following
additional changes:
1) Removal of "allow vold proc:file write;" and
"allow vold self:capability { sys_boot };". As of system/vold
change adfba3626e76c1931649634275d241b226cd1b9a, vold no longer
performs it's own reboots, so these capabilities are no longer
needed.
2) Addition of the powerctl property, which vold contacts to
tell init to reboot.
3) Removal of "allow vold kernel:system module_request;". As of
CTS commit f2cfdf5c057140d9442fcfeb4e4a648e8258b659, Android
devices no longer ship with loadable modules, hence we don't
require this rule.
4) Removal of "fsetid" from "self:capability". Any setuid / setgid
bits SHOULD be cleared if vold is able to change the permissions
of files. IMHO, it was a mistake to ever include this capability in
the first place.
Testing: As much as possible, I've tested filesystem related
functionality, including factory reset and device encryption.
I wasn't able to test fstrim functionality, which is a fairly
new feature. I didn't see any policy denials in dmesg. It's quite
possible I've missed something. If we experience problems, I
happy to roll back this change.
Bug: 9629920
Change-Id: I683afa0dffe9f28952287bfdb7ee4e0423c2e97a
2013-06-29 05:15:37 +02:00
|
|
|
allow vold system_file:file x_file_perms;
|
2017-04-14 06:58:12 +02:00
|
|
|
not_full_treble(`allow vold vendor_file:file x_file_perms;')
|
Enable SELinux on vold
This change enables SELinux security enforcement on vold.
For the vold.te file ONLY, this change is conceptually a revert of
77d4731e9d30c8971e076e2469d6957619019921 and
50e37b93ac97631dcac6961285b92af5026557af, with the following
additional changes:
1) Removal of "allow vold proc:file write;" and
"allow vold self:capability { sys_boot };". As of system/vold
change adfba3626e76c1931649634275d241b226cd1b9a, vold no longer
performs it's own reboots, so these capabilities are no longer
needed.
2) Addition of the powerctl property, which vold contacts to
tell init to reboot.
3) Removal of "allow vold kernel:system module_request;". As of
CTS commit f2cfdf5c057140d9442fcfeb4e4a648e8258b659, Android
devices no longer ship with loadable modules, hence we don't
require this rule.
4) Removal of "fsetid" from "self:capability". Any setuid / setgid
bits SHOULD be cleared if vold is able to change the permissions
of files. IMHO, it was a mistake to ever include this capability in
the first place.
Testing: As much as possible, I've tested filesystem related
functionality, including factory reset and device encryption.
I wasn't able to test fstrim functionality, which is a fairly
new feature. I didn't see any policy denials in dmesg. It's quite
possible I've missed something. If we experience problems, I
happy to roll back this change.
Bug: 9629920
Change-Id: I683afa0dffe9f28952287bfdb7ee4e0423c2e97a
2013-06-29 05:15:37 +02:00
|
|
|
allow vold block_device:dir create_dir_perms;
|
|
|
|
allow vold device:dir write;
|
|
|
|
allow vold devpts:chr_file rw_file_perms;
|
|
|
|
allow vold rootfs:dir mounton;
|
Updated policy for external storage.
An upcoming platform release is redesigning how external storage
works. At a high level, vold is taking on a more active role in
managing devices that dynamically appear.
This change also creates further restricted domains for tools doing
low-level access of external storage devices, including sgdisk
and blkid. It also extends sdcardd to be launchable by vold, since
launching by init will eventually go away.
For compatibility, rules required to keep AOSP builds working are
marked with "TODO" to eventually remove.
Slightly relax system_server external storage rules to allow calls
like statfs(). Still neverallow open file descriptors, since they
can cause kernel to kill us.
Here are the relevant violations that this CL is designed to allow:
avc: denied { search } for name="user" dev="tmpfs" ino=7441 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/mnt/user/0" dev="tmpfs" ino=6659 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { write } for name="user" dev="tmpfs" ino=6658 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { add_name } for name="10" scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { create } for name="10" scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { setattr } for name="10" dev="tmpfs" ino=11348 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { search } for name="/" dev="tmpfs" ino=3131 scontext=u:r:zygote:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self" dev="tmpfs" ino=6659 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self" dev="tmpfs" ino=11348 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { read } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { open } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { search } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { write } for name="data" dev="tmpfs" ino=11979 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { add_name } for name="com.google.android.music" scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { create } for name="com.google.android.music" scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { use } for path="socket:[8297]" dev="sockfs" ino=8297 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { read write } for path="socket:[8297]" dev="sockfs" ino=8297 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=netlink_kobject_uevent_socket
avc: denied { read } for path="pipe:[8298]" dev="pipefs" ino=8298 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { write } for path="pipe:[8298]" dev="pipefs" ino=8298 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { mounton } for path="/storage/emulated" dev="tmpfs" ino=8913 scontext=u:r:sdcardd:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=7444 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self/primary" dev="tmpfs" ino=7447 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file
avc: denied { read } for name="primary" dev="tmpfs" ino=7447 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file
avc: denied { getattr } for path="/mnt/user" dev="tmpfs" ino=7441 scontext=u:r:system_server:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { read } for name="disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { open } for path="/dev/block/vold/disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { getattr } for path="/dev/block/vold/disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { read } for name="/" dev="fuse" ino=0 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { open } for path="/storage/public:81F3-13EC" dev="fuse" ino=0 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { write } for name="data" dev="fuse" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { add_name } for name="com.google.android.googlequicksearchbox" scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { create } for name="com.google.android.googlequicksearchbox" scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { getattr } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { read } for name="public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { open } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { ioctl } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { use } for path="pipe:[3264]" dev="pipefs" ino=3264 scontext=u:r:sgdisk:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[3264]" dev="pipefs" ino=3264 scontext=u:r:sgdisk:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { search } for name="block" dev="tmpfs" ino=2494 scontext=u:r:sgdisk:s0 tcontext=u:object_r:block_device:s0 tclass=dir
avc: denied { use } for path="pipe:[4200]" dev="pipefs" ino=4200 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[4200]" dev="pipefs" ino=4200 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { search } for name="/" dev="tmpfs" ino=3131 scontext=u:r:sdcardd:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { search } for name="media_rw" dev="tmpfs" ino=3127 scontext=u:r:sdcardd:s0 tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir
avc: denied { getattr } for path="pipe:[3648]" dev="pipefs" ino=3648 scontext=u:r:blkid:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { use } for path="/dev/pts/12" dev="devpts" ino=15 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="/dev/pts/12" dev="devpts" ino=15 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[4182]" dev="pipefs" ino=4182 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
Change-Id: Idf3b8561baecf7faa603fac5ababdcc5708288e1
2015-03-27 19:25:39 +01:00
|
|
|
allow vold sdcard_type:dir mounton; # TODO: deprecated in M
|
|
|
|
allow vold sdcard_type:filesystem { mount remount unmount }; # TODO: deprecated in M
|
|
|
|
allow vold sdcard_type:dir create_dir_perms; # TODO: deprecated in M
|
|
|
|
allow vold sdcard_type:file create_file_perms; # TODO: deprecated in M
|
|
|
|
|
|
|
|
# Manage locations where storage is mounted
|
|
|
|
allow vold { mnt_media_rw_file storage_file sdcard_type }:dir create_dir_perms;
|
|
|
|
allow vold { mnt_media_rw_file storage_file sdcard_type }:file create_file_perms;
|
|
|
|
|
2015-04-25 00:19:22 +02:00
|
|
|
# Access to storage that backs emulated FUSE daemons for migration optimization
|
|
|
|
allow vold media_rw_data_file:dir create_dir_perms;
|
|
|
|
allow vold media_rw_data_file:file create_file_perms;
|
|
|
|
|
Updated policy for external storage.
An upcoming platform release is redesigning how external storage
works. At a high level, vold is taking on a more active role in
managing devices that dynamically appear.
This change also creates further restricted domains for tools doing
low-level access of external storage devices, including sgdisk
and blkid. It also extends sdcardd to be launchable by vold, since
launching by init will eventually go away.
For compatibility, rules required to keep AOSP builds working are
marked with "TODO" to eventually remove.
Slightly relax system_server external storage rules to allow calls
like statfs(). Still neverallow open file descriptors, since they
can cause kernel to kill us.
Here are the relevant violations that this CL is designed to allow:
avc: denied { search } for name="user" dev="tmpfs" ino=7441 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/mnt/user/0" dev="tmpfs" ino=6659 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { write } for name="user" dev="tmpfs" ino=6658 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { add_name } for name="10" scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { create } for name="10" scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { setattr } for name="10" dev="tmpfs" ino=11348 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { search } for name="/" dev="tmpfs" ino=3131 scontext=u:r:zygote:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self" dev="tmpfs" ino=6659 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self" dev="tmpfs" ino=11348 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { read } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { open } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { search } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { write } for name="data" dev="tmpfs" ino=11979 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { add_name } for name="com.google.android.music" scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { create } for name="com.google.android.music" scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { use } for path="socket:[8297]" dev="sockfs" ino=8297 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { read write } for path="socket:[8297]" dev="sockfs" ino=8297 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=netlink_kobject_uevent_socket
avc: denied { read } for path="pipe:[8298]" dev="pipefs" ino=8298 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { write } for path="pipe:[8298]" dev="pipefs" ino=8298 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { mounton } for path="/storage/emulated" dev="tmpfs" ino=8913 scontext=u:r:sdcardd:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=7444 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self/primary" dev="tmpfs" ino=7447 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file
avc: denied { read } for name="primary" dev="tmpfs" ino=7447 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file
avc: denied { getattr } for path="/mnt/user" dev="tmpfs" ino=7441 scontext=u:r:system_server:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { read } for name="disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { open } for path="/dev/block/vold/disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { getattr } for path="/dev/block/vold/disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { read } for name="/" dev="fuse" ino=0 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { open } for path="/storage/public:81F3-13EC" dev="fuse" ino=0 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { write } for name="data" dev="fuse" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { add_name } for name="com.google.android.googlequicksearchbox" scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { create } for name="com.google.android.googlequicksearchbox" scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { getattr } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { read } for name="public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { open } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { ioctl } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { use } for path="pipe:[3264]" dev="pipefs" ino=3264 scontext=u:r:sgdisk:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[3264]" dev="pipefs" ino=3264 scontext=u:r:sgdisk:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { search } for name="block" dev="tmpfs" ino=2494 scontext=u:r:sgdisk:s0 tcontext=u:object_r:block_device:s0 tclass=dir
avc: denied { use } for path="pipe:[4200]" dev="pipefs" ino=4200 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[4200]" dev="pipefs" ino=4200 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { search } for name="/" dev="tmpfs" ino=3131 scontext=u:r:sdcardd:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { search } for name="media_rw" dev="tmpfs" ino=3127 scontext=u:r:sdcardd:s0 tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir
avc: denied { getattr } for path="pipe:[3648]" dev="pipefs" ino=3648 scontext=u:r:blkid:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { use } for path="/dev/pts/12" dev="devpts" ino=15 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="/dev/pts/12" dev="devpts" ino=15 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[4182]" dev="pipefs" ino=4182 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
Change-Id: Idf3b8561baecf7faa603fac5ababdcc5708288e1
2015-03-27 19:25:39 +01:00
|
|
|
# Allow mounting of storage devices
|
|
|
|
allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr };
|
|
|
|
|
|
|
|
# Manage per-user primary symlinks
|
2018-08-02 21:35:51 +02:00
|
|
|
allow vold mnt_user_file:dir { create_dir_perms mounton };
|
Updated policy for external storage.
An upcoming platform release is redesigning how external storage
works. At a high level, vold is taking on a more active role in
managing devices that dynamically appear.
This change also creates further restricted domains for tools doing
low-level access of external storage devices, including sgdisk
and blkid. It also extends sdcardd to be launchable by vold, since
launching by init will eventually go away.
For compatibility, rules required to keep AOSP builds working are
marked with "TODO" to eventually remove.
Slightly relax system_server external storage rules to allow calls
like statfs(). Still neverallow open file descriptors, since they
can cause kernel to kill us.
Here are the relevant violations that this CL is designed to allow:
avc: denied { search } for name="user" dev="tmpfs" ino=7441 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/mnt/user/0" dev="tmpfs" ino=6659 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { write } for name="user" dev="tmpfs" ino=6658 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { add_name } for name="10" scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { create } for name="10" scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { setattr } for name="10" dev="tmpfs" ino=11348 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { search } for name="/" dev="tmpfs" ino=3131 scontext=u:r:zygote:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self" dev="tmpfs" ino=6659 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self" dev="tmpfs" ino=11348 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { read } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { open } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { search } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { write } for name="data" dev="tmpfs" ino=11979 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { add_name } for name="com.google.android.music" scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { create } for name="com.google.android.music" scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { use } for path="socket:[8297]" dev="sockfs" ino=8297 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { read write } for path="socket:[8297]" dev="sockfs" ino=8297 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=netlink_kobject_uevent_socket
avc: denied { read } for path="pipe:[8298]" dev="pipefs" ino=8298 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { write } for path="pipe:[8298]" dev="pipefs" ino=8298 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { mounton } for path="/storage/emulated" dev="tmpfs" ino=8913 scontext=u:r:sdcardd:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=7444 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self/primary" dev="tmpfs" ino=7447 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file
avc: denied { read } for name="primary" dev="tmpfs" ino=7447 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file
avc: denied { getattr } for path="/mnt/user" dev="tmpfs" ino=7441 scontext=u:r:system_server:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { read } for name="disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { open } for path="/dev/block/vold/disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { getattr } for path="/dev/block/vold/disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { read } for name="/" dev="fuse" ino=0 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { open } for path="/storage/public:81F3-13EC" dev="fuse" ino=0 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { write } for name="data" dev="fuse" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { add_name } for name="com.google.android.googlequicksearchbox" scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { create } for name="com.google.android.googlequicksearchbox" scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { getattr } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { read } for name="public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { open } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { ioctl } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { use } for path="pipe:[3264]" dev="pipefs" ino=3264 scontext=u:r:sgdisk:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[3264]" dev="pipefs" ino=3264 scontext=u:r:sgdisk:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { search } for name="block" dev="tmpfs" ino=2494 scontext=u:r:sgdisk:s0 tcontext=u:object_r:block_device:s0 tclass=dir
avc: denied { use } for path="pipe:[4200]" dev="pipefs" ino=4200 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[4200]" dev="pipefs" ino=4200 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { search } for name="/" dev="tmpfs" ino=3131 scontext=u:r:sdcardd:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { search } for name="media_rw" dev="tmpfs" ino=3127 scontext=u:r:sdcardd:s0 tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir
avc: denied { getattr } for path="pipe:[3648]" dev="pipefs" ino=3648 scontext=u:r:blkid:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { use } for path="/dev/pts/12" dev="devpts" ino=15 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="/dev/pts/12" dev="devpts" ino=15 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[4182]" dev="pipefs" ino=4182 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
Change-Id: Idf3b8561baecf7faa603fac5ababdcc5708288e1
2015-03-27 19:25:39 +01:00
|
|
|
allow vold mnt_user_file:lnk_file create_file_perms;
|
|
|
|
|
2015-04-07 01:21:54 +02:00
|
|
|
# Allow to create and mount expanded storage
|
|
|
|
allow vold mnt_expand_file:dir { create_dir_perms mounton };
|
|
|
|
allow vold apk_data_file:dir { create getattr setattr };
|
|
|
|
allow vold shell_data_file:dir { create getattr setattr };
|
|
|
|
|
Enable SELinux on vold
This change enables SELinux security enforcement on vold.
For the vold.te file ONLY, this change is conceptually a revert of
77d4731e9d30c8971e076e2469d6957619019921 and
50e37b93ac97631dcac6961285b92af5026557af, with the following
additional changes:
1) Removal of "allow vold proc:file write;" and
"allow vold self:capability { sys_boot };". As of system/vold
change adfba3626e76c1931649634275d241b226cd1b9a, vold no longer
performs it's own reboots, so these capabilities are no longer
needed.
2) Addition of the powerctl property, which vold contacts to
tell init to reboot.
3) Removal of "allow vold kernel:system module_request;". As of
CTS commit f2cfdf5c057140d9442fcfeb4e4a648e8258b659, Android
devices no longer ship with loadable modules, hence we don't
require this rule.
4) Removal of "fsetid" from "self:capability". Any setuid / setgid
bits SHOULD be cleared if vold is able to change the permissions
of files. IMHO, it was a mistake to ever include this capability in
the first place.
Testing: As much as possible, I've tested filesystem related
functionality, including factory reset and device encryption.
I wasn't able to test fstrim functionality, which is a fairly
new feature. I didn't see any policy denials in dmesg. It's quite
possible I've missed something. If we experience problems, I
happy to roll back this change.
Bug: 9629920
Change-Id: I683afa0dffe9f28952287bfdb7ee4e0423c2e97a
2013-06-29 05:15:37 +02:00
|
|
|
allow vold tmpfs:filesystem { mount unmount };
|
|
|
|
allow vold tmpfs:dir create_dir_perms;
|
|
|
|
allow vold tmpfs:dir mounton;
|
2017-11-09 23:51:26 +01:00
|
|
|
allow vold self:global_capability_class_set { net_admin dac_override mknod sys_admin chown fowner fsetid };
|
2016-05-17 06:12:17 +02:00
|
|
|
allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
|
2018-05-29 19:41:36 +02:00
|
|
|
# TODO(b/80418809): remove direct access to private app data
|
2018-08-03 00:54:23 +02:00
|
|
|
userdebug_or_eng(`auditallow vold { app_data_file privapp_data_file }:dir search;')
|
|
|
|
allow vold { app_data_file privapp_data_file }:dir search;
|
|
|
|
userdebug_or_eng(`auditallow vold { app_data_file privapp_data_file }:file rw_file_perms;')
|
|
|
|
allow vold { app_data_file privapp_data_file }:file rw_file_perms;
|
2017-03-26 05:38:17 +02:00
|
|
|
allow vold loop_control_device:chr_file rw_file_perms;
|
2017-01-20 23:26:05 +01:00
|
|
|
allow vold loop_device:blk_file { create setattr unlink rw_file_perms };
|
|
|
|
allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
|
Enable SELinux on vold
This change enables SELinux security enforcement on vold.
For the vold.te file ONLY, this change is conceptually a revert of
77d4731e9d30c8971e076e2469d6957619019921 and
50e37b93ac97631dcac6961285b92af5026557af, with the following
additional changes:
1) Removal of "allow vold proc:file write;" and
"allow vold self:capability { sys_boot };". As of system/vold
change adfba3626e76c1931649634275d241b226cd1b9a, vold no longer
performs it's own reboots, so these capabilities are no longer
needed.
2) Addition of the powerctl property, which vold contacts to
tell init to reboot.
3) Removal of "allow vold kernel:system module_request;". As of
CTS commit f2cfdf5c057140d9442fcfeb4e4a648e8258b659, Android
devices no longer ship with loadable modules, hence we don't
require this rule.
4) Removal of "fsetid" from "self:capability". Any setuid / setgid
bits SHOULD be cleared if vold is able to change the permissions
of files. IMHO, it was a mistake to ever include this capability in
the first place.
Testing: As much as possible, I've tested filesystem related
functionality, including factory reset and device encryption.
I wasn't able to test fstrim functionality, which is a fairly
new feature. I didn't see any policy denials in dmesg. It's quite
possible I've missed something. If we experience problems, I
happy to roll back this change.
Bug: 9629920
Change-Id: I683afa0dffe9f28952287bfdb7ee4e0423c2e97a
2013-06-29 05:15:37 +02:00
|
|
|
allow vold dm_device:chr_file rw_file_perms;
|
2014-09-30 17:37:51 +02:00
|
|
|
allow vold dm_device:blk_file rw_file_perms;
|
Enable SELinux on vold
This change enables SELinux security enforcement on vold.
For the vold.te file ONLY, this change is conceptually a revert of
77d4731e9d30c8971e076e2469d6957619019921 and
50e37b93ac97631dcac6961285b92af5026557af, with the following
additional changes:
1) Removal of "allow vold proc:file write;" and
"allow vold self:capability { sys_boot };". As of system/vold
change adfba3626e76c1931649634275d241b226cd1b9a, vold no longer
performs it's own reboots, so these capabilities are no longer
needed.
2) Addition of the powerctl property, which vold contacts to
tell init to reboot.
3) Removal of "allow vold kernel:system module_request;". As of
CTS commit f2cfdf5c057140d9442fcfeb4e4a648e8258b659, Android
devices no longer ship with loadable modules, hence we don't
require this rule.
4) Removal of "fsetid" from "self:capability". Any setuid / setgid
bits SHOULD be cleared if vold is able to change the permissions
of files. IMHO, it was a mistake to ever include this capability in
the first place.
Testing: As much as possible, I've tested filesystem related
functionality, including factory reset and device encryption.
I wasn't able to test fstrim functionality, which is a fairly
new feature. I didn't see any policy denials in dmesg. It's quite
possible I've missed something. If we experience problems, I
happy to roll back this change.
Bug: 9629920
Change-Id: I683afa0dffe9f28952287bfdb7ee4e0423c2e97a
2013-06-29 05:15:37 +02:00
|
|
|
# For vold Process::killProcessesWithOpenFiles function.
|
|
|
|
allow vold domain:dir r_dir_perms;
|
|
|
|
allow vold domain:{ file lnk_file } r_file_perms;
|
|
|
|
allow vold domain:process { signal sigkill };
|
2017-11-09 23:51:26 +01:00
|
|
|
allow vold self:global_capability_class_set { sys_ptrace kill };
|
Enable SELinux on vold
This change enables SELinux security enforcement on vold.
For the vold.te file ONLY, this change is conceptually a revert of
77d4731e9d30c8971e076e2469d6957619019921 and
50e37b93ac97631dcac6961285b92af5026557af, with the following
additional changes:
1) Removal of "allow vold proc:file write;" and
"allow vold self:capability { sys_boot };". As of system/vold
change adfba3626e76c1931649634275d241b226cd1b9a, vold no longer
performs it's own reboots, so these capabilities are no longer
needed.
2) Addition of the powerctl property, which vold contacts to
tell init to reboot.
3) Removal of "allow vold kernel:system module_request;". As of
CTS commit f2cfdf5c057140d9442fcfeb4e4a648e8258b659, Android
devices no longer ship with loadable modules, hence we don't
require this rule.
4) Removal of "fsetid" from "self:capability". Any setuid / setgid
bits SHOULD be cleared if vold is able to change the permissions
of files. IMHO, it was a mistake to ever include this capability in
the first place.
Testing: As much as possible, I've tested filesystem related
functionality, including factory reset and device encryption.
I wasn't able to test fstrim functionality, which is a fairly
new feature. I didn't see any policy denials in dmesg. It's quite
possible I've missed something. If we experience problems, I
happy to roll back this change.
Bug: 9629920
Change-Id: I683afa0dffe9f28952287bfdb7ee4e0423c2e97a
2013-06-29 05:15:37 +02:00
|
|
|
|
Allow /dev/klog access, drop mknod and __null__ access
Allow vold, healthd, slideshow, and watchdogd access to /dev/kmsg.
These processes log to the kernel dmesg ring buffer, so they need
write access to that file.
Addresses the following denials:
avc: denied { write } for pid=134 comm="watchdogd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:watchdogd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
avc: denied { write } for pid=166 comm="healthd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:healthd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
avc: denied { write } for pid=180 comm="vold" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:vold:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
These denials were triggered by the change in
https://android-review.googlesource.com/151209 . Prior to that change,
any code which called klog_init would (unnecessarily) create the
device node themselves, rather than using the already existing device
node.
Drop special /dev/__null__ handling from watchdogd. As of
https://android-review.googlesource.com/148288 , watchdogd no longer
creates it's own /dev/null device, so it's unnecessary for us
to allow for it.
Drop mknod from healthd, slideshow, and watchdogd. healthd and slideshow
only needed mknod to create /dev/__kmsg__, which is now obsolete.
watchdogd only needed mknod to create /dev/__kmsg__ and /dev/__null__,
which again is now obsolete.
Bug: 21242418
Change-Id: If01c8001084575e7441253f0fa8b4179ae33f534
2015-06-06 16:42:37 +02:00
|
|
|
allow vold kmsg_device:chr_file rw_file_perms;
|
Enable SELinux on vold
This change enables SELinux security enforcement on vold.
For the vold.te file ONLY, this change is conceptually a revert of
77d4731e9d30c8971e076e2469d6957619019921 and
50e37b93ac97631dcac6961285b92af5026557af, with the following
additional changes:
1) Removal of "allow vold proc:file write;" and
"allow vold self:capability { sys_boot };". As of system/vold
change adfba3626e76c1931649634275d241b226cd1b9a, vold no longer
performs it's own reboots, so these capabilities are no longer
needed.
2) Addition of the powerctl property, which vold contacts to
tell init to reboot.
3) Removal of "allow vold kernel:system module_request;". As of
CTS commit f2cfdf5c057140d9442fcfeb4e4a648e8258b659, Android
devices no longer ship with loadable modules, hence we don't
require this rule.
4) Removal of "fsetid" from "self:capability". Any setuid / setgid
bits SHOULD be cleared if vold is able to change the permissions
of files. IMHO, it was a mistake to ever include this capability in
the first place.
Testing: As much as possible, I've tested filesystem related
functionality, including factory reset and device encryption.
I wasn't able to test fstrim functionality, which is a fairly
new feature. I didn't see any policy denials in dmesg. It's quite
possible I've missed something. If we experience problems, I
happy to roll back this change.
Bug: 9629920
Change-Id: I683afa0dffe9f28952287bfdb7ee4e0423c2e97a
2013-06-29 05:15:37 +02:00
|
|
|
|
2016-01-22 00:32:08 +01:00
|
|
|
# Run fsck in the fsck domain.
|
|
|
|
allow vold fsck_exec:file { r_file_perms execute };
|
2014-09-30 19:09:55 +02:00
|
|
|
|
2013-12-20 00:23:43 +01:00
|
|
|
# Log fsck results
|
|
|
|
allow vold fscklogs:dir rw_dir_perms;
|
|
|
|
allow vold fscklogs:file create_file_perms;
|
|
|
|
|
Enable SELinux on vold
This change enables SELinux security enforcement on vold.
For the vold.te file ONLY, this change is conceptually a revert of
77d4731e9d30c8971e076e2469d6957619019921 and
50e37b93ac97631dcac6961285b92af5026557af, with the following
additional changes:
1) Removal of "allow vold proc:file write;" and
"allow vold self:capability { sys_boot };". As of system/vold
change adfba3626e76c1931649634275d241b226cd1b9a, vold no longer
performs it's own reboots, so these capabilities are no longer
needed.
2) Addition of the powerctl property, which vold contacts to
tell init to reboot.
3) Removal of "allow vold kernel:system module_request;". As of
CTS commit f2cfdf5c057140d9442fcfeb4e4a648e8258b659, Android
devices no longer ship with loadable modules, hence we don't
require this rule.
4) Removal of "fsetid" from "self:capability". Any setuid / setgid
bits SHOULD be cleared if vold is able to change the permissions
of files. IMHO, it was a mistake to ever include this capability in
the first place.
Testing: As much as possible, I've tested filesystem related
functionality, including factory reset and device encryption.
I wasn't able to test fstrim functionality, which is a fairly
new feature. I didn't see any policy denials in dmesg. It's quite
possible I've missed something. If we experience problems, I
happy to roll back this change.
Bug: 9629920
Change-Id: I683afa0dffe9f28952287bfdb7ee4e0423c2e97a
2013-06-29 05:15:37 +02:00
|
|
|
#
|
|
|
|
# Rules to support encrypted fs support.
|
|
|
|
#
|
|
|
|
|
|
|
|
# Unmount and mount the fs.
|
2016-12-14 00:37:33 +01:00
|
|
|
allow vold labeledfs:filesystem { mount unmount };
|
Enable SELinux on vold
This change enables SELinux security enforcement on vold.
For the vold.te file ONLY, this change is conceptually a revert of
77d4731e9d30c8971e076e2469d6957619019921 and
50e37b93ac97631dcac6961285b92af5026557af, with the following
additional changes:
1) Removal of "allow vold proc:file write;" and
"allow vold self:capability { sys_boot };". As of system/vold
change adfba3626e76c1931649634275d241b226cd1b9a, vold no longer
performs it's own reboots, so these capabilities are no longer
needed.
2) Addition of the powerctl property, which vold contacts to
tell init to reboot.
3) Removal of "allow vold kernel:system module_request;". As of
CTS commit f2cfdf5c057140d9442fcfeb4e4a648e8258b659, Android
devices no longer ship with loadable modules, hence we don't
require this rule.
4) Removal of "fsetid" from "self:capability". Any setuid / setgid
bits SHOULD be cleared if vold is able to change the permissions
of files. IMHO, it was a mistake to ever include this capability in
the first place.
Testing: As much as possible, I've tested filesystem related
functionality, including factory reset and device encryption.
I wasn't able to test fstrim functionality, which is a fairly
new feature. I didn't see any policy denials in dmesg. It's quite
possible I've missed something. If we experience problems, I
happy to roll back this change.
Bug: 9629920
Change-Id: I683afa0dffe9f28952287bfdb7ee4e0423c2e97a
2013-06-29 05:15:37 +02:00
|
|
|
|
|
|
|
# Access /efs/userdata_footer.
|
|
|
|
# XXX Split into a separate type?
|
|
|
|
allow vold efs_file:file rw_file_perms;
|
|
|
|
|
2015-04-07 01:21:54 +02:00
|
|
|
# Create and mount on /data/tmp_mnt and management of expansion mounts
|
|
|
|
allow vold system_data_file:dir { create rw_dir_perms mounton setattr rmdir };
|
2017-07-12 07:00:08 +02:00
|
|
|
allow vold system_data_file:lnk_file getattr;
|
|
|
|
|
2018-02-08 01:29:06 +01:00
|
|
|
# Vold create users in /data/vendor_{ce,de}/[0-9]+
|
|
|
|
allow vold vendor_data_file:dir create_dir_perms;
|
|
|
|
|
2017-07-12 07:00:08 +02:00
|
|
|
# for secdiscard
|
|
|
|
allow vold system_data_file:file read;
|
Enable SELinux on vold
This change enables SELinux security enforcement on vold.
For the vold.te file ONLY, this change is conceptually a revert of
77d4731e9d30c8971e076e2469d6957619019921 and
50e37b93ac97631dcac6961285b92af5026557af, with the following
additional changes:
1) Removal of "allow vold proc:file write;" and
"allow vold self:capability { sys_boot };". As of system/vold
change adfba3626e76c1931649634275d241b226cd1b9a, vold no longer
performs it's own reboots, so these capabilities are no longer
needed.
2) Addition of the powerctl property, which vold contacts to
tell init to reboot.
3) Removal of "allow vold kernel:system module_request;". As of
CTS commit f2cfdf5c057140d9442fcfeb4e4a648e8258b659, Android
devices no longer ship with loadable modules, hence we don't
require this rule.
4) Removal of "fsetid" from "self:capability". Any setuid / setgid
bits SHOULD be cleared if vold is able to change the permissions
of files. IMHO, it was a mistake to ever include this capability in
the first place.
Testing: As much as possible, I've tested filesystem related
functionality, including factory reset and device encryption.
I wasn't able to test fstrim functionality, which is a fairly
new feature. I didn't see any policy denials in dmesg. It's quite
possible I've missed something. If we experience problems, I
happy to roll back this change.
Bug: 9629920
Change-Id: I683afa0dffe9f28952287bfdb7ee4e0423c2e97a
2013-06-29 05:15:37 +02:00
|
|
|
|
|
|
|
# Set scheduling policy of kernel processes
|
|
|
|
allow vold kernel:process setsched;
|
|
|
|
|
|
|
|
# Property Service
|
2015-05-05 03:22:45 +02:00
|
|
|
set_prop(vold, vold_prop)
|
2017-10-19 09:54:49 +02:00
|
|
|
set_prop(vold, exported_vold_prop)
|
|
|
|
set_prop(vold, exported2_vold_prop)
|
2015-05-05 03:22:45 +02:00
|
|
|
set_prop(vold, powerctl_prop)
|
|
|
|
set_prop(vold, ctl_fuse_prop)
|
2015-06-09 20:01:04 +02:00
|
|
|
set_prop(vold, restorecon_prop)
|
Enable SELinux on vold
This change enables SELinux security enforcement on vold.
For the vold.te file ONLY, this change is conceptually a revert of
77d4731e9d30c8971e076e2469d6957619019921 and
50e37b93ac97631dcac6961285b92af5026557af, with the following
additional changes:
1) Removal of "allow vold proc:file write;" and
"allow vold self:capability { sys_boot };". As of system/vold
change adfba3626e76c1931649634275d241b226cd1b9a, vold no longer
performs it's own reboots, so these capabilities are no longer
needed.
2) Addition of the powerctl property, which vold contacts to
tell init to reboot.
3) Removal of "allow vold kernel:system module_request;". As of
CTS commit f2cfdf5c057140d9442fcfeb4e4a648e8258b659, Android
devices no longer ship with loadable modules, hence we don't
require this rule.
4) Removal of "fsetid" from "self:capability". Any setuid / setgid
bits SHOULD be cleared if vold is able to change the permissions
of files. IMHO, it was a mistake to ever include this capability in
the first place.
Testing: As much as possible, I've tested filesystem related
functionality, including factory reset and device encryption.
I wasn't able to test fstrim functionality, which is a fairly
new feature. I didn't see any policy denials in dmesg. It's quite
possible I've missed something. If we experience problems, I
happy to roll back this change.
Bug: 9629920
Change-Id: I683afa0dffe9f28952287bfdb7ee4e0423c2e97a
2013-06-29 05:15:37 +02:00
|
|
|
|
|
|
|
# ASEC
|
|
|
|
allow vold asec_image_file:file create_file_perms;
|
|
|
|
allow vold asec_image_file:dir rw_dir_perms;
|
Updated policy for external storage.
An upcoming platform release is redesigning how external storage
works. At a high level, vold is taking on a more active role in
managing devices that dynamically appear.
This change also creates further restricted domains for tools doing
low-level access of external storage devices, including sgdisk
and blkid. It also extends sdcardd to be launchable by vold, since
launching by init will eventually go away.
For compatibility, rules required to keep AOSP builds working are
marked with "TODO" to eventually remove.
Slightly relax system_server external storage rules to allow calls
like statfs(). Still neverallow open file descriptors, since they
can cause kernel to kill us.
Here are the relevant violations that this CL is designed to allow:
avc: denied { search } for name="user" dev="tmpfs" ino=7441 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/mnt/user/0" dev="tmpfs" ino=6659 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { write } for name="user" dev="tmpfs" ino=6658 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { add_name } for name="10" scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { create } for name="10" scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { setattr } for name="10" dev="tmpfs" ino=11348 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { search } for name="/" dev="tmpfs" ino=3131 scontext=u:r:zygote:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self" dev="tmpfs" ino=6659 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self" dev="tmpfs" ino=11348 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { read } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { open } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { search } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { write } for name="data" dev="tmpfs" ino=11979 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { add_name } for name="com.google.android.music" scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { create } for name="com.google.android.music" scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { use } for path="socket:[8297]" dev="sockfs" ino=8297 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { read write } for path="socket:[8297]" dev="sockfs" ino=8297 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=netlink_kobject_uevent_socket
avc: denied { read } for path="pipe:[8298]" dev="pipefs" ino=8298 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { write } for path="pipe:[8298]" dev="pipefs" ino=8298 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { mounton } for path="/storage/emulated" dev="tmpfs" ino=8913 scontext=u:r:sdcardd:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage" dev="tmpfs" ino=7444 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { getattr } for path="/storage/self/primary" dev="tmpfs" ino=7447 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file
avc: denied { read } for name="primary" dev="tmpfs" ino=7447 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file
avc: denied { getattr } for path="/mnt/user" dev="tmpfs" ino=7441 scontext=u:r:system_server:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir
avc: denied { read } for name="disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { open } for path="/dev/block/vold/disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { getattr } for path="/dev/block/vold/disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { read } for name="/" dev="fuse" ino=0 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { open } for path="/storage/public:81F3-13EC" dev="fuse" ino=0 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { write } for name="data" dev="fuse" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { add_name } for name="com.google.android.googlequicksearchbox" scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { create } for name="com.google.android.googlequicksearchbox" scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir
avc: denied { getattr } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { read } for name="public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { open } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { ioctl } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file
avc: denied { use } for path="pipe:[3264]" dev="pipefs" ino=3264 scontext=u:r:sgdisk:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[3264]" dev="pipefs" ino=3264 scontext=u:r:sgdisk:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { search } for name="block" dev="tmpfs" ino=2494 scontext=u:r:sgdisk:s0 tcontext=u:object_r:block_device:s0 tclass=dir
avc: denied { use } for path="pipe:[4200]" dev="pipefs" ino=4200 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[4200]" dev="pipefs" ino=4200 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { search } for name="/" dev="tmpfs" ino=3131 scontext=u:r:sdcardd:s0 tcontext=u:object_r:storage_file:s0 tclass=dir
avc: denied { search } for name="media_rw" dev="tmpfs" ino=3127 scontext=u:r:sdcardd:s0 tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir
avc: denied { getattr } for path="pipe:[3648]" dev="pipefs" ino=3648 scontext=u:r:blkid:s0 tcontext=u:r:vold:s0 tclass=fifo_file
avc: denied { use } for path="/dev/pts/12" dev="devpts" ino=15 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="/dev/pts/12" dev="devpts" ino=15 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
avc: denied { use } for path="pipe:[4182]" dev="pipefs" ino=4182 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd
Change-Id: Idf3b8561baecf7faa603fac5ababdcc5708288e1
2015-03-27 19:25:39 +01:00
|
|
|
allow vold asec_apk_file:dir { create_dir_perms mounton relabelfrom relabelto };
|
2014-02-04 17:36:41 +01:00
|
|
|
allow vold asec_public_file:dir { relabelto setattr };
|
2014-05-27 16:56:24 +02:00
|
|
|
allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto };
|
2014-02-04 17:36:41 +01:00
|
|
|
allow vold asec_public_file:file { relabelto setattr };
|
2014-05-27 16:56:24 +02:00
|
|
|
# restorecon files in asec containers created on 4.2 or earlier.
|
|
|
|
allow vold unlabeled:dir { r_dir_perms setattr relabelfrom };
|
|
|
|
allow vold unlabeled:file { r_file_perms setattr relabelfrom };
|
2013-12-20 00:23:43 +01:00
|
|
|
|
|
|
|
# Handle wake locks (used for device encryption)
|
2014-05-23 22:33:32 +02:00
|
|
|
wakelock_use(vold)
|
2014-03-19 22:41:00 +01:00
|
|
|
|
2017-09-26 21:58:29 +02:00
|
|
|
# Allow vold to publish a binder service and make binder calls.
|
2014-03-19 22:41:00 +01:00
|
|
|
binder_use(vold)
|
2017-09-26 21:58:29 +02:00
|
|
|
add_service(vold, vold_service)
|
|
|
|
|
|
|
|
# Allow vold to call into the system server so it can check permissions.
|
|
|
|
binder_call(vold, system_server)
|
|
|
|
allow vold permission_service:service_manager find;
|
|
|
|
|
|
|
|
# talk to batteryservice
|
2014-03-19 22:41:00 +01:00
|
|
|
binder_call(vold, healthd)
|
2014-04-14 21:05:43 +02:00
|
|
|
|
|
|
|
# talk to keymaster
|
2017-02-23 04:48:17 +01:00
|
|
|
hal_client_domain(vold, hal_keymaster)
|
2014-04-14 21:05:43 +02:00
|
|
|
|
2014-09-11 14:50:04 +02:00
|
|
|
# Access userdata block device.
|
|
|
|
allow vold userdata_block_device:blk_file rw_file_perms;
|
2014-09-30 17:37:51 +02:00
|
|
|
|
|
|
|
# Access metadata block device used for encryption meta-data.
|
|
|
|
allow vold metadata_block_device:blk_file rw_file_perms;
|
2015-03-11 23:44:14 +01:00
|
|
|
|
2015-04-29 00:06:29 +02:00
|
|
|
# Allow vold to manipulate /data/unencrypted
|
|
|
|
allow vold unencrypted_data_file:{ file } create_file_perms;
|
2015-03-11 23:44:14 +01:00
|
|
|
allow vold unencrypted_data_file:dir create_dir_perms;
|
2015-04-01 00:03:13 +02:00
|
|
|
|
2015-05-15 05:55:31 +02:00
|
|
|
# Write to /proc/sys/vm/drop_caches
|
|
|
|
allow vold proc_drop_caches:file w_file_perms;
|
|
|
|
|
2015-04-01 00:03:13 +02:00
|
|
|
# Give vold a place where only vold can store files; everyone else is off limits
|
2015-05-15 05:55:31 +02:00
|
|
|
allow vold vold_data_file:dir create_dir_perms;
|
2015-04-01 00:03:13 +02:00
|
|
|
allow vold vold_data_file:file create_file_perms;
|
|
|
|
|
2018-02-01 19:15:34 +01:00
|
|
|
# And a similar place in the metadata partition
|
|
|
|
allow vold vold_metadata_file:dir create_dir_perms;
|
|
|
|
allow vold vold_metadata_file:file create_file_perms;
|
|
|
|
|
2015-04-29 00:06:29 +02:00
|
|
|
# linux keyring configuration
|
|
|
|
allow vold init:key { write search setattr };
|
|
|
|
allow vold vold:key { write search setattr };
|
|
|
|
|
2015-06-11 22:00:30 +02:00
|
|
|
# vold temporarily changes its priority when running benchmarks
|
2017-11-09 23:51:26 +01:00
|
|
|
allow vold self:global_capability_class_set sys_nice;
|
2015-06-11 22:00:30 +02:00
|
|
|
|
2015-06-26 01:13:59 +02:00
|
|
|
# vold needs to chroot into app namespaces to remount when runtime permissions change
|
2017-11-09 23:51:26 +01:00
|
|
|
allow vold self:global_capability_class_set sys_chroot;
|
2015-06-26 01:13:59 +02:00
|
|
|
allow vold storage_file:dir mounton;
|
|
|
|
|
2015-12-02 05:43:46 +01:00
|
|
|
# For AppFuse.
|
|
|
|
allow vold fuse_device:chr_file rw_file_perms;
|
2016-01-28 07:48:39 +01:00
|
|
|
allow vold fuse:filesystem { relabelfrom };
|
|
|
|
allow vold app_fusefs:filesystem { relabelfrom relabelto };
|
|
|
|
allow vold app_fusefs:filesystem { mount unmount };
|
2015-12-02 05:43:46 +01:00
|
|
|
|
2016-01-21 18:46:58 +01:00
|
|
|
# MoveTask.cpp executes cp and rm
|
|
|
|
allow vold toolbox_exec:file rx_file_perms;
|
|
|
|
|
2016-02-01 20:28:39 +01:00
|
|
|
# Prepare profile dir for users.
|
|
|
|
allow vold user_profile_data_file:dir create_dir_perms;
|
|
|
|
|
2016-04-07 00:53:09 +02:00
|
|
|
# Raw writes to misc block device
|
|
|
|
allow vold misc_block_device:blk_file w_file_perms;
|
|
|
|
|
2018-07-13 17:34:48 +02:00
|
|
|
# vold might need to search or mount /mnt/vendor/*
|
|
|
|
allow vold mnt_vendor_file:dir search;
|
|
|
|
|
2018-02-01 19:15:34 +01:00
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-vold
|
|
|
|
-vold_prepare_subdirs
|
|
|
|
} vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
|
|
|
|
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-init
|
|
|
|
-vold
|
|
|
|
-vold_prepare_subdirs
|
|
|
|
} vold_data_file:dir *;
|
|
|
|
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-init
|
|
|
|
-vendor_init
|
|
|
|
-vold
|
|
|
|
} vold_metadata_file:dir *;
|
|
|
|
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-kernel
|
|
|
|
-vold
|
|
|
|
-vold_prepare_subdirs
|
|
|
|
} vold_data_file:notdevfile_class_set ~{ relabelto getattr };
|
|
|
|
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-init
|
|
|
|
-vold
|
|
|
|
-vold_prepare_subdirs
|
|
|
|
} vold_metadata_file:notdevfile_class_set ~{ relabelto getattr };
|
|
|
|
|
|
|
|
neverallow {
|
|
|
|
domain
|
|
|
|
-init
|
|
|
|
-kernel
|
2018-05-14 22:08:46 +02:00
|
|
|
-vendor_init
|
2018-02-01 19:15:34 +01:00
|
|
|
-vold
|
|
|
|
-vold_prepare_subdirs
|
|
|
|
} { vold_data_file vold_metadata_file }:notdevfile_class_set *;
|
|
|
|
|
2015-06-09 20:01:04 +02:00
|
|
|
neverallow { domain -vold -init } restorecon_prop:property_service set;
|
2016-01-22 00:32:08 +01:00
|
|
|
|
2017-09-26 21:58:29 +02:00
|
|
|
# Only system_server and vdc can interact with vold over binder
|
|
|
|
neverallow { domain -system_server -vdc -vold } vold_service:service_manager find;
|
|
|
|
neverallow vold {
|
|
|
|
domain
|
2017-11-21 06:43:25 +01:00
|
|
|
-hal_keymaster_server
|
2017-09-26 21:58:29 +02:00
|
|
|
-healthd
|
|
|
|
-hwservicemanager
|
|
|
|
-servicemanager
|
|
|
|
-system_server
|
|
|
|
userdebug_or_eng(`-su')
|
|
|
|
}:binder call;
|
|
|
|
|
2016-01-22 00:32:08 +01:00
|
|
|
neverallow vold fsck_exec:file execute_no_trans;
|
2017-08-30 10:17:49 +02:00
|
|
|
neverallow { domain -init } vold:process { transition dyntransition };
|
2017-08-30 11:34:39 +02:00
|
|
|
neverallow vold *:process ptrace;
|
|
|
|
neverallow vold *:rawip_socket *;
|