tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Directory for vold to store private data.

Browse source 
Creates new directory at /data/misc/vold for storing key material
on internal storage.  Only vold should have access to this label.

Change-Id: I7f2d1314ad3b2686e29e2037207ad83d2d3bf465
This commit is contained in:
Jeff Sharkey 2015-03-31 15:03:13 -07:00
parent 5a5b364c54
commit 4423ecdb09
4 changed files with 20 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
file.te
View file

@ -110,6 +110,7 @@ type systemkeys_data_file, file_type, data_file_type;
type vpn_data_file, file_type, data_file_type;
type wifi_data_file, file_type, data_file_type;
type zoneinfo_data_file, file_type, data_file_type;
type vold_data_file, file_type, data_file_type;
# Compatibility with type names used in vanilla Android 4.3 and 4.4.
typealias audio_data_file alias audio_firmware_file;

1
file_contexts
View file

@ -236,6 +236,7 @@
/data/misc/wifi/sockets/wpa_ctrl.* u:object_r:system_wpa_socket:s0
/data/misc/wifi/hostapd(/.*)? u:object_r:wpa_socket:s0
/data/misc/zoneinfo(/.*)? u:object_r:zoneinfo_data_file:s0
/data/misc/vold(/.*)? u:object_r:vold_data_file:s0
# Bootchart data
/data/bootchart(/.*)? u:object_r:bootchart_data_file:s0

13
init.te
View file

@ -82,10 +82,10 @@ allow init rootfs:file relabelfrom;
# we just allow all file types except /system files here.
allow init self:capability { chown fowner fsetid };
allow init {file_type -system_file -exec_type -app_data_file}:dir { create search getattr open read setattr };
allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file}:dir { write add_name remove_name rmdir relabelfrom };
allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file}:file { create getattr open read write setattr relabelfrom unlink };
allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file}:lnk_file { create getattr setattr relabelfrom unlink };
allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:dir { write add_name remove_name rmdir relabelfrom };
allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:file { create getattr open read write setattr relabelfrom unlink };
allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:lnk_file { create getattr setattr relabelfrom unlink };
allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;
allow init sysfs:{ dir file lnk_file } { getattr relabelfrom };
allow init sysfs_type:{ dir file lnk_file } relabelto;
@ -156,6 +156,11 @@ allow init domain:process sigkill;
allow init keystore_data_file:dir { open create read getattr setattr search };
allow init keystore_data_file:file { getattr };
# Init creates vold's directory on boot, and walks through
# the directory as part of a recursive restorecon.
allow init vold_data_file:dir { open create read getattr setattr search };
allow init vold_data_file:file { getattr };
# Init creates /data/local/tmp at boot
allow init shell_data_file:dir { open create read getattr setattr search };
allow init shell_data_file:file { getattr };

9
vold.te
View file

@ -129,3 +129,12 @@ allow vold metadata_block_device:blk_file rw_file_perms;
# Allow init to manipulate /data/unencrypted
allow vold unencrypted_data_file:{ file lnk_file } create_file_perms;
allow vold unencrypted_data_file:dir create_dir_perms;
# Give vold a place where only vold can store files; everyone else is off limits
allow vold vold_data_file:dir rw_dir_perms;
allow vold vold_data_file:file create_file_perms;
neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto };
neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
neverallow { domain -vold -init } vold_data_file:dir *;
neverallow { domain -vold -init } vold_data_file:notdevfile_class_set *;