# volume manager type vold, domain; type vold_exec, exec_type, file_type, system_file_type; # Read already opened /cache files. allow vold cache_file:dir r_dir_perms; allow vold cache_file:file { getattr read }; allow vold cache_file:lnk_file r_file_perms; r_dir_file(vold, { sysfs_type -sysfs_batteryinfo }) # XXX Label sysfs files with a specific type? allow vold { sysfs # writing to /sys/*/uevent during coldboot. sysfs_devices_block sysfs_dm sysfs_loop # writing to /sys/block/loop*/uevent during coldboot. sysfs_usb sysfs_zram_uevent sysfs_fs_f2fs }:file w_file_perms; r_dir_file(vold, rootfs) r_dir_file(vold, metadata_file) allow vold { proc # b/67049235 processes /proc//* files are mislabeled. proc_bootconfig proc_cmdline proc_drop_caches proc_filesystems proc_meminfo proc_mounts }:file r_file_perms; #Get file contexts allow vold file_contexts_file:file r_file_perms; # Allow us to jump into execution domains of above tools allow vold self:process setexec; # For formatting adoptable storage devices allow vold e2fs_exec:file rx_file_perms; # Run fstrim on mounted partitions # allowxperm still requires the ioctl permission for the individual type allowxperm vold { fs_type file_type }:dir ioctl FITRIM; # Get/set file-based encryption policies on dirs in /data and adoptable storage, # and add/remove file-based encryption keys. allowxperm vold data_file_type:dir ioctl { FS_IOC_GET_ENCRYPTION_POLICY FS_IOC_SET_ENCRYPTION_POLICY FS_IOC_ADD_ENCRYPTION_KEY FS_IOC_REMOVE_ENCRYPTION_KEY FS_IOC_GET_ENCRYPTION_KEY_STATUS }; # Only vold and init should ever set file-based encryption policies. neverallowxperm { domain -vold -init -vendor_init } data_file_type:dir ioctl { FS_IOC_SET_ENCRYPTION_POLICY }; # Only vold should ever add/remove file-based encryption keys. neverallowxperm { domain -vold } data_file_type:dir ioctl { FS_IOC_ADD_ENCRYPTION_KEY FS_IOC_REMOVE_ENCRYPTION_KEY FS_IOC_GET_ENCRYPTION_KEY_STATUS }; # Allow securely erasing crypto key files. F2FS_IOC_SEC_TRIM_FILE is # tried first. Otherwise, FS_IOC_FIEMAP is needed to get the # location of the file's blocks on the raw block device to erase. allowxperm vold { vold_data_file vold_metadata_file }:file ioctl { F2FS_IOC_SEC_TRIM_FILE FS_IOC_FIEMAP }; typeattribute vold mlstrustedsubject; allow vold self:process setfscreate; allow vold system_file:file x_file_perms; not_full_treble(`allow vold vendor_file:file x_file_perms;') allow vold block_device:dir create_dir_perms; allow vold device:dir write; allow vold devpts:chr_file rw_file_perms; allow vold rootfs:dir mounton; allow vold { sdcard_type fuse }:dir mounton; # TODO: deprecated in M allow vold { sdcard_type fuse }:filesystem { mount remount unmount }; # TODO: deprecated in M # Manage locations where storage is mounted allow vold { mnt_media_rw_file storage_file sdcard_type fuse }:dir create_dir_perms; allow vold { mnt_media_rw_file storage_file sdcard_type fuse }:file create_file_perms; # Access to storage that backs emulated FUSE daemons for migration optimization allow vold media_rw_data_file:dir create_dir_perms; allow vold media_rw_data_file:file create_file_perms; # Allow mounting (lower filesystem) on parts of media for performance allow vold media_rw_data_file:dir mounton; # Allow setting project quota IDs and enabling project ID inheritance on # /data/media/$userId/* and /mnt/expand/$volume/media/$userId/* allowxperm vold media_rw_data_file:{ dir file } ioctl { FS_IOC_FSGETXATTR FS_IOC_FSSETXATTR FS_IOC_GETFLAGS FS_IOC_SETFLAGS }; # Allow mounting of storage devices allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr }; # Manage per-user primary symlinks allow vold mnt_user_file:dir { create_dir_perms mounton }; allow vold mnt_user_file:lnk_file create_file_perms; allow vold mnt_user_file:file create_file_perms; # Manage per-user pass_through primary symlinks allow vold mnt_pass_through_file:dir { create_dir_perms mounton }; allow vold mnt_pass_through_file:lnk_file create_file_perms; # Allow to create and mount expanded storage allow vold mnt_expand_file:dir { create_dir_perms mounton }; allow vold apk_data_file:dir { create getattr setattr }; allow vold shell_data_file:dir { create getattr setattr }; allow vold system_userdir_file:dir { create getattr setattr }; allow vold media_userdir_file:dir { create getattr setattr open read ioctl }; # Needed to set the casefold flag on /mnt/expand/$volume/media allowxperm vold media_userdir_file:dir ioctl { FS_IOC_GETFLAGS FS_IOC_SETFLAGS }; # Allow to mount incremental file system on /data/incremental and create files allow vold apk_data_file:dir { mounton rw_dir_perms }; # Allow to create and write files in /data/incremental allow vold apk_data_file:file { rw_file_perms unlink }; # Allow to bind-mount incremental file system on /data/app/vmdl*.tmp and read files allow vold apk_tmp_file:dir { mounton r_dir_perms }; # Allow to read incremental control file and call selinux restorecon on it allow vold incremental_control_file:file { r_file_perms relabelto }; allow vold tmpfs:filesystem { mount unmount }; allow vold tmpfs:dir create_dir_perms; allow vold tmpfs:dir mounton; allow vold self:global_capability_class_set { net_admin dac_override dac_read_search mknod sys_admin chown fowner fsetid }; allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl; allow vold loop_control_device:chr_file rw_file_perms; allow vold loop_device:blk_file { create setattr unlink rw_file_perms }; allowxperm vold loop_device:blk_file ioctl { LOOP_CLR_FD LOOP_CTL_GET_FREE LOOP_GET_STATUS64 LOOP_SET_FD LOOP_SET_STATUS64 }; allow vold vold_device:blk_file { create setattr unlink rw_file_perms }; allowxperm vold vold_device:blk_file ioctl { BLKDISCARD BLKGETSIZE }; allow vold dm_device:chr_file rw_file_perms; allow vold dm_device:blk_file rw_file_perms; allowxperm vold dm_device:blk_file ioctl { BLKDISCARD BLKSECDISCARD BLKREPORTZONE BLKRESETZONE }; # For vold Process::killProcessesWithOpenFiles function. allow vold domain:dir r_dir_perms; allow vold domain:{ file lnk_file } r_file_perms; allow vold domain:process { signal sigkill }; allow vold self:global_capability_class_set { sys_ptrace kill }; allow vold kmsg_device:chr_file rw_file_perms; # Run fsck in the fsck domain. allow vold fsck_exec:file { r_file_perms execute }; # Log fsck results allow vold fscklogs:dir rw_dir_perms; allow vold fscklogs:file create_file_perms; # Mount and unmount filesystems. allow vold labeledfs:filesystem { mount unmount remount }; # Create and mount on /data/tmp_mnt and management of expansion mounts # # Also rename per-user encrypted directories such as /data/user/10 from their # temporary name ("10.new") to their final name ("10"). allow vold { system_data_file system_data_root_file }:dir { create_dir_perms mounton }; allow vold system_data_file:lnk_file getattr; # Vold create users in /data/vendor_{ce,de}/[0-9]+ allow vold vendor_data_file:dir create_dir_perms; # for secdiscard allow vold system_data_file:file read; # Set scheduling policy of kernel processes allow vold kernel:process setsched; # ASEC allow vold asec_image_file:file create_file_perms; allow vold asec_image_file:dir rw_dir_perms; allow vold asec_apk_file:dir { create_dir_perms mounton relabelfrom relabelto }; allow vold asec_public_file:dir { relabelto setattr }; allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto }; allow vold asec_public_file:file { relabelto setattr }; # restorecon files in asec containers created on 4.2 or earlier. allow vold unlabeled:dir { r_dir_perms setattr relabelfrom }; allow vold unlabeled:file { r_file_perms setattr relabelfrom }; # Access to FUSE control filesystem to hard-abort FUSE mounts allow vold fusectlfs:file rw_file_perms; allow vold fusectlfs:dir rw_dir_perms; # Allow vold to use wake locks. Needed for idle maintenance and moving storage. wakelock_use(vold) # Allow vold to publish a binder service and make binder calls. binder_use(vold) add_service(vold, vold_service) # Allow vold to call into the system server so it can check permissions. binder_call(vold, system_server) allow vold permission_service:service_manager find; # talk to health storage HAL hal_client_domain(vold, hal_health_storage) # talk to bootloader HAL full_treble_only(`hal_client_domain(vold, hal_bootctl)') # Access userdata block device. allow vold userdata_block_device:blk_file rw_file_perms; allowxperm vold userdata_block_device:blk_file ioctl BLKSECDISCARD; # Access zoned block device. allow vold zoned_block_device:blk_file rw_file_perms; # Access metadata block device used for encryption meta-data. allow vold metadata_block_device:blk_file rw_file_perms; allowxperm vold metadata_block_device:blk_file ioctl BLKSECDISCARD; # Allow vold to manipulate /data/unencrypted allow vold unencrypted_data_file:{ file } create_file_perms; allow vold unencrypted_data_file:dir create_dir_perms; # Write to /proc/sys/vm/drop_caches allow vold proc_drop_caches:file w_file_perms; # Give vold a place where only vold can store files; everyone else is off limits allow vold vold_data_file:dir create_dir_perms; allow vold vold_data_file:file create_file_perms; # And a similar place in the metadata partition allow vold vold_metadata_file:dir create_dir_perms; allow vold vold_metadata_file:file create_file_perms; # linux keyring configuration allow vold init:key { write search setattr }; allow vold vold:key { write search setattr }; # vold temporarily changes its priority when running benchmarks allow vold self:global_capability_class_set sys_nice; # vold needs to chroot into app namespaces to remount when runtime permissions change allow vold self:global_capability_class_set sys_chroot; allow vold storage_file:dir mounton; # For AppFuse. allow vold fuse_device:chr_file rw_file_perms; allow vold fuse:filesystem { relabelfrom }; allow vold app_fusefs:filesystem { relabelfrom relabelto }; allow vold app_fusefs:filesystem { mount unmount }; allow vold app_fuse_file:dir rw_dir_perms; allow vold app_fuse_file:file { read write open getattr append }; # MoveStorage.cpp executes cp and rm allow vold toolbox_exec:file rx_file_perms; # Prepare profile dir for users. allow vold { user_profile_data_file user_profile_root_file }:dir create_dir_perms; # Raw writes to misc block device allow vold misc_block_device:blk_file w_file_perms; # vold might need to search or mount /mnt/vendor/* allow vold mnt_vendor_file:dir search; dontaudit vold self:global_capability_class_set sys_resource; # Allow ReadDefaultFstab(). read_fstab(vold) # vold might need to search loopback apex files allow vold vendor_apex_file:file r_file_perms; neverallow { domain -vold -vold_prepare_subdirs } vold_data_file:dir ~{ open create read getattr setattr search relabelfrom relabelto ioctl }; neverallow { domain -init -vold -vold_prepare_subdirs } vold_data_file:dir *; neverallow { domain -init -vold } vold_metadata_file:dir *; neverallow { domain -kernel -vold -vold_prepare_subdirs } vold_data_file:notdevfile_class_set ~{ relabelto getattr }; neverallow { domain -init -vold -vold_prepare_subdirs } vold_metadata_file:notdevfile_class_set ~{ relabelto getattr }; neverallow { domain -init -kernel -vold -vold_prepare_subdirs } { vold_data_file vold_metadata_file }:notdevfile_class_set *; neverallow { domain -vold -init } restorecon_prop:property_service set; neverallow vold { domain -hal_health_storage_server -system_suspend_server -hal_bootctl_server -hwservicemanager -keystore -servicemanager -system_server userdebug_or_eng(`-su') }:binder call; neverallow vold fsck_exec:file execute_no_trans; neverallow { domain -init } vold:process { transition dyntransition }; neverallow vold *:process ptrace; neverallow vold *:rawip_socket *;