platform_system_sepolicy/vold.te
Stephen Smalley f85c1fc293 Allow installd, vold, system_server unlabeled access.
The bugs that motivated bringing back the unlabeled allowall rules,
https://android-review.googlesource.com/#/c/94971/
should be resolved by the following changes:
https://android-review.googlesource.com/#/c/94966/
https://android-review.googlesource.com/#/c/96080/

Beyond those changes, installd needs to be able to remove package directories
for apps that no longer exist or have moved (e.g. to priv-app) on upgrades, so
allow it the permissions required for this purpose.  vold needs to be able
to chown/chmod/restorecon files in asec containers so allow it the
permissions to do so.  system_server tries to access all /data/data
subdirectories so permit it to do so.  installd and system_server
read the pkg.apk file before it has been relabeled by vold and therefore
need to read unlabeled files.

Change-Id: I70da7d605c0d037eaa5f3f5fda24f5e7715451dc
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-05-29 16:35:01 -04:00

91 lines
2.9 KiB
Text

# volume manager
type vold, domain;
type vold_exec, exec_type, file_type;
init_daemon_domain(vold)
typeattribute vold mlstrustedsubject;
allow vold system_file:file x_file_perms;
allow vold block_device:dir create_dir_perms;
allow vold block_device:blk_file create_file_perms;
allow vold device:dir write;
allow vold devpts:chr_file rw_file_perms;
allow vold rootfs:dir mounton;
allow vold sdcard_type:dir mounton;
allow vold sdcard_type:filesystem { mount remount unmount };
allow vold sdcard_type:dir create_dir_perms;
allow vold sdcard_type:file create_file_perms;
allow vold tmpfs:filesystem { mount unmount };
allow vold tmpfs:dir create_dir_perms;
allow vold tmpfs:dir mounton;
allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner fsetid };
allow vold self:netlink_kobject_uevent_socket create_socket_perms;
allow vold app_data_file:dir search;
allow vold app_data_file:file rw_file_perms;
allow vold loop_device:blk_file rw_file_perms;
allow vold dm_device:chr_file rw_file_perms;
# For vold Process::killProcessesWithOpenFiles function.
allow vold domain:dir r_dir_perms;
allow vold domain:{ file lnk_file } r_file_perms;
allow vold domain:process { signal sigkill };
allow vold self:capability { sys_ptrace kill };
# For blkid
allow vold shell_exec:file rx_file_perms;
# XXX Label sysfs files with a specific type?
allow vold sysfs:file rw_file_perms;
write_klog(vold)
# Log fsck results
allow vold fscklogs:dir rw_dir_perms;
allow vold fscklogs:file create_file_perms;
#
# Rules to support encrypted fs support.
#
# Set property.
unix_socket_connect(vold, property, init)
# Unmount and mount the fs.
allow vold labeledfs:filesystem { mount unmount remount };
# Access /efs/userdata_footer.
# XXX Split into a separate type?
allow vold efs_file:file rw_file_perms;
# Create and mount on /data/tmp_mnt.
allow vold system_data_file:dir { create rw_dir_perms mounton };
# Set scheduling policy of kernel processes
allow vold kernel:process setsched;
# Property Service
allow vold vold_prop:property_service set;
allow vold powerctl_prop:property_service set;
allow vold ctl_fuse_prop:property_service set;
# ASEC
allow vold asec_image_file:file create_file_perms;
allow vold asec_image_file:dir rw_dir_perms;
security_access_policy(vold)
allow vold asec_apk_file:dir { rw_dir_perms setattr relabelfrom relabelto };
allow vold asec_public_file:dir { relabelto setattr };
allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto };
allow vold asec_public_file:file { relabelto setattr };
# restorecon files in asec containers created on 4.2 or earlier.
allow vold unlabeled:dir { r_dir_perms setattr relabelfrom };
allow vold unlabeled:file { r_file_perms setattr relabelfrom };
# Handle wake locks (used for device encryption)
wakelock_use(vold)
# talk to batteryservice
binder_use(vold)
binder_call(vold, healthd)
# talk to keymaster
allow vold tee_device:chr_file rw_file_perms;