31d88a704e
Allow vold, healthd, slideshow, and watchdogd access to /dev/kmsg.
These processes log to the kernel dmesg ring buffer, so they need
write access to that file.
Addresses the following denials:
avc: denied { write } for pid=134 comm="watchdogd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:watchdogd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
avc: denied { write } for pid=166 comm="healthd" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:healthd:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
avc: denied { write } for pid=180 comm="vold" name="kmsg" dev="tmpfs" ino=9248 scontext=u:r:vold:s0 tcontext=u:object_r:kmsg_device:s0 tclass=chr_file permissive=0
These denials were triggered by the change in
https://android-review.googlesource.com/151209 . Prior to that change,
any code which called klog_init would (unnecessarily) create the
device node themselves, rather than using the already existing device
node.
Drop special /dev/__null__ handling from watchdogd. As of
https://android-review.googlesource.com/148288 , watchdogd no longer
creates it's own /dev/null device, so it's unnecessary for us
to allow for it.
Drop mknod from healthd, slideshow, and watchdogd. healthd and slideshow
only needed mknod to create /dev/__kmsg__, which is now obsolete.
watchdogd only needed mknod to create /dev/__kmsg__ and /dev/__null__,
which again is now obsolete.
(cherry picked from e2651972c1
)
Bug: 21242418
Change-Id: If01c8001084575e7441253f0fa8b4179ae33f534
158 lines
5.9 KiB
Text
158 lines
5.9 KiB
Text
# volume manager
|
|
type vold, domain;
|
|
type vold_exec, exec_type, file_type;
|
|
|
|
init_daemon_domain(vold)
|
|
|
|
# Switch to more restrictive domains when executing common tools
|
|
domain_auto_trans(vold, sgdisk_exec, sgdisk);
|
|
domain_auto_trans(vold, sdcardd_exec, sdcardd);
|
|
|
|
# For a handful of probing tools, we choose an even more restrictive
|
|
# domain when working with untrusted block devices
|
|
domain_trans(vold, shell_exec, blkid);
|
|
domain_trans(vold, shell_exec, blkid_untrusted);
|
|
domain_trans(vold, fsck_exec, fsck);
|
|
domain_trans(vold, fsck_exec, fsck_untrusted);
|
|
|
|
# Allow us to jump into execution domains of above tools
|
|
allow vold self:process setexec;
|
|
|
|
# For sgdisk launched through popen()
|
|
allow vold shell_exec:file rx_file_perms;
|
|
|
|
typeattribute vold mlstrustedsubject;
|
|
allow vold self:process setfscreate;
|
|
allow vold system_file:file x_file_perms;
|
|
allow vold block_device:dir create_dir_perms;
|
|
allow vold block_device:blk_file create_file_perms;
|
|
auditallow vold block_device:blk_file create_file_perms;
|
|
allow vold device:dir write;
|
|
allow vold devpts:chr_file rw_file_perms;
|
|
allow vold rootfs:dir mounton;
|
|
allow vold sdcard_type:dir mounton; # TODO: deprecated in M
|
|
allow vold sdcard_type:filesystem { mount remount unmount }; # TODO: deprecated in M
|
|
allow vold sdcard_type:dir create_dir_perms; # TODO: deprecated in M
|
|
allow vold sdcard_type:file create_file_perms; # TODO: deprecated in M
|
|
|
|
# Manage locations where storage is mounted
|
|
allow vold { mnt_media_rw_file storage_file sdcard_type }:dir create_dir_perms;
|
|
allow vold { mnt_media_rw_file storage_file sdcard_type }:file create_file_perms;
|
|
|
|
# Access to storage that backs emulated FUSE daemons for migration optimization
|
|
allow vold media_rw_data_file:dir create_dir_perms;
|
|
allow vold media_rw_data_file:file create_file_perms;
|
|
|
|
# Newly created storage dirs are always treated as mount stubs to prevent us
|
|
# from accidentally writing when the mount point isn't present.
|
|
type_transition vold storage_file:dir storage_stub_file;
|
|
type_transition vold mnt_media_rw_file:dir mnt_media_rw_stub_file;
|
|
|
|
# Allow mounting of storage devices
|
|
allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr };
|
|
allow vold sdcard_type:filesystem { mount unmount remount };
|
|
|
|
# Manage per-user primary symlinks
|
|
allow vold mnt_user_file:dir create_dir_perms;
|
|
allow vold mnt_user_file:lnk_file create_file_perms;
|
|
|
|
# Allow to create and mount expanded storage
|
|
allow vold mnt_expand_file:dir { create_dir_perms mounton };
|
|
allow vold apk_data_file:dir { create getattr setattr };
|
|
allow vold shell_data_file:dir { create getattr setattr };
|
|
|
|
allow vold tmpfs:filesystem { mount unmount };
|
|
allow vold tmpfs:dir create_dir_perms;
|
|
allow vold tmpfs:dir mounton;
|
|
allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner fsetid };
|
|
allow vold self:netlink_kobject_uevent_socket create_socket_perms;
|
|
allow vold app_data_file:dir search;
|
|
allow vold app_data_file:file rw_file_perms;
|
|
allow vold loop_device:blk_file create_file_perms;
|
|
allow vold vold_device:blk_file create_file_perms;
|
|
allow vold dm_device:chr_file rw_file_perms;
|
|
allow vold dm_device:blk_file rw_file_perms;
|
|
# For vold Process::killProcessesWithOpenFiles function.
|
|
allow vold domain:dir r_dir_perms;
|
|
allow vold domain:{ file lnk_file } r_file_perms;
|
|
allow vold domain:process { signal sigkill };
|
|
allow vold self:capability { sys_ptrace kill };
|
|
|
|
# XXX Label sysfs files with a specific type?
|
|
allow vold sysfs:file rw_file_perms;
|
|
|
|
allow vold kmsg_device:chr_file rw_file_perms;
|
|
|
|
# Run fsck.
|
|
allow vold fsck_exec:file rx_file_perms;
|
|
|
|
# Log fsck results
|
|
allow vold fscklogs:dir rw_dir_perms;
|
|
allow vold fscklogs:file create_file_perms;
|
|
|
|
#
|
|
# Rules to support encrypted fs support.
|
|
#
|
|
|
|
# Unmount and mount the fs.
|
|
allow vold labeledfs:filesystem { mount unmount remount };
|
|
|
|
# Access /efs/userdata_footer.
|
|
# XXX Split into a separate type?
|
|
allow vold efs_file:file rw_file_perms;
|
|
|
|
# Create and mount on /data/tmp_mnt and management of expansion mounts
|
|
allow vold system_data_file:dir { create rw_dir_perms mounton setattr rmdir };
|
|
|
|
# Set scheduling policy of kernel processes
|
|
allow vold kernel:process setsched;
|
|
|
|
# Property Service
|
|
set_prop(vold, vold_prop)
|
|
set_prop(vold, powerctl_prop)
|
|
set_prop(vold, ctl_fuse_prop)
|
|
|
|
# ASEC
|
|
allow vold asec_image_file:file create_file_perms;
|
|
allow vold asec_image_file:dir rw_dir_perms;
|
|
security_access_policy(vold)
|
|
allow vold asec_apk_file:dir { create_dir_perms mounton relabelfrom relabelto };
|
|
allow vold asec_public_file:dir { relabelto setattr };
|
|
allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto };
|
|
allow vold asec_public_file:file { relabelto setattr };
|
|
# restorecon files in asec containers created on 4.2 or earlier.
|
|
allow vold unlabeled:dir { r_dir_perms setattr relabelfrom };
|
|
allow vold unlabeled:file { r_file_perms setattr relabelfrom };
|
|
|
|
# Handle wake locks (used for device encryption)
|
|
wakelock_use(vold)
|
|
|
|
# talk to batteryservice
|
|
binder_use(vold)
|
|
binder_call(vold, healthd)
|
|
|
|
# talk to keymaster
|
|
allow vold tee_device:chr_file rw_file_perms;
|
|
|
|
# Access userdata block device.
|
|
allow vold userdata_block_device:blk_file rw_file_perms;
|
|
|
|
# Access metadata block device used for encryption meta-data.
|
|
allow vold metadata_block_device:blk_file rw_file_perms;
|
|
|
|
# Allow vold to manipulate /data/unencrypted
|
|
allow vold unencrypted_data_file:{ file } create_file_perms;
|
|
allow vold unencrypted_data_file:dir create_dir_perms;
|
|
|
|
# Give vold a place where only vold can store files; everyone else is off limits
|
|
allow vold vold_data_file:dir create_dir_perms;
|
|
allow vold vold_data_file:file create_file_perms;
|
|
|
|
# linux keyring configuration
|
|
allow vold init:key { write search setattr };
|
|
allow vold vold:key { write search setattr };
|
|
|
|
neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
|
|
neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
|
|
neverallow { domain -vold -init } vold_data_file:dir *;
|
|
neverallow { domain -vold -init } vold_data_file:notdevfile_class_set *;
|