b382f02bf4
Every process needs to be able to determine the IncFS features to choose the most efficient APIs to call Bug: 184357957 Test: build + atest PackageManagerShellCommandTest Change-Id: Ia84e3fecfd7be1209af076452cc27cc68aefd80d
361 lines
12 KiB
Text
361 lines
12 KiB
Text
# volume manager
|
|
type vold, domain;
|
|
type vold_exec, exec_type, file_type, system_file_type;
|
|
|
|
# Read already opened /cache files.
|
|
allow vold cache_file:dir r_dir_perms;
|
|
allow vold cache_file:file { getattr read };
|
|
allow vold cache_file:lnk_file r_file_perms;
|
|
|
|
r_dir_file(vold, { sysfs_type -sysfs_batteryinfo })
|
|
# XXX Label sysfs files with a specific type?
|
|
allow vold {
|
|
sysfs # writing to /sys/*/uevent during coldboot.
|
|
sysfs_devices_block
|
|
sysfs_dm
|
|
sysfs_loop # writing to /sys/block/loop*/uevent during coldboot.
|
|
sysfs_usb
|
|
sysfs_zram_uevent
|
|
sysfs_fs_f2fs
|
|
}:file w_file_perms;
|
|
|
|
r_dir_file(vold, rootfs)
|
|
r_dir_file(vold, metadata_file)
|
|
allow vold {
|
|
proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
|
|
proc_bootconfig
|
|
proc_cmdline
|
|
proc_drop_caches
|
|
proc_filesystems
|
|
proc_meminfo
|
|
proc_mounts
|
|
}:file r_file_perms;
|
|
|
|
#Get file contexts
|
|
allow vold file_contexts_file:file r_file_perms;
|
|
|
|
# Allow us to jump into execution domains of above tools
|
|
allow vold self:process setexec;
|
|
|
|
# For formatting adoptable storage devices
|
|
allow vold e2fs_exec:file rx_file_perms;
|
|
|
|
# Run fstrim on mounted partitions
|
|
# allowxperm still requires the ioctl permission for the individual type
|
|
allowxperm vold { fs_type file_type }:dir ioctl FITRIM;
|
|
|
|
# Get/set file-based encryption policies on dirs in /data and adoptable storage,
|
|
# and add/remove file-based encryption keys.
|
|
allowxperm vold data_file_type:dir ioctl {
|
|
FS_IOC_GET_ENCRYPTION_POLICY
|
|
FS_IOC_SET_ENCRYPTION_POLICY
|
|
FS_IOC_ADD_ENCRYPTION_KEY
|
|
FS_IOC_REMOVE_ENCRYPTION_KEY
|
|
};
|
|
|
|
# Only vold and init should ever set file-based encryption policies.
|
|
neverallowxperm {
|
|
domain
|
|
-vold
|
|
-init
|
|
-vendor_init
|
|
} data_file_type:dir ioctl { FS_IOC_SET_ENCRYPTION_POLICY };
|
|
|
|
# Only vold should ever add/remove file-based encryption keys.
|
|
neverallowxperm {
|
|
domain
|
|
-vold
|
|
} data_file_type:dir ioctl { FS_IOC_ADD_ENCRYPTION_KEY FS_IOC_REMOVE_ENCRYPTION_KEY };
|
|
|
|
# Allow securely erasing crypto key files. F2FS_IOC_SEC_TRIM_FILE is
|
|
# tried first. Otherwise, FS_IOC_FIEMAP is needed to get the
|
|
# location of the file's blocks on the raw block device to erase.
|
|
allowxperm vold {
|
|
vold_data_file
|
|
vold_metadata_file
|
|
}:file ioctl {
|
|
F2FS_IOC_SEC_TRIM_FILE
|
|
FS_IOC_FIEMAP
|
|
};
|
|
|
|
typeattribute vold mlstrustedsubject;
|
|
allow vold self:process setfscreate;
|
|
allow vold system_file:file x_file_perms;
|
|
not_full_treble(`allow vold vendor_file:file x_file_perms;')
|
|
allow vold block_device:dir create_dir_perms;
|
|
allow vold device:dir write;
|
|
allow vold devpts:chr_file rw_file_perms;
|
|
allow vold rootfs:dir mounton;
|
|
allow vold sdcard_type:dir mounton; # TODO: deprecated in M
|
|
allow vold sdcard_type:filesystem { mount remount unmount }; # TODO: deprecated in M
|
|
allow vold sdcard_type:dir create_dir_perms; # TODO: deprecated in M
|
|
allow vold sdcard_type:file create_file_perms; # TODO: deprecated in M
|
|
|
|
# Manage locations where storage is mounted
|
|
allow vold { mnt_media_rw_file storage_file sdcard_type }:dir create_dir_perms;
|
|
allow vold { mnt_media_rw_file storage_file sdcard_type }:file create_file_perms;
|
|
|
|
# Access to storage that backs emulated FUSE daemons for migration optimization
|
|
allow vold media_rw_data_file:dir create_dir_perms;
|
|
allow vold media_rw_data_file:file create_file_perms;
|
|
# Allow mounting (lower filesystem) on parts of media for performance
|
|
allow vold media_rw_data_file:dir mounton;
|
|
|
|
# Allow setting extended attributes (for project quota IDs) on files and dirs
|
|
# and to enable project ID inheritance through FS_IOC_SETFLAGS
|
|
allowxperm vold media_rw_data_file:{ dir file } ioctl {
|
|
FS_IOC_FSGETXATTR
|
|
FS_IOC_FSSETXATTR
|
|
FS_IOC_GETFLAGS
|
|
FS_IOC_SETFLAGS
|
|
};
|
|
|
|
# Allow mounting of storage devices
|
|
allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr };
|
|
|
|
# Manage per-user primary symlinks
|
|
allow vold mnt_user_file:dir { create_dir_perms mounton };
|
|
allow vold mnt_user_file:lnk_file create_file_perms;
|
|
allow vold mnt_user_file:file create_file_perms;
|
|
|
|
# Manage per-user pass_through primary symlinks
|
|
allow vold mnt_pass_through_file:dir { create_dir_perms mounton };
|
|
allow vold mnt_pass_through_file:lnk_file create_file_perms;
|
|
|
|
# Allow to create and mount expanded storage
|
|
allow vold mnt_expand_file:dir { create_dir_perms mounton };
|
|
allow vold apk_data_file:dir { create getattr setattr };
|
|
allow vold shell_data_file:dir { create getattr setattr };
|
|
|
|
# Allow to mount incremental file system on /data/incremental and create files
|
|
allow vold apk_data_file:dir { mounton rw_dir_perms };
|
|
# Allow to create and write files in /data/incremental
|
|
allow vold apk_data_file:file { rw_file_perms unlink };
|
|
# Allow to bind-mount incremental file system on /data/app/vmdl*.tmp and read files
|
|
allow vold apk_tmp_file:dir { mounton r_dir_perms };
|
|
# Allow to read incremental control file and call selinux restorecon on it
|
|
allow vold incremental_control_file:file { r_file_perms relabelto };
|
|
|
|
allow vold tmpfs:filesystem { mount unmount };
|
|
allow vold tmpfs:dir create_dir_perms;
|
|
allow vold tmpfs:dir mounton;
|
|
allow vold self:global_capability_class_set { net_admin dac_override dac_read_search mknod sys_admin chown fowner fsetid };
|
|
allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
|
|
allow vold loop_control_device:chr_file rw_file_perms;
|
|
allow vold loop_device:blk_file { create setattr unlink rw_file_perms };
|
|
allowxperm vold loop_device:blk_file ioctl {
|
|
LOOP_CLR_FD
|
|
LOOP_CTL_GET_FREE
|
|
LOOP_GET_STATUS64
|
|
LOOP_SET_FD
|
|
LOOP_SET_STATUS64
|
|
};
|
|
allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
|
|
allowxperm vold vold_device:blk_file ioctl { BLKDISCARD BLKGETSIZE };
|
|
allow vold dm_device:chr_file rw_file_perms;
|
|
allow vold dm_device:blk_file rw_file_perms;
|
|
allowxperm vold dm_device:blk_file ioctl { BLKDISCARD BLKSECDISCARD };
|
|
# For vold Process::killProcessesWithOpenFiles function.
|
|
allow vold domain:dir r_dir_perms;
|
|
allow vold domain:{ file lnk_file } r_file_perms;
|
|
allow vold domain:process { signal sigkill };
|
|
allow vold self:global_capability_class_set { sys_ptrace kill };
|
|
|
|
allow vold kmsg_device:chr_file rw_file_perms;
|
|
|
|
# Run fsck in the fsck domain.
|
|
allow vold fsck_exec:file { r_file_perms execute };
|
|
|
|
# Log fsck results
|
|
allow vold fscklogs:dir rw_dir_perms;
|
|
allow vold fscklogs:file create_file_perms;
|
|
|
|
#
|
|
# Rules to support encrypted fs support.
|
|
#
|
|
|
|
# Unmount and mount the fs.
|
|
allow vold labeledfs:filesystem { mount unmount remount };
|
|
|
|
# Access /efs/userdata_footer.
|
|
# XXX Split into a separate type?
|
|
allow vold efs_file:file rw_file_perms;
|
|
|
|
# Create and mount on /data/tmp_mnt and management of expansion mounts
|
|
allow vold {
|
|
system_data_file
|
|
system_data_root_file
|
|
}:dir { create rw_dir_perms mounton setattr rmdir };
|
|
allow vold system_data_file:lnk_file getattr;
|
|
|
|
# Vold create users in /data/vendor_{ce,de}/[0-9]+
|
|
allow vold vendor_data_file:dir create_dir_perms;
|
|
|
|
# for secdiscard
|
|
allow vold system_data_file:file read;
|
|
|
|
# Set scheduling policy of kernel processes
|
|
allow vold kernel:process setsched;
|
|
|
|
# ASEC
|
|
allow vold asec_image_file:file create_file_perms;
|
|
allow vold asec_image_file:dir rw_dir_perms;
|
|
allow vold asec_apk_file:dir { create_dir_perms mounton relabelfrom relabelto };
|
|
allow vold asec_public_file:dir { relabelto setattr };
|
|
allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto };
|
|
allow vold asec_public_file:file { relabelto setattr };
|
|
# restorecon files in asec containers created on 4.2 or earlier.
|
|
allow vold unlabeled:dir { r_dir_perms setattr relabelfrom };
|
|
allow vold unlabeled:file { r_file_perms setattr relabelfrom };
|
|
|
|
# Access to FUSE control filesystem to hard-abort FUSE mounts
|
|
allow vold fusectlfs:file rw_file_perms;
|
|
allow vold fusectlfs:dir rw_dir_perms;
|
|
|
|
# Handle wake locks (used for device encryption)
|
|
wakelock_use(vold)
|
|
|
|
# Allow vold to publish a binder service and make binder calls.
|
|
binder_use(vold)
|
|
add_service(vold, vold_service)
|
|
|
|
# Allow vold to call into the system server so it can check permissions.
|
|
binder_call(vold, system_server)
|
|
allow vold permission_service:service_manager find;
|
|
|
|
# talk to batteryservice
|
|
binder_call(vold, healthd)
|
|
|
|
# talk to keymaster
|
|
hal_client_domain(vold, hal_keymaster)
|
|
|
|
# talk to health storage HAL
|
|
hal_client_domain(vold, hal_health_storage)
|
|
|
|
# talk to bootloader HAL
|
|
full_treble_only(`hal_client_domain(vold, hal_bootctl)')
|
|
|
|
# Access userdata block device.
|
|
allow vold userdata_block_device:blk_file rw_file_perms;
|
|
allowxperm vold userdata_block_device:blk_file ioctl BLKSECDISCARD;
|
|
|
|
# Access metadata block device used for encryption meta-data.
|
|
allow vold metadata_block_device:blk_file rw_file_perms;
|
|
allowxperm vold metadata_block_device:blk_file ioctl BLKSECDISCARD;
|
|
|
|
# Allow vold to manipulate /data/unencrypted
|
|
allow vold unencrypted_data_file:{ file } create_file_perms;
|
|
allow vold unencrypted_data_file:dir create_dir_perms;
|
|
|
|
# Write to /proc/sys/vm/drop_caches
|
|
allow vold proc_drop_caches:file w_file_perms;
|
|
|
|
# Give vold a place where only vold can store files; everyone else is off limits
|
|
allow vold vold_data_file:dir create_dir_perms;
|
|
allow vold vold_data_file:file create_file_perms;
|
|
|
|
# And a similar place in the metadata partition
|
|
allow vold vold_metadata_file:dir create_dir_perms;
|
|
allow vold vold_metadata_file:file create_file_perms;
|
|
|
|
# linux keyring configuration
|
|
allow vold init:key { write search setattr };
|
|
allow vold vold:key { write search setattr };
|
|
|
|
# vold temporarily changes its priority when running benchmarks
|
|
allow vold self:global_capability_class_set sys_nice;
|
|
|
|
# vold needs to chroot into app namespaces to remount when runtime permissions change
|
|
allow vold self:global_capability_class_set sys_chroot;
|
|
allow vold storage_file:dir mounton;
|
|
|
|
# For AppFuse.
|
|
allow vold fuse_device:chr_file rw_file_perms;
|
|
allow vold fuse:filesystem { relabelfrom };
|
|
allow vold app_fusefs:filesystem { relabelfrom relabelto };
|
|
allow vold app_fusefs:filesystem { mount unmount };
|
|
allow vold app_fuse_file:dir rw_dir_perms;
|
|
allow vold app_fuse_file:file { read write open getattr append };
|
|
|
|
# MoveTask.cpp executes cp and rm
|
|
allow vold toolbox_exec:file rx_file_perms;
|
|
|
|
# Prepare profile dir for users.
|
|
allow vold { user_profile_data_file user_profile_root_file }:dir create_dir_perms;
|
|
|
|
# Raw writes to misc block device
|
|
allow vold misc_block_device:blk_file w_file_perms;
|
|
|
|
# vold might need to search or mount /mnt/vendor/*
|
|
allow vold mnt_vendor_file:dir search;
|
|
|
|
dontaudit vold self:global_capability_class_set sys_resource;
|
|
|
|
# Allow ReadDefaultFstab().
|
|
read_fstab(vold)
|
|
|
|
# vold might need to search loopback apex files
|
|
allow vold vendor_apex_file:file r_file_perms;
|
|
|
|
neverallow {
|
|
domain
|
|
-vold
|
|
-vold_prepare_subdirs
|
|
} vold_data_file:dir ~{ open create read getattr setattr search relabelfrom relabelto ioctl };
|
|
|
|
neverallow {
|
|
domain
|
|
-init
|
|
-vold
|
|
-vold_prepare_subdirs
|
|
} vold_data_file:dir *;
|
|
|
|
neverallow {
|
|
domain
|
|
-init
|
|
-vold
|
|
} vold_metadata_file:dir *;
|
|
|
|
neverallow {
|
|
domain
|
|
-kernel
|
|
-vold
|
|
-vold_prepare_subdirs
|
|
} vold_data_file:notdevfile_class_set ~{ relabelto getattr };
|
|
|
|
neverallow {
|
|
domain
|
|
-init
|
|
-vold
|
|
-vold_prepare_subdirs
|
|
} vold_metadata_file:notdevfile_class_set ~{ relabelto getattr };
|
|
|
|
neverallow {
|
|
domain
|
|
-init
|
|
-kernel
|
|
-vold
|
|
-vold_prepare_subdirs
|
|
} { vold_data_file vold_metadata_file }:notdevfile_class_set *;
|
|
|
|
neverallow { domain -vold -init } restorecon_prop:property_service set;
|
|
|
|
neverallow vold {
|
|
domain
|
|
-hal_health_storage_server
|
|
-hal_keymaster_server
|
|
-system_suspend_server
|
|
-hal_bootctl_server
|
|
-healthd
|
|
-hwservicemanager
|
|
-iorapd_service
|
|
-keystore
|
|
-servicemanager
|
|
-system_server
|
|
userdebug_or_eng(`-su')
|
|
}:binder call;
|
|
|
|
neverallow vold fsck_exec:file execute_no_trans;
|
|
neverallow { domain -init } vold:process { transition dyntransition };
|
|
neverallow vold *:process ptrace;
|
|
neverallow vold *:rawip_socket *;
|