Blame - microdroid/sepolicy/system/public/vold.te - android_packages_modules_Virtualization

blob: 7796ba85115fc009f780b35c457f5c2ab9faf4a1 [file] [log] [blame]

Inseob Kim	ff43be2	2021-06-07 16:56:56 +0900	[diff] [blame]	1	# volume manager
				2	type vold, domain;
				3	type vold_exec, exec_type, file_type, system_file_type;
				4
				5	# Read already opened /cache files.
				6	allow vold cache_file:dir r_dir_perms;
				7	allow vold cache_file:file { getattr read };
				8	allow vold cache_file:lnk_file r_file_perms;
				9
				10	r_dir_file(vold, { sysfs_type -sysfs_batteryinfo })
				11	# XXX Label sysfs files with a specific type?
				12	allow vold {
				13	sysfs # writing to /sys/*/uevent during coldboot.
				14	sysfs_devices_block
				15	sysfs_dm
				16	sysfs_loop # writing to /sys/block/loop*/uevent during coldboot.
				17	sysfs_usb
				18	sysfs_zram_uevent
				19	sysfs_fs_f2fs
				20	}:file w_file_perms;
				21
				22	r_dir_file(vold, rootfs)
				23	r_dir_file(vold, metadata_file)
				24	allow vold {
				25	proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
				26	proc_bootconfig
				27	proc_cmdline
				28	proc_drop_caches
				29	proc_filesystems
				30	proc_meminfo
				31	proc_mounts
				32	}:file r_file_perms;
				33
				34	#Get file contexts
				35	allow vold file_contexts_file:file r_file_perms;
				36
				37	# Allow us to jump into execution domains of above tools
				38	allow vold self:process setexec;
				39
				40	# For formatting adoptable storage devices
				41	allow vold e2fs_exec:file rx_file_perms;
				42
				43	# Run fstrim on mounted partitions
				44	# allowxperm still requires the ioctl permission for the individual type
				45	allowxperm vold { fs_type file_type }:dir ioctl FITRIM;
				46
				47	# Get/set file-based encryption policies on dirs in /data and adoptable storage,
				48	# and add/remove file-based encryption keys.
				49	allowxperm vold data_file_type:dir ioctl {
				50	FS_IOC_GET_ENCRYPTION_POLICY
				51	FS_IOC_SET_ENCRYPTION_POLICY
				52	FS_IOC_ADD_ENCRYPTION_KEY
				53	FS_IOC_REMOVE_ENCRYPTION_KEY
				54	};
				55
				56	# Only vold and init should ever set file-based encryption policies.
				57	neverallowxperm {
				58	domain
				59	-vold
				60	-init
				61	-vendor_init
				62	} data_file_type:dir ioctl { FS_IOC_SET_ENCRYPTION_POLICY };
				63
				64	# Only vold should ever add/remove file-based encryption keys.
				65	neverallowxperm {
				66	domain
				67	-vold
				68	} data_file_type:dir ioctl { FS_IOC_ADD_ENCRYPTION_KEY FS_IOC_REMOVE_ENCRYPTION_KEY };
				69
				70	# Allow securely erasing crypto key files. F2FS_IOC_SEC_TRIM_FILE is
				71	# tried first. Otherwise, FS_IOC_FIEMAP is needed to get the
				72	# location of the file's blocks on the raw block device to erase.
				73	allowxperm vold {
				74	vold_data_file
				75	vold_metadata_file
				76	}:file ioctl {
				77	F2FS_IOC_SEC_TRIM_FILE
				78	FS_IOC_FIEMAP
				79	};
				80
				81	typeattribute vold mlstrustedsubject;
				82	allow vold self:process setfscreate;
				83	allow vold system_file:file x_file_perms;
				84	not_full_treble(`allow vold vendor_file:file x_file_perms;')
				85	allow vold block_device:dir create_dir_perms;
				86	allow vold device:dir write;
				87	allow vold devpts:chr_file rw_file_perms;
				88	allow vold rootfs:dir mounton;
				89	allow vold sdcard_type:dir mounton; # TODO: deprecated in M
				90	allow vold sdcard_type:filesystem { mount remount unmount }; # TODO: deprecated in M
				91	allow vold sdcard_type:dir create_dir_perms; # TODO: deprecated in M
				92	allow vold sdcard_type:file create_file_perms; # TODO: deprecated in M
				93
				94	# Manage locations where storage is mounted
				95	allow vold { mnt_media_rw_file storage_file sdcard_type }:dir create_dir_perms;
				96	allow vold { mnt_media_rw_file storage_file sdcard_type }:file create_file_perms;
				97
				98	# Access to storage that backs emulated FUSE daemons for migration optimization
				99	allow vold media_rw_data_file:dir create_dir_perms;
				100	allow vold media_rw_data_file:file create_file_perms;
				101	# Allow mounting (lower filesystem) on parts of media for performance
				102	allow vold media_rw_data_file:dir mounton;
				103
				104	# Allow setting extended attributes (for project quota IDs) on files and dirs
				105	# and to enable project ID inheritance through FS_IOC_SETFLAGS
				106	allowxperm vold media_rw_data_file:{ dir file } ioctl {
				107	FS_IOC_FSGETXATTR
				108	FS_IOC_FSSETXATTR
				109	FS_IOC_GETFLAGS
				110	FS_IOC_SETFLAGS
				111	};
				112
				113	# Allow mounting of storage devices
				114	allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr };
				115
				116	# Manage per-user primary symlinks
				117	allow vold mnt_user_file:dir { create_dir_perms mounton };
				118	allow vold mnt_user_file:lnk_file create_file_perms;
				119	allow vold mnt_user_file:file create_file_perms;
				120
				121	# Manage per-user pass_through primary symlinks
				122	allow vold mnt_pass_through_file:dir { create_dir_perms mounton };
				123	allow vold mnt_pass_through_file:lnk_file create_file_perms;
				124
				125	# Allow to create and mount expanded storage
				126	allow vold mnt_expand_file:dir { create_dir_perms mounton };
				127	allow vold apk_data_file:dir { create getattr setattr };
				128	allow vold shell_data_file:dir { create getattr setattr };
				129
				130	# Allow to mount incremental file system on /data/incremental and create files
				131	allow vold apk_data_file:dir { mounton rw_dir_perms };
				132	# Allow to create and write files in /data/incremental
				133	allow vold apk_data_file:file { rw_file_perms unlink };
				134	# Allow to bind-mount incremental file system on /data/app/vmdl*.tmp and read files
				135	allow vold apk_tmp_file:dir { mounton r_dir_perms };
				136	# Allow to read incremental control file and call selinux restorecon on it
				137	allow vold incremental_control_file:file { r_file_perms relabelto };
				138
				139	allow vold tmpfs:filesystem { mount unmount };
				140	allow vold tmpfs:dir create_dir_perms;
				141	allow vold tmpfs:dir mounton;
				142	allow vold self:global_capability_class_set { net_admin dac_override dac_read_search mknod sys_admin chown fowner fsetid };
				143	allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
				144	allow vold loop_control_device:chr_file rw_file_perms;
				145	allow vold loop_device:blk_file { create setattr unlink rw_file_perms };
				146	allowxperm vold loop_device:blk_file ioctl {
				147	LOOP_CLR_FD
				148	LOOP_CTL_GET_FREE
				149	LOOP_GET_STATUS64
				150	LOOP_SET_FD
				151	LOOP_SET_STATUS64
				152	};
				153	allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
				154	allowxperm vold vold_device:blk_file ioctl { BLKDISCARD BLKGETSIZE };
				155	allow vold dm_device:chr_file rw_file_perms;
				156	allow vold dm_device:blk_file rw_file_perms;
				157	allowxperm vold dm_device:blk_file ioctl { BLKDISCARD BLKSECDISCARD };
				158	# For vold Process::killProcessesWithOpenFiles function.
				159	allow vold domain:dir r_dir_perms;
				160	allow vold domain:{ file lnk_file } r_file_perms;
				161	allow vold domain:process { signal sigkill };
				162	allow vold self:global_capability_class_set { sys_ptrace kill };
				163
				164	allow vold kmsg_device:chr_file rw_file_perms;
				165
				166	# Run fsck in the fsck domain.
				167	allow vold fsck_exec:file { r_file_perms execute };
				168
				169	# Log fsck results
				170	allow vold fscklogs:dir rw_dir_perms;
				171	allow vold fscklogs:file create_file_perms;
				172
				173	#
				174	# Rules to support encrypted fs support.
				175	#
				176
				177	# Unmount and mount the fs.
				178	allow vold labeledfs:filesystem { mount unmount remount };
				179
				180	# Access /efs/userdata_footer.
				181	# XXX Split into a separate type?
				182	allow vold efs_file:file rw_file_perms;
				183
				184	# Create and mount on /data/tmp_mnt and management of expansion mounts
				185	allow vold {
				186	system_data_file
				187	system_data_root_file
				188	}:dir { create rw_dir_perms mounton setattr rmdir };
				189	allow vold system_data_file:lnk_file getattr;
				190
				191	# Vold create users in /data/vendor_{ce,de}/[0-9]+
				192	allow vold vendor_data_file:dir create_dir_perms;
				193
				194	# for secdiscard
				195	allow vold system_data_file:file read;
				196
				197	# Set scheduling policy of kernel processes
				198	allow vold kernel:process setsched;
				199
				200	# ASEC
				201	allow vold asec_image_file:file create_file_perms;
				202	allow vold asec_image_file:dir rw_dir_perms;
				203	allow vold asec_apk_file:dir { create_dir_perms mounton relabelfrom relabelto };
				204	allow vold asec_public_file:dir { relabelto setattr };
				205	allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto };
				206	allow vold asec_public_file:file { relabelto setattr };
				207	# restorecon files in asec containers created on 4.2 or earlier.
				208	allow vold unlabeled:dir { r_dir_perms setattr relabelfrom };
				209	allow vold unlabeled:file { r_file_perms setattr relabelfrom };
				210
				211	# Access to FUSE control filesystem to hard-abort FUSE mounts
				212	allow vold fusectlfs:file rw_file_perms;
				213	allow vold fusectlfs:dir rw_dir_perms;
				214
				215	# Handle wake locks (used for device encryption)
				216	wakelock_use(vold)
				217
				218	# Allow vold to publish a binder service and make binder calls.
				219	binder_use(vold)
				220	add_service(vold, vold_service)
				221
				222	# Allow vold to call into the system server so it can check permissions.
				223	binder_call(vold, system_server)
				224	allow vold permission_service:service_manager find;
				225
				226	# talk to batteryservice
				227	binder_call(vold, healthd)
				228
				229	# talk to keymaster
				230	hal_client_domain(vold, hal_keymaster)
				231
				232	# talk to health storage HAL
				233	hal_client_domain(vold, hal_health_storage)
				234
				235	# talk to bootloader HAL
				236	full_treble_only(`hal_client_domain(vold, hal_bootctl)')
				237
				238	# Access userdata block device.
				239	allow vold userdata_block_device:blk_file rw_file_perms;
				240	allowxperm vold userdata_block_device:blk_file ioctl BLKSECDISCARD;
				241
				242	# Access metadata block device used for encryption meta-data.
				243	allow vold metadata_block_device:blk_file rw_file_perms;
				244	allowxperm vold metadata_block_device:blk_file ioctl BLKSECDISCARD;
				245
				246	# Allow vold to manipulate /data/unencrypted
				247	allow vold unencrypted_data_file:{ file } create_file_perms;
				248	allow vold unencrypted_data_file:dir create_dir_perms;
				249
				250	# Write to /proc/sys/vm/drop_caches
				251	allow vold proc_drop_caches:file w_file_perms;
				252
				253	# Give vold a place where only vold can store files; everyone else is off limits
				254	allow vold vold_data_file:dir create_dir_perms;
				255	allow vold vold_data_file:file create_file_perms;
				256
				257	# And a similar place in the metadata partition
				258	allow vold vold_metadata_file:dir create_dir_perms;
				259	allow vold vold_metadata_file:file create_file_perms;
				260
				261	# linux keyring configuration
				262	allow vold init:key { write search setattr };
				263	allow vold vold:key { write search setattr };
				264
				265	# vold temporarily changes its priority when running benchmarks
				266	allow vold self:global_capability_class_set sys_nice;
				267
				268	# vold needs to chroot into app namespaces to remount when runtime permissions change
				269	allow vold self:global_capability_class_set sys_chroot;
				270	allow vold storage_file:dir mounton;
				271
				272	# For AppFuse.
				273	allow vold fuse_device:chr_file rw_file_perms;
				274	allow vold fuse:filesystem { relabelfrom };
				275	allow vold app_fusefs:filesystem { relabelfrom relabelto };
				276	allow vold app_fusefs:filesystem { mount unmount };
				277	allow vold app_fuse_file:dir rw_dir_perms;
				278	allow vold app_fuse_file:file { read write open getattr append };
				279
				280	# MoveTask.cpp executes cp and rm
				281	allow vold toolbox_exec:file rx_file_perms;
				282
				283	# Prepare profile dir for users.
				284	allow vold { user_profile_data_file user_profile_root_file }:dir create_dir_perms;
				285
				286	# Raw writes to misc block device
				287	allow vold misc_block_device:blk_file w_file_perms;
				288
				289	# vold might need to search or mount /mnt/vendor/*
				290	allow vold mnt_vendor_file:dir search;
				291
				292	dontaudit vold self:global_capability_class_set sys_resource;
				293
				294	# Allow ReadDefaultFstab().
				295	read_fstab(vold)
				296
				297	# vold might need to search loopback apex files
				298	allow vold vendor_apex_file:file r_file_perms;
				299
				300	neverallow {
				301	domain
				302	-vold
				303	-vold_prepare_subdirs
				304	} vold_data_file:dir ~{ open create read getattr setattr search relabelfrom relabelto ioctl };
				305
				306	neverallow {
				307	domain
				308	-init
				309	-vold
				310	-vold_prepare_subdirs
				311	} vold_data_file:dir *;
				312
				313	neverallow {
				314	domain
				315	-init
				316	-vold
				317	} vold_metadata_file:dir *;
				318
				319	neverallow {
				320	domain
				321	-kernel
				322	-vold
				323	-vold_prepare_subdirs
				324	} vold_data_file:notdevfile_class_set ~{ relabelto getattr };
				325
				326	neverallow {
				327	domain
				328	-init
				329	-vold
				330	-vold_prepare_subdirs
				331	} vold_metadata_file:notdevfile_class_set ~{ relabelto getattr };
				332
				333	neverallow {
				334	domain
				335	-init
				336	-kernel
				337	-vold
				338	-vold_prepare_subdirs
				339	} { vold_data_file vold_metadata_file }:notdevfile_class_set *;
				340
				341	neverallow { domain -vold -init } restorecon_prop:property_service set;
				342
				343	neverallow vold {
				344	domain
				345	-hal_health_storage_server
				346	-hal_keymaster_server
				347	-system_suspend_server
				348	-hal_bootctl_server
				349	-healthd
				350	-hwservicemanager
				351	-iorapd_service
				352	-keystore
				353	-servicemanager
				354	-system_server
				355	userdebug_or_eng(`-su')
				356	}:binder call;
				357
				358	neverallow vold fsck_exec:file execute_no_trans;
				359	neverallow { domain -init } vold:process { transition dyntransition };
				360	neverallow vold *:process ptrace;
				361	neverallow vold :rawip_socket ;