Minimize public policy
Ideally, public should only contain APIs (types / attributes) for
vendor. The other statements like allow/neverallow/typeattributes are
regarded as implementation detail for platform and should be in private.
Bug: 232023812
Test: m selinux_policy
Test: diff <(git diff --staged | grep "^-" | cut -b2- | sort) \
<(git diff --staged | grep "^+" | cut -b2- | sort)
Test: remove comments on plat_sepolicy.cil, replace base_typeattr_*
to base_typeattr and then compare old and new plat_sepolicy.cil
Change-Id: I5e7d2da4465ab0216de6bacdf03077d37f6ffe12
diff --git a/private/vold.te b/private/vold.te
index 4256ac3..4da11da 100644
--- a/private/vold.te
+++ b/private/vold.te
@@ -62,16 +62,6 @@
allow vold keystore:keystore2 early_boot_ended;
allow vold keystore:keystore2 delete_all_keys;
-neverallow {
- domain
- -system_server
- -vdc
- -vold
- -update_verifier
- -apexd
- -gsid
-} vold_service:service_manager find;
-
# Allow vold to create and delete per-user directories like /data/user/$userId.
allow vold {
media_userdir_file
@@ -83,6 +73,296 @@
write
};
+# Read already opened /cache files.
+allow vold cache_file:dir r_dir_perms;
+allow vold cache_file:file { getattr read };
+allow vold cache_file:lnk_file r_file_perms;
+
+r_dir_file(vold, { sysfs_type -sysfs_batteryinfo })
+# XXX Label sysfs files with a specific type?
+allow vold {
+ sysfs # writing to /sys/*/uevent during coldboot.
+ sysfs_devices_block
+ sysfs_dm
+ sysfs_loop # writing to /sys/block/loop*/uevent during coldboot.
+ sysfs_usb
+ sysfs_zram_uevent
+ sysfs_fs_f2fs
+}:file w_file_perms;
+
+r_dir_file(vold, rootfs)
+r_dir_file(vold, metadata_file)
+allow vold {
+ proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
+ proc_bootconfig
+ proc_cmdline
+ proc_drop_caches
+ proc_filesystems
+ proc_meminfo
+ proc_mounts
+}:file r_file_perms;
+
+#Get file contexts
+allow vold file_contexts_file:file r_file_perms;
+
+# Allow us to jump into execution domains of above tools
+allow vold self:process setexec;
+
+# For formatting adoptable storage devices
+allow vold e2fs_exec:file rx_file_perms;
+
+# Run fstrim on mounted partitions
+# allowxperm still requires the ioctl permission for the individual type
+allowxperm vold { fs_type file_type }:dir ioctl FITRIM;
+
+# Get/set file-based encryption policies on dirs in /data and adoptable storage,
+# and add/remove file-based encryption keys.
+allowxperm vold data_file_type:dir ioctl {
+ FS_IOC_GET_ENCRYPTION_POLICY
+ FS_IOC_SET_ENCRYPTION_POLICY
+ FS_IOC_ADD_ENCRYPTION_KEY
+ FS_IOC_REMOVE_ENCRYPTION_KEY
+ FS_IOC_GET_ENCRYPTION_KEY_STATUS
+};
+
+# Allow securely erasing crypto key files. F2FS_IOC_SEC_TRIM_FILE is
+# tried first. Otherwise, FS_IOC_FIEMAP is needed to get the
+# location of the file's blocks on the raw block device to erase.
+allowxperm vold {
+ vold_data_file
+ vold_metadata_file
+}:file ioctl {
+ F2FS_IOC_SEC_TRIM_FILE
+ FS_IOC_FIEMAP
+};
+
+typeattribute vold mlstrustedsubject;
+allow vold self:process setfscreate;
+allow vold system_file:file x_file_perms;
+not_full_treble(`allow vold vendor_file:file x_file_perms;')
+allow vold block_device:dir create_dir_perms;
+allow vold device:dir write;
+allow vold devpts:chr_file rw_file_perms;
+allow vold rootfs:dir mounton;
+allow vold { sdcard_type fuse }:dir mounton; # TODO: deprecated in M
+allow vold { sdcard_type fuse }:filesystem { mount remount unmount }; # TODO: deprecated in M
+
+# Manage locations where storage is mounted
+allow vold { mnt_media_rw_file storage_file sdcard_type fuse }:dir create_dir_perms;
+allow vold { mnt_media_rw_file storage_file sdcard_type fuse }:file create_file_perms;
+
+# Access to storage that backs emulated FUSE daemons for migration optimization
+allow vold media_rw_data_file:dir create_dir_perms;
+allow vold media_rw_data_file:file create_file_perms;
+# Allow mounting (lower filesystem) on parts of media for performance
+allow vold media_rw_data_file:dir mounton;
+
+# Allow setting project quota IDs and enabling project ID inheritance on
+# /data/media/$userId/* and /mnt/expand/$volume/media/$userId/*
+allowxperm vold media_rw_data_file:{ dir file } ioctl {
+ FS_IOC_FSGETXATTR
+ FS_IOC_FSSETXATTR
+ FS_IOC_GETFLAGS
+ FS_IOC_SETFLAGS
+};
+
+# Allow mounting of storage devices
+allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr };
+
+# Manage per-user primary symlinks
+allow vold mnt_user_file:dir { create_dir_perms mounton };
+allow vold mnt_user_file:lnk_file create_file_perms;
+allow vold mnt_user_file:file create_file_perms;
+
+# Manage per-user pass_through primary symlinks
+allow vold mnt_pass_through_file:dir { create_dir_perms mounton };
+allow vold mnt_pass_through_file:lnk_file create_file_perms;
+
+# Allow to create and mount expanded storage
+allow vold mnt_expand_file:dir { create_dir_perms mounton };
+allow vold apk_data_file:dir { create getattr setattr };
+allow vold shell_data_file:dir { create getattr setattr };
+allow vold system_userdir_file:dir { create getattr setattr };
+allow vold media_userdir_file:dir { create getattr setattr open read ioctl };
+# Needed to set the casefold flag on /mnt/expand/$volume/media
+allowxperm vold media_userdir_file:dir ioctl { FS_IOC_GETFLAGS FS_IOC_SETFLAGS };
+
+# Allow to mount incremental file system on /data/incremental and create files
+allow vold apk_data_file:dir { mounton rw_dir_perms };
+# Allow to create and write files in /data/incremental
+allow vold apk_data_file:file { rw_file_perms unlink };
+# Allow to bind-mount incremental file system on /data/app/vmdl*.tmp and read files
+allow vold apk_tmp_file:dir { mounton r_dir_perms };
+# Allow to read incremental control file and call selinux restorecon on it
+allow vold incremental_control_file:file { r_file_perms relabelto };
+
+allow vold tmpfs:filesystem { mount unmount };
+allow vold tmpfs:dir create_dir_perms;
+allow vold tmpfs:dir mounton;
+allow vold self:global_capability_class_set { net_admin dac_override dac_read_search mknod sys_admin chown fowner fsetid };
+allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
+allow vold loop_control_device:chr_file rw_file_perms;
+allow vold loop_device:blk_file { create setattr unlink rw_file_perms };
+allowxperm vold loop_device:blk_file ioctl {
+ LOOP_CLR_FD
+ LOOP_CTL_GET_FREE
+ LOOP_GET_STATUS64
+ LOOP_SET_FD
+ LOOP_SET_STATUS64
+};
+allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
+allowxperm vold vold_device:blk_file ioctl { BLKDISCARD BLKGETSIZE };
+allow vold dm_device:chr_file rw_file_perms;
+allow vold dm_device:blk_file rw_file_perms;
+allowxperm vold dm_device:blk_file ioctl { BLKDISCARD BLKSECDISCARD BLKREPORTZONE BLKRESETZONE };
+# For vold Process::killProcessesWithOpenFiles function.
+allow vold domain:dir r_dir_perms;
+allow vold domain:{ file lnk_file } r_file_perms;
+allow vold domain:process { signal sigkill };
+allow vold self:global_capability_class_set { sys_ptrace kill };
+
+allow vold kmsg_device:chr_file rw_file_perms;
+
+# Run fsck in the fsck domain.
+allow vold fsck_exec:file { r_file_perms execute };
+
+# Log fsck results
+allow vold fscklogs:dir rw_dir_perms;
+allow vold fscklogs:file create_file_perms;
+
+# Mount and unmount filesystems.
+allow vold labeledfs:filesystem { mount unmount remount };
+
+# Create and mount on /data/tmp_mnt and management of expansion mounts
+#
+# Also rename per-user encrypted directories such as /data/user/10 from their
+# temporary name ("10.new") to their final name ("10").
+allow vold {
+ system_data_file
+ system_data_root_file
+}:dir { create_dir_perms mounton };
+allow vold system_data_file:lnk_file getattr;
+
+# Vold create users in /data/vendor_{ce,de}/[0-9]+
+allow vold vendor_data_file:dir create_dir_perms;
+
+# for secdiscard
+allow vold system_data_file:file read;
+
+# Set scheduling policy of kernel processes
+allow vold kernel:process setsched;
+
+# ASEC
+allow vold asec_image_file:file create_file_perms;
+allow vold asec_image_file:dir rw_dir_perms;
+allow vold asec_apk_file:dir { create_dir_perms mounton relabelfrom relabelto };
+allow vold asec_public_file:dir { relabelto setattr };
+allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto };
+allow vold asec_public_file:file { relabelto setattr };
+# restorecon files in asec containers created on 4.2 or earlier.
+allow vold unlabeled:dir { r_dir_perms setattr relabelfrom };
+allow vold unlabeled:file { r_file_perms setattr relabelfrom };
+
+# Access to FUSE control filesystem to hard-abort FUSE mounts
+allow vold fusectlfs:file rw_file_perms;
+allow vold fusectlfs:dir rw_dir_perms;
+
+# Allow vold to use wake locks. Needed for idle maintenance and moving storage.
+wakelock_use(vold)
+
+# Allow vold to publish a binder service and make binder calls.
+binder_use(vold)
+add_service(vold, vold_service)
+
+# Allow vold to call into the system server so it can check permissions.
+binder_call(vold, system_server)
+allow vold permission_service:service_manager find;
+
+# talk to health storage HAL
+hal_client_domain(vold, hal_health_storage)
+
+# talk to bootloader HAL
+full_treble_only(`hal_client_domain(vold, hal_bootctl)')
+
+# Access userdata block device.
+allow vold userdata_block_device:blk_file rw_file_perms;
+allowxperm vold userdata_block_device:blk_file ioctl BLKSECDISCARD;
+
+# Access zoned block device.
+allow vold zoned_block_device:blk_file rw_file_perms;
+
+# Access metadata block device used for encryption meta-data.
+allow vold metadata_block_device:blk_file rw_file_perms;
+allowxperm vold metadata_block_device:blk_file ioctl BLKSECDISCARD;
+
+# Allow vold to manipulate /data/unencrypted
+allow vold unencrypted_data_file:{ file } create_file_perms;
+allow vold unencrypted_data_file:dir create_dir_perms;
+
+# Write to /proc/sys/vm/drop_caches
+allow vold proc_drop_caches:file w_file_perms;
+
+# Give vold a place where only vold can store files; everyone else is off limits
+allow vold vold_data_file:dir create_dir_perms;
+allow vold vold_data_file:file create_file_perms;
+
+# And a similar place in the metadata partition
+allow vold vold_metadata_file:dir create_dir_perms;
+allow vold vold_metadata_file:file create_file_perms;
+
+# linux keyring configuration
+allow vold init:key { write search setattr };
+allow vold vold:key { write search setattr };
+
+# vold temporarily changes its priority when running benchmarks
+allow vold self:global_capability_class_set sys_nice;
+
+# vold needs to chroot into app namespaces to remount when runtime permissions change
+allow vold self:global_capability_class_set sys_chroot;
+allow vold storage_file:dir mounton;
+
+# For AppFuse.
+allow vold fuse_device:chr_file rw_file_perms;
+allow vold fuse:filesystem { relabelfrom };
+allow vold app_fusefs:filesystem { relabelfrom relabelto };
+allow vold app_fusefs:filesystem { mount unmount };
+allow vold app_fuse_file:dir rw_dir_perms;
+allow vold app_fuse_file:file { read write open getattr append };
+
+# MoveStorage.cpp executes cp and rm
+allow vold toolbox_exec:file rx_file_perms;
+
+# Prepare profile dir for users.
+allow vold { user_profile_data_file user_profile_root_file }:dir create_dir_perms;
+
+# Raw writes to misc block device
+allow vold misc_block_device:blk_file w_file_perms;
+
+# vold might need to search or mount /mnt/vendor/*
+allow vold mnt_vendor_file:dir search;
+
+dontaudit vold self:global_capability_class_set sys_resource;
+
+# Allow ReadDefaultFstab().
+read_fstab(vold)
+
+# vold might need to search loopback apex files
+allow vold vendor_apex_file:file r_file_perms;
+
+###
+### Neverallow rules
+###
+
+neverallow {
+ domain
+ -system_server
+ -vdc
+ -vold
+ -update_verifier
+ -apexd
+ -gsid
+} vold_service:service_manager find;
+
# Only vold should create (and delete) per-user directories like
# /data/user/$userId. This is very important, as these directories need to be
# encrypted with per-user keys, which only vold can do. Encryption can only be
@@ -99,3 +379,78 @@
remove_name
write
};
+
+# Only vold and init should ever set file-based encryption policies.
+neverallowxperm {
+ domain
+ -vold
+ -init
+ -vendor_init
+} data_file_type:dir ioctl { FS_IOC_SET_ENCRYPTION_POLICY };
+
+# Only vold should ever add/remove file-based encryption keys.
+neverallowxperm {
+ domain
+ -vold
+} data_file_type:dir ioctl { FS_IOC_ADD_ENCRYPTION_KEY FS_IOC_REMOVE_ENCRYPTION_KEY FS_IOC_GET_ENCRYPTION_KEY_STATUS };
+
+neverallow {
+ domain
+ -vold
+ -vold_prepare_subdirs
+} vold_data_file:dir ~{ open create read getattr setattr search relabelfrom relabelto ioctl };
+
+neverallow {
+ domain
+ -init
+ -vold
+ -vold_prepare_subdirs
+} vold_data_file:dir *;
+
+neverallow {
+ domain
+ -init
+ -vold
+} vold_metadata_file:dir *;
+
+neverallow {
+ domain
+ -kernel
+ -vold
+ -vold_prepare_subdirs
+} vold_data_file:notdevfile_class_set ~{ relabelto getattr };
+
+neverallow {
+ domain
+ -init
+ -vold
+ -vold_prepare_subdirs
+} vold_metadata_file:notdevfile_class_set ~{ relabelto getattr };
+
+neverallow {
+ domain
+ -init
+ -kernel
+ -vold
+ -vold_prepare_subdirs
+} { vold_data_file vold_metadata_file }:notdevfile_class_set *;
+
+neverallow { domain -vold -init } restorecon_prop:property_service set;
+
+neverallow vold {
+ domain
+ -hal_health_storage_server
+ -hal_keymaster_server
+ -system_suspend_server
+ -hal_bootctl_server
+ -hwservicemanager
+ -keystore
+ -servicemanager
+ -system_server
+ userdebug_or_eng(`-su')
+}:binder call;
+
+neverallow vold fsck_exec:file execute_no_trans;
+neverallow { domain -init } vold:process { transition dyntransition };
+neverallow vold *:process ptrace;
+neverallow vold *:rawip_socket *;