Blame - private/vold.te - android_system_sepolicy

blob: 4da11da06b54387f5691fa690580fb96798ed664 [file] [log] [blame]

Alex Klyubin	f5446eb	2017-03-23 14:27:32 -0700	[diff] [blame]	1	typeattribute vold coredomain;
				2
dcashman	cc39f63	2016-07-22 13:13:11 -0700	[diff] [blame]	3	init_daemon_domain(vold)
				4
				5	# Switch to more restrictive domains when executing common tools
				6	domain_auto_trans(vold, sgdisk_exec, sgdisk);
				7	domain_auto_trans(vold, sdcardd_exec, sdcardd);
Alfred Piccioni	30ae427	2023-01-17 18:22:34 +0100	[diff] [blame]	8	domain_auto_trans(vold, fuseblkd_untrusted_exec, fuseblkd_untrusted);
dcashman	cc39f63	2016-07-22 13:13:11 -0700	[diff] [blame]	9
Kelvin Zhang	2b41362	2023-06-26 14:52:27 -0700	[diff] [blame]	10	# Switch to e2fs domain when running mkfs.ext4 to format a partition
				11	domain_auto_trans(vold, e2fs_exec, e2fs);
				12
				13
dcashman	cc39f63	2016-07-22 13:13:11 -0700	[diff] [blame]	14	# For a handful of probing tools, we choose an even more restrictive
				15	# domain when working with untrusted block devices
Paul Crowley	f9f7539	2018-11-30 15:58:26 -0800	[diff] [blame]	16	domain_trans(vold, blkid_exec, blkid);
				17	domain_trans(vold, blkid_exec, blkid_untrusted);
dcashman	cc39f63	2016-07-22 13:13:11 -0700	[diff] [blame]	18	domain_trans(vold, fsck_exec, fsck);
				19	domain_trans(vold, fsck_exec, fsck_untrusted);
				20
				21	# Newly created storage dirs are always treated as mount stubs to prevent us
				22	# from accidentally writing when the mount point isn't present.
				23	type_transition vold storage_file:dir storage_stub_file;
				24	type_transition vold mnt_media_rw_file:dir mnt_media_rw_stub_file;
Inseob Kim	55e5c9b	2020-03-04 17:20:35 +0900	[diff] [blame]	25
				26	# Property Service
Inseob Kim	3f5a7d2	2020-04-06 20:49:17 +0900	[diff] [blame]	27	get_prop(vold, vold_config_prop)
Martijn Coenen	01234d3	2020-04-10 14:11:49 +0200	[diff] [blame]	28	get_prop(vold, storage_config_prop);
Songchun Fan	9fdcbcd	2020-04-28 13:24:54 -0700	[diff] [blame]	29	get_prop(vold, incremental_prop);
Howard Chen	8720492	2021-09-16 09:55:50 +0800	[diff] [blame]	30	get_prop(vold, gsid_prop);
Inseob Kim	3f5a7d2	2020-04-06 20:49:17 +0900	[diff] [blame]	31
Inseob Kim	55e5c9b	2020-03-04 17:20:35 +0900	[diff] [blame]	32	set_prop(vold, vold_prop)
Inseob Kim	3f5a7d2	2020-04-06 20:49:17 +0900	[diff] [blame]	33	set_prop(vold, vold_status_prop)
Inseob Kim	55e5c9b	2020-03-04 17:20:35 +0900	[diff] [blame]	34	set_prop(vold, powerctl_prop)
				35	set_prop(vold, ctl_fuse_prop)
				36	set_prop(vold, restorecon_prop)
				37	set_prop(vold, ota_prop)
				38	set_prop(vold, boottime_prop)
Inseob Kim	42c7d89	2020-03-04 17:20:35 +0900	[diff] [blame]	39	set_prop(vold, boottime_public_prop)
Janis Danisevskis	32d7738	2020-07-31 22:22:49 -0700	[diff] [blame]	40
				41	# Vold will use Keystore instead of using Keymint directly. But it still needs
				42	# to manage its Keymint blobs. This is why it needs the `manage_blob` permission.
				43	allow vold vold_key:keystore2_key {
Satya Tangirala	0653374	2021-03-08 09:48:42 -0800	[diff] [blame]	44	convert_storage_key_to_ephemeral
Janis Danisevskis	32d7738	2020-07-31 22:22:49 -0700	[diff] [blame]	45	delete
				46	get_info
Janis Danisevskis	32d7738	2020-07-31 22:22:49 -0700	[diff] [blame]	47	manage_blob
				48	rebind
				49	req_forced_op
				50	update
				51	use
				52	};
Xin Li	11da9e6	2020-08-29 01:45:24 -0700	[diff] [blame]	53
Satya Tangirala	a999004	2021-03-01 02:53:46 -0800	[diff] [blame]	54	# vold needs to call keystore methods
				55	allow vold keystore:binder call;
				56
Satya Tangirala	5ef8686	2021-03-11 03:57:03 -0800	[diff] [blame]	57	# vold needs to find keystore2 services
Satya Tangirala	a999004	2021-03-01 02:53:46 -0800	[diff] [blame]	58	allow vold keystore_service:service_manager find;
Satya Tangirala	5ef8686	2021-03-11 03:57:03 -0800	[diff] [blame]	59	allow vold keystore_maintenance_service:service_manager find;
				60
Paul Crowley	bf29c3a	2021-08-06 15:11:53 -0700	[diff] [blame]	61	# vold needs to be able to call earlyBootEnded() and deleteAllKeys()
Satya Tangirala	5ef8686	2021-03-11 03:57:03 -0800	[diff] [blame]	62	allow vold keystore:keystore2 early_boot_ended;
Paul Crowley	bf29c3a	2021-08-06 15:11:53 -0700	[diff] [blame]	63	allow vold keystore:keystore2 delete_all_keys;
Satya Tangirala	5ef8686	2021-03-11 03:57:03 -0800	[diff] [blame]	64
Eric Biggers	9a59923	2022-05-04 22:18:02 +0000	[diff] [blame]	65	# Allow vold to create and delete per-user directories like /data/user/$userId.
				66	allow vold {
				67	media_userdir_file
				68	system_userdir_file
				69	vendor_userdir_file
				70	}:dir {
				71	add_name
				72	remove_name
				73	write
				74	};
				75
Inseob Kim	75806ef	2024-03-27 17:18:41 +0900	[diff] [blame]	76	# Read already opened /cache files.
				77	allow vold cache_file:dir r_dir_perms;
				78	allow vold cache_file:file { getattr read };
				79	allow vold cache_file:lnk_file r_file_perms;
				80
				81	r_dir_file(vold, { sysfs_type -sysfs_batteryinfo })
				82	# XXX Label sysfs files with a specific type?
				83	allow vold {
				84	sysfs # writing to /sys/*/uevent during coldboot.
				85	sysfs_devices_block
				86	sysfs_dm
				87	sysfs_loop # writing to /sys/block/loop*/uevent during coldboot.
				88	sysfs_usb
				89	sysfs_zram_uevent
				90	sysfs_fs_f2fs
				91	}:file w_file_perms;
				92
				93	r_dir_file(vold, rootfs)
				94	r_dir_file(vold, metadata_file)
				95	allow vold {
				96	proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
				97	proc_bootconfig
				98	proc_cmdline
				99	proc_drop_caches
				100	proc_filesystems
				101	proc_meminfo
				102	proc_mounts
				103	}:file r_file_perms;
				104
				105	#Get file contexts
				106	allow vold file_contexts_file:file r_file_perms;
				107
				108	# Allow us to jump into execution domains of above tools
				109	allow vold self:process setexec;
				110
				111	# For formatting adoptable storage devices
				112	allow vold e2fs_exec:file rx_file_perms;
				113
				114	# Run fstrim on mounted partitions
				115	# allowxperm still requires the ioctl permission for the individual type
				116	allowxperm vold { fs_type file_type }:dir ioctl FITRIM;
				117
				118	# Get/set file-based encryption policies on dirs in /data and adoptable storage,
				119	# and add/remove file-based encryption keys.
				120	allowxperm vold data_file_type:dir ioctl {
				121	FS_IOC_GET_ENCRYPTION_POLICY
				122	FS_IOC_SET_ENCRYPTION_POLICY
				123	FS_IOC_ADD_ENCRYPTION_KEY
				124	FS_IOC_REMOVE_ENCRYPTION_KEY
				125	FS_IOC_GET_ENCRYPTION_KEY_STATUS
				126	};
				127
				128	# Allow securely erasing crypto key files. F2FS_IOC_SEC_TRIM_FILE is
				129	# tried first. Otherwise, FS_IOC_FIEMAP is needed to get the
				130	# location of the file's blocks on the raw block device to erase.
				131	allowxperm vold {
				132	vold_data_file
				133	vold_metadata_file
				134	}:file ioctl {
				135	F2FS_IOC_SEC_TRIM_FILE
				136	FS_IOC_FIEMAP
				137	};
				138
				139	typeattribute vold mlstrustedsubject;
				140	allow vold self:process setfscreate;
				141	allow vold system_file:file x_file_perms;
				142	not_full_treble(`allow vold vendor_file:file x_file_perms;')
				143	allow vold block_device:dir create_dir_perms;
				144	allow vold device:dir write;
				145	allow vold devpts:chr_file rw_file_perms;
				146	allow vold rootfs:dir mounton;
				147	allow vold { sdcard_type fuse }:dir mounton; # TODO: deprecated in M
				148	allow vold { sdcard_type fuse }:filesystem { mount remount unmount }; # TODO: deprecated in M
				149
				150	# Manage locations where storage is mounted
				151	allow vold { mnt_media_rw_file storage_file sdcard_type fuse }:dir create_dir_perms;
				152	allow vold { mnt_media_rw_file storage_file sdcard_type fuse }:file create_file_perms;
				153
				154	# Access to storage that backs emulated FUSE daemons for migration optimization
				155	allow vold media_rw_data_file:dir create_dir_perms;
				156	allow vold media_rw_data_file:file create_file_perms;
				157	# Allow mounting (lower filesystem) on parts of media for performance
				158	allow vold media_rw_data_file:dir mounton;
				159
				160	# Allow setting project quota IDs and enabling project ID inheritance on
				161	# /data/media/$userId/* and /mnt/expand/$volume/media/$userId/*
				162	allowxperm vold media_rw_data_file:{ dir file } ioctl {
				163	FS_IOC_FSGETXATTR
				164	FS_IOC_FSSETXATTR
				165	FS_IOC_GETFLAGS
				166	FS_IOC_SETFLAGS
				167	};
				168
				169	# Allow mounting of storage devices
				170	allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr };
				171
				172	# Manage per-user primary symlinks
				173	allow vold mnt_user_file:dir { create_dir_perms mounton };
				174	allow vold mnt_user_file:lnk_file create_file_perms;
				175	allow vold mnt_user_file:file create_file_perms;
				176
				177	# Manage per-user pass_through primary symlinks
				178	allow vold mnt_pass_through_file:dir { create_dir_perms mounton };
				179	allow vold mnt_pass_through_file:lnk_file create_file_perms;
				180
				181	# Allow to create and mount expanded storage
				182	allow vold mnt_expand_file:dir { create_dir_perms mounton };
				183	allow vold apk_data_file:dir { create getattr setattr };
				184	allow vold shell_data_file:dir { create getattr setattr };
				185	allow vold system_userdir_file:dir { create getattr setattr };
				186	allow vold media_userdir_file:dir { create getattr setattr open read ioctl };
				187	# Needed to set the casefold flag on /mnt/expand/$volume/media
				188	allowxperm vold media_userdir_file:dir ioctl { FS_IOC_GETFLAGS FS_IOC_SETFLAGS };
				189
				190	# Allow to mount incremental file system on /data/incremental and create files
				191	allow vold apk_data_file:dir { mounton rw_dir_perms };
				192	# Allow to create and write files in /data/incremental
				193	allow vold apk_data_file:file { rw_file_perms unlink };
				194	# Allow to bind-mount incremental file system on /data/app/vmdl*.tmp and read files
				195	allow vold apk_tmp_file:dir { mounton r_dir_perms };
				196	# Allow to read incremental control file and call selinux restorecon on it
				197	allow vold incremental_control_file:file { r_file_perms relabelto };
				198
				199	allow vold tmpfs:filesystem { mount unmount };
				200	allow vold tmpfs:dir create_dir_perms;
				201	allow vold tmpfs:dir mounton;
				202	allow vold self:global_capability_class_set { net_admin dac_override dac_read_search mknod sys_admin chown fowner fsetid };
				203	allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
				204	allow vold loop_control_device:chr_file rw_file_perms;
				205	allow vold loop_device:blk_file { create setattr unlink rw_file_perms };
				206	allowxperm vold loop_device:blk_file ioctl {
				207	LOOP_CLR_FD
				208	LOOP_CTL_GET_FREE
				209	LOOP_GET_STATUS64
				210	LOOP_SET_FD
				211	LOOP_SET_STATUS64
				212	};
				213	allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
				214	allowxperm vold vold_device:blk_file ioctl { BLKDISCARD BLKGETSIZE };
				215	allow vold dm_device:chr_file rw_file_perms;
				216	allow vold dm_device:blk_file rw_file_perms;
				217	allowxperm vold dm_device:blk_file ioctl { BLKDISCARD BLKSECDISCARD BLKREPORTZONE BLKRESETZONE };
				218	# For vold Process::killProcessesWithOpenFiles function.
				219	allow vold domain:dir r_dir_perms;
				220	allow vold domain:{ file lnk_file } r_file_perms;
				221	allow vold domain:process { signal sigkill };
				222	allow vold self:global_capability_class_set { sys_ptrace kill };
				223
				224	allow vold kmsg_device:chr_file rw_file_perms;
				225
				226	# Run fsck in the fsck domain.
				227	allow vold fsck_exec:file { r_file_perms execute };
				228
				229	# Log fsck results
				230	allow vold fscklogs:dir rw_dir_perms;
				231	allow vold fscklogs:file create_file_perms;
				232
				233	# Mount and unmount filesystems.
				234	allow vold labeledfs:filesystem { mount unmount remount };
				235
				236	# Create and mount on /data/tmp_mnt and management of expansion mounts
				237	#
				238	# Also rename per-user encrypted directories such as /data/user/10 from their
				239	# temporary name ("10.new") to their final name ("10").
				240	allow vold {
				241	system_data_file
				242	system_data_root_file
				243	}:dir { create_dir_perms mounton };
				244	allow vold system_data_file:lnk_file getattr;
				245
				246	# Vold create users in /data/vendor_{ce,de}/[0-9]+
				247	allow vold vendor_data_file:dir create_dir_perms;
				248
				249	# for secdiscard
				250	allow vold system_data_file:file read;
				251
				252	# Set scheduling policy of kernel processes
				253	allow vold kernel:process setsched;
				254
				255	# ASEC
				256	allow vold asec_image_file:file create_file_perms;
				257	allow vold asec_image_file:dir rw_dir_perms;
				258	allow vold asec_apk_file:dir { create_dir_perms mounton relabelfrom relabelto };
				259	allow vold asec_public_file:dir { relabelto setattr };
				260	allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto };
				261	allow vold asec_public_file:file { relabelto setattr };
				262	# restorecon files in asec containers created on 4.2 or earlier.
				263	allow vold unlabeled:dir { r_dir_perms setattr relabelfrom };
				264	allow vold unlabeled:file { r_file_perms setattr relabelfrom };
				265
				266	# Access to FUSE control filesystem to hard-abort FUSE mounts
				267	allow vold fusectlfs:file rw_file_perms;
				268	allow vold fusectlfs:dir rw_dir_perms;
				269
				270	# Allow vold to use wake locks. Needed for idle maintenance and moving storage.
				271	wakelock_use(vold)
				272
				273	# Allow vold to publish a binder service and make binder calls.
				274	binder_use(vold)
				275	add_service(vold, vold_service)
				276
				277	# Allow vold to call into the system server so it can check permissions.
				278	binder_call(vold, system_server)
				279	allow vold permission_service:service_manager find;
				280
				281	# talk to health storage HAL
				282	hal_client_domain(vold, hal_health_storage)
				283
				284	# talk to bootloader HAL
				285	full_treble_only(`hal_client_domain(vold, hal_bootctl)')
				286
				287	# Access userdata block device.
				288	allow vold userdata_block_device:blk_file rw_file_perms;
				289	allowxperm vold userdata_block_device:blk_file ioctl BLKSECDISCARD;
				290
				291	# Access zoned block device.
				292	allow vold zoned_block_device:blk_file rw_file_perms;
				293
				294	# Access metadata block device used for encryption meta-data.
				295	allow vold metadata_block_device:blk_file rw_file_perms;
				296	allowxperm vold metadata_block_device:blk_file ioctl BLKSECDISCARD;
				297
				298	# Allow vold to manipulate /data/unencrypted
				299	allow vold unencrypted_data_file:{ file } create_file_perms;
				300	allow vold unencrypted_data_file:dir create_dir_perms;
				301
				302	# Write to /proc/sys/vm/drop_caches
				303	allow vold proc_drop_caches:file w_file_perms;
				304
				305	# Give vold a place where only vold can store files; everyone else is off limits
				306	allow vold vold_data_file:dir create_dir_perms;
				307	allow vold vold_data_file:file create_file_perms;
				308
				309	# And a similar place in the metadata partition
				310	allow vold vold_metadata_file:dir create_dir_perms;
				311	allow vold vold_metadata_file:file create_file_perms;
				312
				313	# linux keyring configuration
				314	allow vold init:key { write search setattr };
				315	allow vold vold:key { write search setattr };
				316
				317	# vold temporarily changes its priority when running benchmarks
				318	allow vold self:global_capability_class_set sys_nice;
				319
				320	# vold needs to chroot into app namespaces to remount when runtime permissions change
				321	allow vold self:global_capability_class_set sys_chroot;
				322	allow vold storage_file:dir mounton;
				323
				324	# For AppFuse.
				325	allow vold fuse_device:chr_file rw_file_perms;
				326	allow vold fuse:filesystem { relabelfrom };
				327	allow vold app_fusefs:filesystem { relabelfrom relabelto };
				328	allow vold app_fusefs:filesystem { mount unmount };
				329	allow vold app_fuse_file:dir rw_dir_perms;
				330	allow vold app_fuse_file:file { read write open getattr append };
				331
				332	# MoveStorage.cpp executes cp and rm
				333	allow vold toolbox_exec:file rx_file_perms;
				334
				335	# Prepare profile dir for users.
				336	allow vold { user_profile_data_file user_profile_root_file }:dir create_dir_perms;
				337
				338	# Raw writes to misc block device
				339	allow vold misc_block_device:blk_file w_file_perms;
				340
				341	# vold might need to search or mount /mnt/vendor/*
				342	allow vold mnt_vendor_file:dir search;
				343
				344	dontaudit vold self:global_capability_class_set sys_resource;
				345
				346	# Allow ReadDefaultFstab().
				347	read_fstab(vold)
				348
				349	# vold might need to search loopback apex files
				350	allow vold vendor_apex_file:file r_file_perms;
				351
				352	###
				353	### Neverallow rules
				354	###
				355
				356	neverallow {
				357	domain
				358	-system_server
				359	-vdc
				360	-vold
				361	-update_verifier
				362	-apexd
				363	-gsid
				364	} vold_service:service_manager find;
				365
Eric Biggers	9a59923	2022-05-04 22:18:02 +0000	[diff] [blame]	366	# Only vold should create (and delete) per-user directories like
				367	# /data/user/$userId. This is very important, as these directories need to be
				368	# encrypted with per-user keys, which only vold can do. Encryption can only be
				369	# set up on empty directories, so creation and encryption must happen together.
Eric Biggers	9a59923	2022-05-04 22:18:02 +0000	[diff] [blame]	370	neverallow {
				371	domain
				372	-vold
				373	} {
Eric Biggers	9a59923	2022-05-04 22:18:02 +0000	[diff] [blame]	374	media_userdir_file
Eric Biggers	17369be	2022-05-11 05:33:07 +0000	[diff] [blame]	375	system_userdir_file
				376	vendor_userdir_file
Eric Biggers	9a59923	2022-05-04 22:18:02 +0000	[diff] [blame]	377	}:dir {
				378	add_name
				379	remove_name
				380	write
				381	};
Inseob Kim	75806ef	2024-03-27 17:18:41 +0900	[diff] [blame]	382
				383	# Only vold and init should ever set file-based encryption policies.
				384	neverallowxperm {
				385	domain
				386	-vold
				387	-init
				388	-vendor_init
				389	} data_file_type:dir ioctl { FS_IOC_SET_ENCRYPTION_POLICY };
				390
				391	# Only vold should ever add/remove file-based encryption keys.
				392	neverallowxperm {
				393	domain
				394	-vold
				395	} data_file_type:dir ioctl { FS_IOC_ADD_ENCRYPTION_KEY FS_IOC_REMOVE_ENCRYPTION_KEY FS_IOC_GET_ENCRYPTION_KEY_STATUS };
				396
				397	neverallow {
				398	domain
				399	-vold
				400	-vold_prepare_subdirs
				401	} vold_data_file:dir ~{ open create read getattr setattr search relabelfrom relabelto ioctl };
				402
				403	neverallow {
				404	domain
				405	-init
				406	-vold
				407	-vold_prepare_subdirs
				408	} vold_data_file:dir *;
				409
				410	neverallow {
				411	domain
				412	-init
				413	-vold
				414	} vold_metadata_file:dir *;
				415
				416	neverallow {
				417	domain
				418	-kernel
				419	-vold
				420	-vold_prepare_subdirs
				421	} vold_data_file:notdevfile_class_set ~{ relabelto getattr };
				422
				423	neverallow {
				424	domain
				425	-init
				426	-vold
				427	-vold_prepare_subdirs
				428	} vold_metadata_file:notdevfile_class_set ~{ relabelto getattr };
				429
				430	neverallow {
				431	domain
				432	-init
				433	-kernel
				434	-vold
				435	-vold_prepare_subdirs
				436	} { vold_data_file vold_metadata_file }:notdevfile_class_set *;
				437
				438	neverallow { domain -vold -init } restorecon_prop:property_service set;
				439
				440	neverallow vold {
				441	domain
				442	-hal_health_storage_server
				443	-hal_keymaster_server
				444	-system_suspend_server
				445	-hal_bootctl_server
				446	-hwservicemanager
				447	-keystore
				448	-servicemanager
				449	-system_server
				450	userdebug_or_eng(`-su')
				451	}:binder call;
				452
				453	neverallow vold fsck_exec:file execute_no_trans;
				454	neverallow { domain -init } vold:process { transition dyntransition };
				455	neverallow vold *:process ptrace;
				456	neverallow vold :rawip_socket ;