Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 27b515e70a5f26b15cf9077328eff6bee74b01c7 / . / private / vold.te
blob: 7716bd1c4ce84f3d4b4ad936499af6ab47d12d6d [file] [log] [blame]
Alex Klyubinf5446eb2017-03-23 14:27:32 -0700[diff] [blame]1typeattribute vold coredomain;
2
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]3init_daemon_domain(vold)
4
5# Switch to more restrictive domains when executing common tools
6domain_auto_trans(vold, sgdisk_exec, sgdisk);
7domain_auto_trans(vold, sdcardd_exec, sdcardd);
Alfred Piccioni30ae4272023-01-17 18:22:34 +0100[diff] [blame]8domain_auto_trans(vold, fuseblkd_untrusted_exec, fuseblkd_untrusted);
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]9
Kelvin Zhang2b413622023-06-26 14:52:27 -0700[diff] [blame]10# Switch to e2fs domain when running mkfs.ext4 to format a partition
11domain_auto_trans(vold, e2fs_exec, e2fs);
12
13
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]14# For a handful of probing tools, we choose an even more restrictive
15# domain when working with untrusted block devices
Paul Crowleyf9f75392018-11-30 15:58:26 -0800[diff] [blame]16domain_trans(vold, blkid_exec, blkid);
17domain_trans(vold, blkid_exec, blkid_untrusted);
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]18domain_trans(vold, fsck_exec, fsck);
19domain_trans(vold, fsck_exec, fsck_untrusted);
20
21# Newly created storage dirs are always treated as mount stubs to prevent us
22# from accidentally writing when the mount point isn't present.
23type_transition vold storage_file:dir storage_stub_file;
24type_transition vold mnt_media_rw_file:dir mnt_media_rw_stub_file;
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]25
26# Property Service
Inseob Kim3f5a7d22020-04-06 20:49:17 +0900[diff] [blame]27get_prop(vold, vold_config_prop)
Martijn Coenen01234d32020-04-10 14:11:49 +0200[diff] [blame]28get_prop(vold, storage_config_prop);
Songchun Fan9fdcbcd2020-04-28 13:24:54 -0700[diff] [blame]29get_prop(vold, incremental_prop);
Howard Chen87204922021-09-16 09:55:50 +0800[diff] [blame]30get_prop(vold, gsid_prop);
Inseob Kim3f5a7d22020-04-06 20:49:17 +0900[diff] [blame]31
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]32set_prop(vold, vold_prop)
Inseob Kim3f5a7d22020-04-06 20:49:17 +0900[diff] [blame]33set_prop(vold, vold_status_prop)
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]34set_prop(vold, powerctl_prop)
35set_prop(vold, ctl_fuse_prop)
36set_prop(vold, restorecon_prop)
37set_prop(vold, ota_prop)
38set_prop(vold, boottime_prop)
Inseob Kim42c7d892020-03-04 17:20:35 +0900[diff] [blame]39set_prop(vold, boottime_public_prop)
Janis Danisevskis32d77382020-07-31 22:22:49 -0700[diff] [blame]40
41# Vold will use Keystore instead of using Keymint directly. But it still needs
42# to manage its Keymint blobs. This is why it needs the `manage_blob` permission.
43allow vold vold_key:keystore2_key {
Satya Tangirala06533742021-03-08 09:48:42 -0800[diff] [blame]44 convert_storage_key_to_ephemeral
Janis Danisevskis32d77382020-07-31 22:22:49 -0700[diff] [blame]45 delete
46 get_info
Janis Danisevskis32d77382020-07-31 22:22:49 -0700[diff] [blame]47 manage_blob
48 rebind
49 req_forced_op
50 update
51 use
52};
Xin Li11da9e62020-08-29 01:45:24 -0700[diff] [blame]53
Satya Tangiralaa9990042021-03-01 02:53:46 -0800[diff] [blame]54# vold needs to call keystore methods
55allow vold keystore:binder call;
56
Satya Tangirala5ef86862021-03-11 03:57:03 -0800[diff] [blame]57# vold needs to find keystore2 services
Satya Tangiralaa9990042021-03-01 02:53:46 -0800[diff] [blame]58allow vold keystore_service:service_manager find;
Satya Tangirala5ef86862021-03-11 03:57:03 -0800[diff] [blame]59allow vold keystore_maintenance_service:service_manager find;
60
Paul Crowleybf29c3a2021-08-06 15:11:53 -0700[diff] [blame]61# vold needs to be able to call earlyBootEnded() and deleteAllKeys()
Satya Tangirala5ef86862021-03-11 03:57:03 -0800[diff] [blame]62allow vold keystore:keystore2 early_boot_ended;
Paul Crowleybf29c3a2021-08-06 15:11:53 -0700[diff] [blame]63allow vold keystore:keystore2 delete_all_keys;
Satya Tangirala5ef86862021-03-11 03:57:03 -0800[diff] [blame]64
Ellen Arteca27b515e2024-04-30 20:26:55 +0000[diff] [blame^]65is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
66 # Allow vold to encrypt storage area directories on behalf of apps.
67 allow vold {
68 storage_area_dir
69 storage_area_app_dir
70 }:dir {
71 getattr
72 ioctl # for FS_IOC_SET_ENCRYPTION_POLICY
73 open
74 read # for open(O_RDONLY) for ioctl
75 search
76 };
77')
78
79# when a storage area is created (with `openStorageArea`), vold creates the key
80# and when a storage area is deleted (with `deleteStorageArea`), vold deletes the key
81is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
82 allow vold storage_area_key_file:file create_file_perms;
83 allow vold storage_area_key_file:dir create_dir_perms;
84')
85
Eric Biggers9a599232022-05-04 22:18:02 +0000[diff] [blame]86# Allow vold to create and delete per-user directories like /data/user/$userId.
87allow vold {
88 media_userdir_file
89 system_userdir_file
90 vendor_userdir_file
91}:dir {
92 add_name
93 remove_name
94 write
95};
96
Inseob Kim75806ef2024-03-27 17:18:41 +0900[diff] [blame]97# Read already opened /cache files.
98allow vold cache_file:dir r_dir_perms;
99allow vold cache_file:file { getattr read };
100allow vold cache_file:lnk_file r_file_perms;
101
102r_dir_file(vold, { sysfs_type -sysfs_batteryinfo })
103# XXX Label sysfs files with a specific type?
104allow vold {
105 sysfs # writing to /sys/*/uevent during coldboot.
106 sysfs_devices_block
107 sysfs_dm
108 sysfs_loop # writing to /sys/block/loop*/uevent during coldboot.
109 sysfs_usb
110 sysfs_zram_uevent
111 sysfs_fs_f2fs
112}:file w_file_perms;
113
114r_dir_file(vold, rootfs)
115r_dir_file(vold, metadata_file)
116allow vold {
117 proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
118 proc_bootconfig
119 proc_cmdline
120 proc_drop_caches
121 proc_filesystems
122 proc_meminfo
123 proc_mounts
124}:file r_file_perms;
125
126#Get file contexts
127allow vold file_contexts_file:file r_file_perms;
128
129# Allow us to jump into execution domains of above tools
130allow vold self:process setexec;
131
132# For formatting adoptable storage devices
133allow vold e2fs_exec:file rx_file_perms;
134
135# Run fstrim on mounted partitions
136# allowxperm still requires the ioctl permission for the individual type
137allowxperm vold { fs_type file_type }:dir ioctl FITRIM;
138
139# Get/set file-based encryption policies on dirs in /data and adoptable storage,
140# and add/remove file-based encryption keys.
141allowxperm vold data_file_type:dir ioctl {
142 FS_IOC_GET_ENCRYPTION_POLICY
Ellen Arteca27b515e2024-04-30 20:26:55 +0000[diff] [blame^]143 FS_IOC_GET_ENCRYPTION_POLICY_EX
Inseob Kim75806ef2024-03-27 17:18:41 +0900[diff] [blame]144 FS_IOC_SET_ENCRYPTION_POLICY
145 FS_IOC_ADD_ENCRYPTION_KEY
146 FS_IOC_REMOVE_ENCRYPTION_KEY
147 FS_IOC_GET_ENCRYPTION_KEY_STATUS
148};
149
150# Allow securely erasing crypto key files. F2FS_IOC_SEC_TRIM_FILE is
151# tried first. Otherwise, FS_IOC_FIEMAP is needed to get the
152# location of the file's blocks on the raw block device to erase.
153allowxperm vold {
154 vold_data_file
155 vold_metadata_file
Ellen Arteca27b515e2024-04-30 20:26:55 +0000[diff] [blame^]156 is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_key_file')
Inseob Kim75806ef2024-03-27 17:18:41 +0900[diff] [blame]157}:file ioctl {
158 F2FS_IOC_SEC_TRIM_FILE
159 FS_IOC_FIEMAP
160};
161
162typeattribute vold mlstrustedsubject;
163allow vold self:process setfscreate;
164allow vold system_file:file x_file_perms;
165not_full_treble(`allow vold vendor_file:file x_file_perms;')
166allow vold block_device:dir create_dir_perms;
167allow vold device:dir write;
168allow vold devpts:chr_file rw_file_perms;
169allow vold rootfs:dir mounton;
170allow vold { sdcard_type fuse }:dir mounton; # TODO: deprecated in M
171allow vold { sdcard_type fuse }:filesystem { mount remount unmount }; # TODO: deprecated in M
172
173# Manage locations where storage is mounted
174allow vold { mnt_media_rw_file storage_file sdcard_type fuse }:dir create_dir_perms;
175allow vold { mnt_media_rw_file storage_file sdcard_type fuse }:file create_file_perms;
176
177# Access to storage that backs emulated FUSE daemons for migration optimization
178allow vold media_rw_data_file:dir create_dir_perms;
179allow vold media_rw_data_file:file create_file_perms;
180# Allow mounting (lower filesystem) on parts of media for performance
181allow vold media_rw_data_file:dir mounton;
182
183# Allow setting project quota IDs and enabling project ID inheritance on
184# /data/media/$userId/* and /mnt/expand/$volume/media/$userId/*
185allowxperm vold media_rw_data_file:{ dir file } ioctl {
186 FS_IOC_FSGETXATTR
187 FS_IOC_FSSETXATTR
188 FS_IOC_GETFLAGS
189 FS_IOC_SETFLAGS
190};
191
192# Allow mounting of storage devices
193allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr };
194
195# Manage per-user primary symlinks
196allow vold mnt_user_file:dir { create_dir_perms mounton };
197allow vold mnt_user_file:lnk_file create_file_perms;
198allow vold mnt_user_file:file create_file_perms;
199
200# Manage per-user pass_through primary symlinks
201allow vold mnt_pass_through_file:dir { create_dir_perms mounton };
202allow vold mnt_pass_through_file:lnk_file create_file_perms;
203
204# Allow to create and mount expanded storage
205allow vold mnt_expand_file:dir { create_dir_perms mounton };
206allow vold apk_data_file:dir { create getattr setattr };
207allow vold shell_data_file:dir { create getattr setattr };
208allow vold system_userdir_file:dir { create getattr setattr };
209allow vold media_userdir_file:dir { create getattr setattr open read ioctl };
210# Needed to set the casefold flag on /mnt/expand/$volume/media
211allowxperm vold media_userdir_file:dir ioctl { FS_IOC_GETFLAGS FS_IOC_SETFLAGS };
212
213# Allow to mount incremental file system on /data/incremental and create files
214allow vold apk_data_file:dir { mounton rw_dir_perms };
215# Allow to create and write files in /data/incremental
216allow vold apk_data_file:file { rw_file_perms unlink };
217# Allow to bind-mount incremental file system on /data/app/vmdl*.tmp and read files
218allow vold apk_tmp_file:dir { mounton r_dir_perms };
219# Allow to read incremental control file and call selinux restorecon on it
220allow vold incremental_control_file:file { r_file_perms relabelto };
221
222allow vold tmpfs:filesystem { mount unmount };
223allow vold tmpfs:dir create_dir_perms;
224allow vold tmpfs:dir mounton;
225allow vold self:global_capability_class_set { net_admin dac_override dac_read_search mknod sys_admin chown fowner fsetid };
226allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
227allow vold loop_control_device:chr_file rw_file_perms;
228allow vold loop_device:blk_file { create setattr unlink rw_file_perms };
229allowxperm vold loop_device:blk_file ioctl {
230 LOOP_CLR_FD
231 LOOP_CTL_GET_FREE
232 LOOP_GET_STATUS64
233 LOOP_SET_FD
234 LOOP_SET_STATUS64
235};
236allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
237allowxperm vold vold_device:blk_file ioctl { BLKDISCARD BLKGETSIZE };
238allow vold dm_device:chr_file rw_file_perms;
239allow vold dm_device:blk_file rw_file_perms;
240allowxperm vold dm_device:blk_file ioctl { BLKDISCARD BLKSECDISCARD BLKREPORTZONE BLKRESETZONE };
241# For vold Process::killProcessesWithOpenFiles function.
242allow vold domain:dir r_dir_perms;
243allow vold domain:{ file lnk_file } r_file_perms;
244allow vold domain:process { signal sigkill };
245allow vold self:global_capability_class_set { sys_ptrace kill };
246
247allow vold kmsg_device:chr_file rw_file_perms;
248
249# Run fsck in the fsck domain.
250allow vold fsck_exec:file { r_file_perms execute };
251
252# Log fsck results
253allow vold fscklogs:dir rw_dir_perms;
254allow vold fscklogs:file create_file_perms;
255
256# Mount and unmount filesystems.
257allow vold labeledfs:filesystem { mount unmount remount };
258
259# Create and mount on /data/tmp_mnt and management of expansion mounts
260#
261# Also rename per-user encrypted directories such as /data/user/10 from their
262# temporary name ("10.new") to their final name ("10").
263allow vold {
264 system_data_file
265 system_data_root_file
266}:dir { create_dir_perms mounton };
267allow vold system_data_file:lnk_file getattr;
268
269# Vold create users in /data/vendor_{ce,de}/[0-9]+
270allow vold vendor_data_file:dir create_dir_perms;
271
272# for secdiscard
273allow vold system_data_file:file read;
274
275# Set scheduling policy of kernel processes
276allow vold kernel:process setsched;
277
278# ASEC
279allow vold asec_image_file:file create_file_perms;
280allow vold asec_image_file:dir rw_dir_perms;
281allow vold asec_apk_file:dir { create_dir_perms mounton relabelfrom relabelto };
282allow vold asec_public_file:dir { relabelto setattr };
283allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto };
284allow vold asec_public_file:file { relabelto setattr };
285# restorecon files in asec containers created on 4.2 or earlier.
286allow vold unlabeled:dir { r_dir_perms setattr relabelfrom };
287allow vold unlabeled:file { r_file_perms setattr relabelfrom };
288
289# Access to FUSE control filesystem to hard-abort FUSE mounts
290allow vold fusectlfs:file rw_file_perms;
291allow vold fusectlfs:dir rw_dir_perms;
292
293# Allow vold to use wake locks. Needed for idle maintenance and moving storage.
294wakelock_use(vold)
295
296# Allow vold to publish a binder service and make binder calls.
297binder_use(vold)
298add_service(vold, vold_service)
299
300# Allow vold to call into the system server so it can check permissions.
301binder_call(vold, system_server)
302allow vold permission_service:service_manager find;
303
304# talk to health storage HAL
305hal_client_domain(vold, hal_health_storage)
306
307# talk to bootloader HAL
308full_treble_only(`hal_client_domain(vold, hal_bootctl)')
309
310# Access userdata block device.
311allow vold userdata_block_device:blk_file rw_file_perms;
312allowxperm vold userdata_block_device:blk_file ioctl BLKSECDISCARD;
313
314# Access zoned block device.
315allow vold zoned_block_device:blk_file rw_file_perms;
316
317# Access metadata block device used for encryption meta-data.
318allow vold metadata_block_device:blk_file rw_file_perms;
319allowxperm vold metadata_block_device:blk_file ioctl BLKSECDISCARD;
320
321# Allow vold to manipulate /data/unencrypted
322allow vold unencrypted_data_file:{ file } create_file_perms;
323allow vold unencrypted_data_file:dir create_dir_perms;
324
325# Write to /proc/sys/vm/drop_caches
326allow vold proc_drop_caches:file w_file_perms;
327
328# Give vold a place where only vold can store files; everyone else is off limits
329allow vold vold_data_file:dir create_dir_perms;
330allow vold vold_data_file:file create_file_perms;
331
332# And a similar place in the metadata partition
333allow vold vold_metadata_file:dir create_dir_perms;
334allow vold vold_metadata_file:file create_file_perms;
335
336# linux keyring configuration
337allow vold init:key { write search setattr };
338allow vold vold:key { write search setattr };
339
340# vold temporarily changes its priority when running benchmarks
341allow vold self:global_capability_class_set sys_nice;
342
343# vold needs to chroot into app namespaces to remount when runtime permissions change
344allow vold self:global_capability_class_set sys_chroot;
345allow vold storage_file:dir mounton;
346
347# For AppFuse.
348allow vold fuse_device:chr_file rw_file_perms;
349allow vold fuse:filesystem { relabelfrom };
350allow vold app_fusefs:filesystem { relabelfrom relabelto };
351allow vold app_fusefs:filesystem { mount unmount };
352allow vold app_fuse_file:dir rw_dir_perms;
353allow vold app_fuse_file:file { read write open getattr append };
354
355# MoveStorage.cpp executes cp and rm
356allow vold toolbox_exec:file rx_file_perms;
357
358# Prepare profile dir for users.
359allow vold { user_profile_data_file user_profile_root_file }:dir create_dir_perms;
360
361# Raw writes to misc block device
362allow vold misc_block_device:blk_file w_file_perms;
363
364# vold might need to search or mount /mnt/vendor/*
365allow vold mnt_vendor_file:dir search;
366
367dontaudit vold self:global_capability_class_set sys_resource;
368
369# Allow ReadDefaultFstab().
370read_fstab(vold)
371
372# vold might need to search loopback apex files
373allow vold vendor_apex_file:file r_file_perms;
374
375###
376### Neverallow rules
377###
378
379neverallow {
380 domain
381 -system_server
382 -vdc
383 -vold
384 -update_verifier
385 -apexd
386 -gsid
387} vold_service:service_manager find;
388
Eric Biggers9a599232022-05-04 22:18:02 +0000[diff] [blame]389# Only vold should create (and delete) per-user directories like
390# /data/user/$userId. This is very important, as these directories need to be
391# encrypted with per-user keys, which only vold can do. Encryption can only be
392# set up on empty directories, so creation and encryption must happen together.
Eric Biggers9a599232022-05-04 22:18:02 +0000[diff] [blame]393neverallow {
394 domain
395 -vold
396} {
Eric Biggers9a599232022-05-04 22:18:02 +0000[diff] [blame]397 media_userdir_file
Eric Biggers17369be2022-05-11 05:33:07 +0000[diff] [blame]398 system_userdir_file
399 vendor_userdir_file
Eric Biggers9a599232022-05-04 22:18:02 +0000[diff] [blame]400}:dir {
401 add_name
402 remove_name
403 write
404};
Inseob Kim75806ef2024-03-27 17:18:41 +0900[diff] [blame]405
406# Only vold and init should ever set file-based encryption policies.
407neverallowxperm {
408 domain
409 -vold
410 -init
411 -vendor_init
412} data_file_type:dir ioctl { FS_IOC_SET_ENCRYPTION_POLICY };
413
414# Only vold should ever add/remove file-based encryption keys.
415neverallowxperm {
416 domain
417 -vold
418} data_file_type:dir ioctl { FS_IOC_ADD_ENCRYPTION_KEY FS_IOC_REMOVE_ENCRYPTION_KEY FS_IOC_GET_ENCRYPTION_KEY_STATUS };
419
420neverallow {
421 domain
422 -vold
423 -vold_prepare_subdirs
424} vold_data_file:dir ~{ open create read getattr setattr search relabelfrom relabelto ioctl };
425
426neverallow {
427 domain
428 -init
429 -vold
430 -vold_prepare_subdirs
431} vold_data_file:dir *;
432
433neverallow {
434 domain
435 -init
436 -vold
437} vold_metadata_file:dir *;
438
439neverallow {
440 domain
441 -kernel
442 -vold
443 -vold_prepare_subdirs
444} vold_data_file:notdevfile_class_set ~{ relabelto getattr };
445
446neverallow {
447 domain
448 -init
449 -vold
450 -vold_prepare_subdirs
451} vold_metadata_file:notdevfile_class_set ~{ relabelto getattr };
452
453neverallow {
454 domain
455 -init
456 -kernel
457 -vold
458 -vold_prepare_subdirs
459} { vold_data_file vold_metadata_file }:notdevfile_class_set *;
460
461neverallow { domain -vold -init } restorecon_prop:property_service set;
462
463neverallow vold {
464 domain
465 -hal_health_storage_server
466 -hal_keymaster_server
467 -system_suspend_server
468 -hal_bootctl_server
469 -hwservicemanager
470 -keystore
471 -servicemanager
472 -system_server
473 userdebug_or_eng(`-su')
474}:binder call;
475
476neverallow vold fsck_exec:file execute_no_trans;
477neverallow { domain -init } vold:process { transition dyntransition };
478neverallow vold *:process ptrace;
479neverallow vold *:rawip_socket *;