Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 78bb83fb0a63cd8f2495298c166e6013dd18398c / . / private / vold.te
blob: 339877de01339515d687e18bd48620a9d74130f8 [file] [log] [blame]
Alex Klyubinf5446eb2017-03-23 14:27:32 -0700[diff] [blame]1typeattribute vold coredomain;
2
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]3init_daemon_domain(vold)
4
5# Switch to more restrictive domains when executing common tools
6domain_auto_trans(vold, sgdisk_exec, sgdisk);
7domain_auto_trans(vold, sdcardd_exec, sdcardd);
Alfred Piccioni30ae4272023-01-17 18:22:34 +0100[diff] [blame]8domain_auto_trans(vold, fuseblkd_untrusted_exec, fuseblkd_untrusted);
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]9
Kelvin Zhang2b413622023-06-26 14:52:27 -0700[diff] [blame]10# Switch to e2fs domain when running mkfs.ext4 to format a partition
11domain_auto_trans(vold, e2fs_exec, e2fs);
12
13
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]14# For a handful of probing tools, we choose an even more restrictive
15# domain when working with untrusted block devices
Paul Crowleyf9f75392018-11-30 15:58:26 -0800[diff] [blame]16domain_trans(vold, blkid_exec, blkid);
17domain_trans(vold, blkid_exec, blkid_untrusted);
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]18domain_trans(vold, fsck_exec, fsck);
19domain_trans(vold, fsck_exec, fsck_untrusted);
20
21# Newly created storage dirs are always treated as mount stubs to prevent us
22# from accidentally writing when the mount point isn't present.
23type_transition vold storage_file:dir storage_stub_file;
24type_transition vold mnt_media_rw_file:dir mnt_media_rw_stub_file;
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]25
26# Property Service
Inseob Kim3f5a7d22020-04-06 20:49:17 +0900[diff] [blame]27get_prop(vold, vold_config_prop)
Martijn Coenen01234d32020-04-10 14:11:49 +0200[diff] [blame]28get_prop(vold, storage_config_prop);
Songchun Fan9fdcbcd2020-04-28 13:24:54 -0700[diff] [blame]29get_prop(vold, incremental_prop);
Howard Chen87204922021-09-16 09:55:50 +0800[diff] [blame]30get_prop(vold, gsid_prop);
Inseob Kim3f5a7d22020-04-06 20:49:17 +0900[diff] [blame]31
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]32set_prop(vold, vold_prop)
Inseob Kim3f5a7d22020-04-06 20:49:17 +0900[diff] [blame]33set_prop(vold, vold_status_prop)
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]34set_prop(vold, powerctl_prop)
35set_prop(vold, ctl_fuse_prop)
36set_prop(vold, restorecon_prop)
37set_prop(vold, ota_prop)
38set_prop(vold, boottime_prop)
Inseob Kim42c7d892020-03-04 17:20:35 +0900[diff] [blame]39set_prop(vold, boottime_public_prop)
Janis Danisevskis32d77382020-07-31 22:22:49 -0700[diff] [blame]40
41# Vold will use Keystore instead of using Keymint directly. But it still needs
42# to manage its Keymint blobs. This is why it needs the `manage_blob` permission.
43allow vold vold_key:keystore2_key {
Satya Tangirala06533742021-03-08 09:48:42 -0800[diff] [blame]44 convert_storage_key_to_ephemeral
Janis Danisevskis32d77382020-07-31 22:22:49 -0700[diff] [blame]45 delete
46 get_info
Janis Danisevskis32d77382020-07-31 22:22:49 -0700[diff] [blame]47 manage_blob
48 rebind
49 req_forced_op
50 update
51 use
52};
Xin Li11da9e62020-08-29 01:45:24 -0700[diff] [blame]53
Satya Tangiralaa9990042021-03-01 02:53:46 -0800[diff] [blame]54# vold needs to call keystore methods
55allow vold keystore:binder call;
56
Satya Tangirala5ef86862021-03-11 03:57:03 -0800[diff] [blame]57# vold needs to find keystore2 services
Satya Tangiralaa9990042021-03-01 02:53:46 -0800[diff] [blame]58allow vold keystore_service:service_manager find;
Satya Tangirala5ef86862021-03-11 03:57:03 -0800[diff] [blame]59allow vold keystore_maintenance_service:service_manager find;
60
Paul Crowleybf29c3a2021-08-06 15:11:53 -0700[diff] [blame]61# vold needs to be able to call earlyBootEnded() and deleteAllKeys()
Satya Tangirala5ef86862021-03-11 03:57:03 -0800[diff] [blame]62allow vold keystore:keystore2 early_boot_ended;
Paul Crowleybf29c3a2021-08-06 15:11:53 -0700[diff] [blame]63allow vold keystore:keystore2 delete_all_keys;
Satya Tangirala5ef86862021-03-11 03:57:03 -0800[diff] [blame]64
Ellen Arteca27b515e2024-04-30 20:26:55 +0000[diff] [blame]65is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
Ellen Artecaaa898dc2024-05-20 17:59:16 +0000[diff] [blame]66 allow vold storage_area_app_dir:dir search;
67 # Allow vold to get the encryption policy and
68 # verify the ownership of storage areas
69 allow vold storage_area_dir:dir {
70 read
Ellen Arteca27b515e2024-04-30 20:26:55 +0000[diff] [blame]71 open
Ellen Artecaaa898dc2024-05-20 17:59:16 +0000[diff] [blame]72 getattr
73 ioctl
Ellen Arteca27b515e2024-04-30 20:26:55 +0000[diff] [blame]74 };
75')
76
77# when a storage area is created (with `openStorageArea`), vold creates the key
78# and when a storage area is deleted (with `deleteStorageArea`), vold deletes the key
79is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
80 allow vold storage_area_key_file:file create_file_perms;
81 allow vold storage_area_key_file:dir create_dir_perms;
82')
83
Eric Biggers9a599232022-05-04 22:18:02 +0000[diff] [blame]84# Allow vold to create and delete per-user directories like /data/user/$userId.
85allow vold {
86 media_userdir_file
87 system_userdir_file
88 vendor_userdir_file
89}:dir {
90 add_name
91 remove_name
92 write
93};
94
Inseob Kim75806ef2024-03-27 17:18:41 +0900[diff] [blame]95# Read already opened /cache files.
96allow vold cache_file:dir r_dir_perms;
97allow vold cache_file:file { getattr read };
98allow vold cache_file:lnk_file r_file_perms;
99
100r_dir_file(vold, { sysfs_type -sysfs_batteryinfo })
101# XXX Label sysfs files with a specific type?
102allow vold {
103 sysfs # writing to /sys/*/uevent during coldboot.
104 sysfs_devices_block
105 sysfs_dm
106 sysfs_loop # writing to /sys/block/loop*/uevent during coldboot.
107 sysfs_usb
108 sysfs_zram_uevent
109 sysfs_fs_f2fs
110}:file w_file_perms;
111
112r_dir_file(vold, rootfs)
113r_dir_file(vold, metadata_file)
114allow vold {
115 proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
116 proc_bootconfig
117 proc_cmdline
118 proc_drop_caches
119 proc_filesystems
120 proc_meminfo
121 proc_mounts
122}:file r_file_perms;
123
124#Get file contexts
125allow vold file_contexts_file:file r_file_perms;
126
127# Allow us to jump into execution domains of above tools
128allow vold self:process setexec;
129
130# For formatting adoptable storage devices
131allow vold e2fs_exec:file rx_file_perms;
132
133# Run fstrim on mounted partitions
134# allowxperm still requires the ioctl permission for the individual type
135allowxperm vold { fs_type file_type }:dir ioctl FITRIM;
136
137# Get/set file-based encryption policies on dirs in /data and adoptable storage,
138# and add/remove file-based encryption keys.
139allowxperm vold data_file_type:dir ioctl {
140 FS_IOC_GET_ENCRYPTION_POLICY
Ellen Arteca27b515e2024-04-30 20:26:55 +0000[diff] [blame]141 FS_IOC_GET_ENCRYPTION_POLICY_EX
Inseob Kim75806ef2024-03-27 17:18:41 +0900[diff] [blame]142 FS_IOC_SET_ENCRYPTION_POLICY
143 FS_IOC_ADD_ENCRYPTION_KEY
144 FS_IOC_REMOVE_ENCRYPTION_KEY
145 FS_IOC_GET_ENCRYPTION_KEY_STATUS
146};
147
148# Allow securely erasing crypto key files. F2FS_IOC_SEC_TRIM_FILE is
149# tried first. Otherwise, FS_IOC_FIEMAP is needed to get the
150# location of the file's blocks on the raw block device to erase.
151allowxperm vold {
152 vold_data_file
153 vold_metadata_file
Ellen Arteca27b515e2024-04-30 20:26:55 +0000[diff] [blame]154 is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_key_file')
Inseob Kim75806ef2024-03-27 17:18:41 +0900[diff] [blame]155}:file ioctl {
156 F2FS_IOC_SEC_TRIM_FILE
157 FS_IOC_FIEMAP
158};
159
160typeattribute vold mlstrustedsubject;
161allow vold self:process setfscreate;
162allow vold system_file:file x_file_perms;
163not_full_treble(`allow vold vendor_file:file x_file_perms;')
164allow vold block_device:dir create_dir_perms;
165allow vold device:dir write;
166allow vold devpts:chr_file rw_file_perms;
167allow vold rootfs:dir mounton;
168allow vold { sdcard_type fuse }:dir mounton; # TODO: deprecated in M
169allow vold { sdcard_type fuse }:filesystem { mount remount unmount }; # TODO: deprecated in M
170
171# Manage locations where storage is mounted
172allow vold { mnt_media_rw_file storage_file sdcard_type fuse }:dir create_dir_perms;
173allow vold { mnt_media_rw_file storage_file sdcard_type fuse }:file create_file_perms;
174
175# Access to storage that backs emulated FUSE daemons for migration optimization
176allow vold media_rw_data_file:dir create_dir_perms;
177allow vold media_rw_data_file:file create_file_perms;
178# Allow mounting (lower filesystem) on parts of media for performance
179allow vold media_rw_data_file:dir mounton;
180
181# Allow setting project quota IDs and enabling project ID inheritance on
182# /data/media/$userId/* and /mnt/expand/$volume/media/$userId/*
183allowxperm vold media_rw_data_file:{ dir file } ioctl {
184 FS_IOC_FSGETXATTR
185 FS_IOC_FSSETXATTR
186 FS_IOC_GETFLAGS
187 FS_IOC_SETFLAGS
188};
189
190# Allow mounting of storage devices
191allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr };
192
193# Manage per-user primary symlinks
194allow vold mnt_user_file:dir { create_dir_perms mounton };
195allow vold mnt_user_file:lnk_file create_file_perms;
196allow vold mnt_user_file:file create_file_perms;
197
198# Manage per-user pass_through primary symlinks
199allow vold mnt_pass_through_file:dir { create_dir_perms mounton };
200allow vold mnt_pass_through_file:lnk_file create_file_perms;
201
202# Allow to create and mount expanded storage
203allow vold mnt_expand_file:dir { create_dir_perms mounton };
204allow vold apk_data_file:dir { create getattr setattr };
205allow vold shell_data_file:dir { create getattr setattr };
206allow vold system_userdir_file:dir { create getattr setattr };
207allow vold media_userdir_file:dir { create getattr setattr open read ioctl };
208# Needed to set the casefold flag on /mnt/expand/$volume/media
209allowxperm vold media_userdir_file:dir ioctl { FS_IOC_GETFLAGS FS_IOC_SETFLAGS };
210
211# Allow to mount incremental file system on /data/incremental and create files
212allow vold apk_data_file:dir { mounton rw_dir_perms };
213# Allow to create and write files in /data/incremental
214allow vold apk_data_file:file { rw_file_perms unlink };
215# Allow to bind-mount incremental file system on /data/app/vmdl*.tmp and read files
216allow vold apk_tmp_file:dir { mounton r_dir_perms };
217# Allow to read incremental control file and call selinux restorecon on it
218allow vold incremental_control_file:file { r_file_perms relabelto };
219
220allow vold tmpfs:filesystem { mount unmount };
221allow vold tmpfs:dir create_dir_perms;
222allow vold tmpfs:dir mounton;
223allow vold self:global_capability_class_set { net_admin dac_override dac_read_search mknod sys_admin chown fowner fsetid };
224allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
225allow vold loop_control_device:chr_file rw_file_perms;
226allow vold loop_device:blk_file { create setattr unlink rw_file_perms };
227allowxperm vold loop_device:blk_file ioctl {
228 LOOP_CLR_FD
229 LOOP_CTL_GET_FREE
230 LOOP_GET_STATUS64
231 LOOP_SET_FD
232 LOOP_SET_STATUS64
233};
234allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
235allowxperm vold vold_device:blk_file ioctl { BLKDISCARD BLKGETSIZE };
236allow vold dm_device:chr_file rw_file_perms;
237allow vold dm_device:blk_file rw_file_perms;
Kelvin Zhang78bb83f2024-07-31 11:07:30 -0700[diff] [blame^]238allowxperm vold dm_device:blk_file ioctl { BLKDISCARD BLKSECDISCARD BLKREPORTZONE BLKRESETZONE BLKROSET BLKROGET };
Inseob Kim75806ef2024-03-27 17:18:41 +0900[diff] [blame]239# For vold Process::killProcessesWithOpenFiles function.
240allow vold domain:dir r_dir_perms;
241allow vold domain:{ file lnk_file } r_file_perms;
242allow vold domain:process { signal sigkill };
243allow vold self:global_capability_class_set { sys_ptrace kill };
244
245allow vold kmsg_device:chr_file rw_file_perms;
246
247# Run fsck in the fsck domain.
248allow vold fsck_exec:file { r_file_perms execute };
249
250# Log fsck results
251allow vold fscklogs:dir rw_dir_perms;
252allow vold fscklogs:file create_file_perms;
253
254# Mount and unmount filesystems.
255allow vold labeledfs:filesystem { mount unmount remount };
256
257# Create and mount on /data/tmp_mnt and management of expansion mounts
258#
259# Also rename per-user encrypted directories such as /data/user/10 from their
260# temporary name ("10.new") to their final name ("10").
261allow vold {
262 system_data_file
263 system_data_root_file
264}:dir { create_dir_perms mounton };
265allow vold system_data_file:lnk_file getattr;
266
267# Vold create users in /data/vendor_{ce,de}/[0-9]+
268allow vold vendor_data_file:dir create_dir_perms;
269
270# for secdiscard
271allow vold system_data_file:file read;
272
273# Set scheduling policy of kernel processes
274allow vold kernel:process setsched;
275
276# ASEC
277allow vold asec_image_file:file create_file_perms;
278allow vold asec_image_file:dir rw_dir_perms;
279allow vold asec_apk_file:dir { create_dir_perms mounton relabelfrom relabelto };
280allow vold asec_public_file:dir { relabelto setattr };
281allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto };
282allow vold asec_public_file:file { relabelto setattr };
283# restorecon files in asec containers created on 4.2 or earlier.
284allow vold unlabeled:dir { r_dir_perms setattr relabelfrom };
285allow vold unlabeled:file { r_file_perms setattr relabelfrom };
286
287# Access to FUSE control filesystem to hard-abort FUSE mounts
288allow vold fusectlfs:file rw_file_perms;
289allow vold fusectlfs:dir rw_dir_perms;
290
291# Allow vold to use wake locks. Needed for idle maintenance and moving storage.
292wakelock_use(vold)
293
294# Allow vold to publish a binder service and make binder calls.
295binder_use(vold)
296add_service(vold, vold_service)
297
298# Allow vold to call into the system server so it can check permissions.
299binder_call(vold, system_server)
300allow vold permission_service:service_manager find;
301
302# talk to health storage HAL
303hal_client_domain(vold, hal_health_storage)
304
305# talk to bootloader HAL
306full_treble_only(`hal_client_domain(vold, hal_bootctl)')
307
308# Access userdata block device.
309allow vold userdata_block_device:blk_file rw_file_perms;
310allowxperm vold userdata_block_device:blk_file ioctl BLKSECDISCARD;
311
312# Access zoned block device.
313allow vold zoned_block_device:blk_file rw_file_perms;
314
315# Access metadata block device used for encryption meta-data.
316allow vold metadata_block_device:blk_file rw_file_perms;
317allowxperm vold metadata_block_device:blk_file ioctl BLKSECDISCARD;
318
319# Allow vold to manipulate /data/unencrypted
320allow vold unencrypted_data_file:{ file } create_file_perms;
321allow vold unencrypted_data_file:dir create_dir_perms;
322
323# Write to /proc/sys/vm/drop_caches
324allow vold proc_drop_caches:file w_file_perms;
325
326# Give vold a place where only vold can store files; everyone else is off limits
327allow vold vold_data_file:dir create_dir_perms;
328allow vold vold_data_file:file create_file_perms;
329
330# And a similar place in the metadata partition
331allow vold vold_metadata_file:dir create_dir_perms;
332allow vold vold_metadata_file:file create_file_perms;
333
334# linux keyring configuration
335allow vold init:key { write search setattr };
336allow vold vold:key { write search setattr };
337
338# vold temporarily changes its priority when running benchmarks
339allow vold self:global_capability_class_set sys_nice;
340
341# vold needs to chroot into app namespaces to remount when runtime permissions change
342allow vold self:global_capability_class_set sys_chroot;
343allow vold storage_file:dir mounton;
344
345# For AppFuse.
346allow vold fuse_device:chr_file rw_file_perms;
347allow vold fuse:filesystem { relabelfrom };
348allow vold app_fusefs:filesystem { relabelfrom relabelto };
349allow vold app_fusefs:filesystem { mount unmount };
350allow vold app_fuse_file:dir rw_dir_perms;
351allow vold app_fuse_file:file { read write open getattr append };
352
353# MoveStorage.cpp executes cp and rm
354allow vold toolbox_exec:file rx_file_perms;
355
356# Prepare profile dir for users.
357allow vold { user_profile_data_file user_profile_root_file }:dir create_dir_perms;
358
359# Raw writes to misc block device
360allow vold misc_block_device:blk_file w_file_perms;
361
362# vold might need to search or mount /mnt/vendor/*
363allow vold mnt_vendor_file:dir search;
364
365dontaudit vold self:global_capability_class_set sys_resource;
366
367# Allow ReadDefaultFstab().
368read_fstab(vold)
369
370# vold might need to search loopback apex files
371allow vold vendor_apex_file:file r_file_perms;
372
373###
374### Neverallow rules
375###
376
377neverallow {
378 domain
379 -system_server
380 -vdc
381 -vold
382 -update_verifier
383 -apexd
384 -gsid
385} vold_service:service_manager find;
386
Eric Biggers9a599232022-05-04 22:18:02 +0000[diff] [blame]387# Only vold should create (and delete) per-user directories like
388# /data/user/$userId. This is very important, as these directories need to be
389# encrypted with per-user keys, which only vold can do. Encryption can only be
390# set up on empty directories, so creation and encryption must happen together.
Eric Biggers9a599232022-05-04 22:18:02 +0000[diff] [blame]391neverallow {
392 domain
393 -vold
394} {
Eric Biggers9a599232022-05-04 22:18:02 +0000[diff] [blame]395 media_userdir_file
Eric Biggers17369be2022-05-11 05:33:07 +0000[diff] [blame]396 system_userdir_file
397 vendor_userdir_file
Eric Biggers9a599232022-05-04 22:18:02 +0000[diff] [blame]398}:dir {
399 add_name
400 remove_name
401 write
402};
Inseob Kim75806ef2024-03-27 17:18:41 +0900[diff] [blame]403
404# Only vold and init should ever set file-based encryption policies.
405neverallowxperm {
406 domain
407 -vold
408 -init
409 -vendor_init
Ellen Artecaaa898dc2024-05-20 17:59:16 +0000[diff] [blame]410 is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, ` -vold_prepare_subdirs ')
Inseob Kim75806ef2024-03-27 17:18:41 +0900[diff] [blame]411} data_file_type:dir ioctl { FS_IOC_SET_ENCRYPTION_POLICY };
412
413# Only vold should ever add/remove file-based encryption keys.
414neverallowxperm {
415 domain
416 -vold
417} data_file_type:dir ioctl { FS_IOC_ADD_ENCRYPTION_KEY FS_IOC_REMOVE_ENCRYPTION_KEY FS_IOC_GET_ENCRYPTION_KEY_STATUS };
418
419neverallow {
420 domain
421 -vold
422 -vold_prepare_subdirs
423} vold_data_file:dir ~{ open create read getattr setattr search relabelfrom relabelto ioctl };
424
425neverallow {
426 domain
427 -init
428 -vold
429 -vold_prepare_subdirs
430} vold_data_file:dir *;
431
432neverallow {
433 domain
434 -init
435 -vold
436} vold_metadata_file:dir *;
437
438neverallow {
439 domain
440 -kernel
441 -vold
442 -vold_prepare_subdirs
443} vold_data_file:notdevfile_class_set ~{ relabelto getattr };
444
445neverallow {
446 domain
447 -init
448 -vold
449 -vold_prepare_subdirs
450} vold_metadata_file:notdevfile_class_set ~{ relabelto getattr };
451
452neverallow {
453 domain
454 -init
455 -kernel
456 -vold
457 -vold_prepare_subdirs
458} { vold_data_file vold_metadata_file }:notdevfile_class_set *;
459
460neverallow { domain -vold -init } restorecon_prop:property_service set;
461
462neverallow vold {
463 domain
464 -hal_health_storage_server
465 -hal_keymaster_server
466 -system_suspend_server
467 -hal_bootctl_server
468 -hwservicemanager
469 -keystore
470 -servicemanager
471 -system_server
472 userdebug_or_eng(`-su')
473}:binder call;
474
475neverallow vold fsck_exec:file execute_no_trans;
476neverallow { domain -init } vold:process { transition dyntransition };
477neverallow vold *:process ptrace;
478neverallow vold *:rawip_socket *;