Blame - private/vold.te - android_system_sepolicy

blob: de0fde48a34f3271d3ad1dd8106346a7ae8421b7 [file] [log] [blame]

Alex Klyubin	f5446eb	2017-03-23 14:27:32 -0700	[diff] [blame]	1	typeattribute vold coredomain;
				2
dcashman	cc39f63	2016-07-22 13:13:11 -0700	[diff] [blame]	3	init_daemon_domain(vold)
				4
				5	# Switch to more restrictive domains when executing common tools
				6	domain_auto_trans(vold, sgdisk_exec, sgdisk);
				7	domain_auto_trans(vold, sdcardd_exec, sdcardd);
				8
				9	# For a handful of probing tools, we choose an even more restrictive
				10	# domain when working with untrusted block devices
Paul Crowley	f9f7539	2018-11-30 15:58:26 -0800	[diff] [blame]	11	domain_trans(vold, blkid_exec, blkid);
				12	domain_trans(vold, blkid_exec, blkid_untrusted);
dcashman	cc39f63	2016-07-22 13:13:11 -0700	[diff] [blame]	13	domain_trans(vold, fsck_exec, fsck);
				14	domain_trans(vold, fsck_exec, fsck_untrusted);
				15
				16	# Newly created storage dirs are always treated as mount stubs to prevent us
				17	# from accidentally writing when the mount point isn't present.
				18	type_transition vold storage_file:dir storage_stub_file;
				19	type_transition vold mnt_media_rw_file:dir mnt_media_rw_stub_file;
Inseob Kim	55e5c9b	2020-03-04 17:20:35 +0900	[diff] [blame]	20
				21	# Property Service
Inseob Kim	3f5a7d2	2020-04-06 20:49:17 +0900	[diff] [blame]	22	get_prop(vold, vold_config_prop)
Martijn Coenen	01234d3	2020-04-10 14:11:49 +0200	[diff] [blame]	23	get_prop(vold, storage_config_prop);
Songchun Fan	9fdcbcd	2020-04-28 13:24:54 -0700	[diff] [blame]	24	get_prop(vold, incremental_prop);
Inseob Kim	3f5a7d2	2020-04-06 20:49:17 +0900	[diff] [blame]	25
Eric Biggers	040ce19	2021-04-22 16:09:56 -0700	[diff] [blame]	26	set_prop(vold, vold_post_fs_data_prop)
Inseob Kim	55e5c9b	2020-03-04 17:20:35 +0900	[diff] [blame]	27	set_prop(vold, vold_prop)
Inseob Kim	3f5a7d2	2020-04-06 20:49:17 +0900	[diff] [blame]	28	set_prop(vold, vold_status_prop)
Inseob Kim	55e5c9b	2020-03-04 17:20:35 +0900	[diff] [blame]	29	set_prop(vold, powerctl_prop)
				30	set_prop(vold, ctl_fuse_prop)
				31	set_prop(vold, restorecon_prop)
				32	set_prop(vold, ota_prop)
				33	set_prop(vold, boottime_prop)
Inseob Kim	42c7d89	2020-03-04 17:20:35 +0900	[diff] [blame]	34	set_prop(vold, boottime_public_prop)
Janis Danisevskis	32d7738	2020-07-31 22:22:49 -0700	[diff] [blame]	35
				36	# Vold will use Keystore instead of using Keymint directly. But it still needs
				37	# to manage its Keymint blobs. This is why it needs the `manage_blob` permission.
				38	allow vold vold_key:keystore2_key {
Satya Tangirala	0653374	2021-03-08 09:48:42 -0800	[diff] [blame]	39	convert_storage_key_to_ephemeral
Janis Danisevskis	32d7738	2020-07-31 22:22:49 -0700	[diff] [blame]	40	delete
				41	get_info
Janis Danisevskis	32d7738	2020-07-31 22:22:49 -0700	[diff] [blame]	42	manage_blob
				43	rebind
				44	req_forced_op
				45	update
				46	use
				47	};
Xin Li	11da9e6	2020-08-29 01:45:24 -0700	[diff] [blame]	48
Satya Tangirala	a999004	2021-03-01 02:53:46 -0800	[diff] [blame]	49	# vold needs to call keystore methods
				50	allow vold keystore:binder call;
				51
Satya Tangirala	5ef8686	2021-03-11 03:57:03 -0800	[diff] [blame]	52	# vold needs to find keystore2 services
Satya Tangirala	a999004	2021-03-01 02:53:46 -0800	[diff] [blame]	53	allow vold keystore_service:service_manager find;
Satya Tangirala	5ef8686	2021-03-11 03:57:03 -0800	[diff] [blame]	54	allow vold keystore_maintenance_service:service_manager find;
				55
Paul Crowley	bf29c3a	2021-08-06 15:11:53 -0700	[diff] [blame^]	56	# vold needs to be able to call earlyBootEnded() and deleteAllKeys()
Satya Tangirala	5ef8686	2021-03-11 03:57:03 -0800	[diff] [blame]	57	allow vold keystore:keystore2 early_boot_ended;
Paul Crowley	bf29c3a	2021-08-06 15:11:53 -0700	[diff] [blame^]	58	allow vold keystore:keystore2 delete_all_keys;
Satya Tangirala	5ef8686	2021-03-11 03:57:03 -0800	[diff] [blame]	59
Yo Chiang	ffe786e	2020-10-07 13:59:52 +0800	[diff] [blame]	60	neverallow {
				61	domain
				62	-system_server
				63	-vdc
				64	-vold
				65	-update_verifier
				66	-apexd
				67	-gsid
				68	} vold_service:service_manager find;