diff options
Diffstat (limited to 'vold.te')
| -rw-r--r-- | vold.te | 88 |
1 files changed, 77 insertions, 11 deletions
@@ -4,17 +4,63 @@ type vold_exec, exec_type, file_type; init_daemon_domain(vold) +# Switch to more restrictive domains when executing common tools +domain_auto_trans(vold, sgdisk_exec, sgdisk); +domain_auto_trans(vold, sdcardd_exec, sdcardd); + +# For a handful of probing tools, we choose an even more restrictive +# domain when working with untrusted block devices +domain_trans(vold, shell_exec, blkid); +domain_trans(vold, shell_exec, blkid_untrusted); +domain_trans(vold, fsck_exec, fsck); +domain_trans(vold, fsck_exec, fsck_untrusted); + +# Allow us to jump into execution domains of above tools +allow vold self:process setexec; + +# For sgdisk launched through popen() +allow vold shell_exec:file rx_file_perms; + typeattribute vold mlstrustedsubject; +allow vold self:process setfscreate; allow vold system_file:file x_file_perms; allow vold block_device:dir create_dir_perms; allow vold block_device:blk_file create_file_perms; +auditallow vold block_device:blk_file create_file_perms; allow vold device:dir write; allow vold devpts:chr_file rw_file_perms; allow vold rootfs:dir mounton; -allow vold sdcard_type:dir mounton; -allow vold sdcard_type:filesystem { mount remount unmount }; -allow vold sdcard_type:dir create_dir_perms; -allow vold sdcard_type:file create_file_perms; +allow vold sdcard_type:dir mounton; # TODO: deprecated in M +allow vold sdcard_type:filesystem { mount remount unmount }; # TODO: deprecated in M +allow vold sdcard_type:dir create_dir_perms; # TODO: deprecated in M +allow vold sdcard_type:file create_file_perms; # TODO: deprecated in M + +# Manage locations where storage is mounted +allow vold { mnt_media_rw_file storage_file sdcard_type }:dir create_dir_perms; +allow vold { mnt_media_rw_file storage_file sdcard_type }:file create_file_perms; + +# Access to storage that backs emulated FUSE daemons for migration optimization +allow vold media_rw_data_file:dir create_dir_perms; +allow vold media_rw_data_file:file create_file_perms; + +# Newly created storage dirs are always treated as mount stubs to prevent us +# from accidentally writing when the mount point isn't present. +type_transition vold storage_file:dir storage_stub_file; +type_transition vold mnt_media_rw_file:dir mnt_media_rw_stub_file; + +# Allow mounting of storage devices +allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr }; +allow vold sdcard_type:filesystem { mount unmount remount }; + +# Manage per-user primary symlinks +allow vold mnt_user_file:dir create_dir_perms; +allow vold mnt_user_file:lnk_file create_file_perms; + +# Allow to create and mount expanded storage +allow vold mnt_expand_file:dir { create_dir_perms mounton }; +allow vold apk_data_file:dir { create getattr setattr }; +allow vold shell_data_file:dir { create getattr setattr }; + allow vold tmpfs:filesystem { mount unmount }; allow vold tmpfs:dir create_dir_perms; allow vold tmpfs:dir mounton; @@ -22,22 +68,24 @@ allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner allow vold self:netlink_kobject_uevent_socket create_socket_perms; allow vold app_data_file:dir search; allow vold app_data_file:file rw_file_perms; -allow vold loop_device:blk_file rw_file_perms; +allow vold loop_device:blk_file create_file_perms; +allow vold vold_device:blk_file create_file_perms; allow vold dm_device:chr_file rw_file_perms; +allow vold dm_device:blk_file rw_file_perms; # For vold Process::killProcessesWithOpenFiles function. allow vold domain:dir r_dir_perms; allow vold domain:{ file lnk_file } r_file_perms; allow vold domain:process { signal sigkill }; allow vold self:capability { sys_ptrace kill }; -# For blkid -allow vold shell_exec:file rx_file_perms; - # XXX Label sysfs files with a specific type? allow vold sysfs:file rw_file_perms; write_klog(vold) +# Run fsck. +allow vold fsck_exec:file rx_file_perms; + # Log fsck results allow vold fscklogs:dir rw_dir_perms; allow vold fscklogs:file create_file_perms; @@ -56,8 +104,8 @@ allow vold labeledfs:filesystem { mount unmount remount }; # XXX Split into a separate type? allow vold efs_file:file rw_file_perms; -# Create and mount on /data/tmp_mnt. -allow vold system_data_file:dir { create rw_dir_perms mounton }; +# Create and mount on /data/tmp_mnt and management of expansion mounts +allow vold system_data_file:dir { create rw_dir_perms mounton setattr rmdir }; # Set scheduling policy of kernel processes allow vold kernel:process setsched; @@ -71,7 +119,7 @@ allow vold ctl_fuse_prop:property_service set; allow vold asec_image_file:file create_file_perms; allow vold asec_image_file:dir rw_dir_perms; security_access_policy(vold) -allow vold asec_apk_file:dir { rw_dir_perms setattr relabelfrom relabelto }; +allow vold asec_apk_file:dir { create_dir_perms mounton relabelfrom relabelto }; allow vold asec_public_file:dir { relabelto setattr }; allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto }; allow vold asec_public_file:file { relabelto setattr }; @@ -89,3 +137,21 @@ binder_call(vold, healthd) # talk to keymaster allow vold tee_device:chr_file rw_file_perms; +# Access userdata block device. +allow vold userdata_block_device:blk_file rw_file_perms; + +# Access metadata block device used for encryption meta-data. +allow vold metadata_block_device:blk_file rw_file_perms; + +# Allow init to manipulate /data/unencrypted +allow vold unencrypted_data_file:{ file lnk_file } create_file_perms; +allow vold unencrypted_data_file:dir create_dir_perms; + +# Give vold a place where only vold can store files; everyone else is off limits +allow vold vold_data_file:dir rw_dir_perms; +allow vold vold_data_file:file create_file_perms; + +neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto }; +neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr }; +neverallow { domain -vold -init } vold_data_file:dir *; +neverallow { domain -vold -init } vold_data_file:notdevfile_class_set *; |