• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1typeattribute vold coredomain;
2
3init_daemon_domain(vold)
4
5# Switch to more restrictive domains when executing common tools
6domain_auto_trans(vold, sgdisk_exec, sgdisk);
7domain_auto_trans(vold, sdcardd_exec, sdcardd);
8domain_auto_trans(vold, fuseblkd_untrusted_exec, fuseblkd_untrusted);
9
10# Switch to e2fs domain when running mkfs.ext4 to format a partition
11domain_auto_trans(vold, e2fs_exec, e2fs);
12
13
14# For a handful of probing tools, we choose an even more restrictive
15# domain when working with untrusted block devices
16domain_trans(vold, blkid_exec, blkid);
17domain_trans(vold, blkid_exec, blkid_untrusted);
18domain_trans(vold, fsck_exec, fsck);
19domain_trans(vold, fsck_exec, fsck_untrusted);
20
21# Newly created storage dirs are always treated as mount stubs to prevent us
22# from accidentally writing when the mount point isn't present.
23type_transition vold storage_file:dir storage_stub_file;
24type_transition vold mnt_media_rw_file:dir mnt_media_rw_stub_file;
25
26# Property Service
27get_prop(vold, vold_config_prop)
28get_prop(vold, storage_config_prop);
29get_prop(vold, incremental_prop);
30get_prop(vold, gsid_prop);
31
32set_prop(vold, vold_prop)
33set_prop(vold, vold_status_prop)
34set_prop(vold, powerctl_prop)
35set_prop(vold, ctl_fuse_prop)
36set_prop(vold, restorecon_prop)
37set_prop(vold, ota_prop)
38set_prop(vold, boottime_prop)
39set_prop(vold, boottime_public_prop)
40
41# Vold will use Keystore instead of using Keymint directly. But it still needs
42# to manage its Keymint blobs. This is why it needs the `manage_blob` permission.
43allow vold vold_key:keystore2_key {
44    convert_storage_key_to_ephemeral
45    delete
46    get_info
47    manage_blob
48    rebind
49    req_forced_op
50    update
51    use
52};
53
54# vold needs to call keystore methods
55allow vold keystore:binder call;
56
57# vold needs to find keystore2 services
58allow vold keystore_service:service_manager find;
59allow vold keystore_maintenance_service:service_manager find;
60
61# vold needs to be able to call earlyBootEnded() and deleteAllKeys()
62allow vold keystore:keystore2 early_boot_ended;
63allow vold keystore:keystore2 delete_all_keys;
64
65is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
66    allow vold storage_area_app_dir:dir search;
67    # Allow vold to get the encryption policy and
68    # verify the ownership of storage areas
69    allow vold storage_area_dir:dir {
70        read
71        open
72        getattr
73        ioctl
74    };
75')
76
77# when a storage area is created (with `openStorageArea`), vold creates the key
78# and when a storage area is deleted (with `deleteStorageArea`), vold deletes the key
79is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
80  allow vold storage_area_key_file:file create_file_perms;
81  allow vold storage_area_key_file:dir create_dir_perms;
82')
83
84# Allow vold to create and delete per-user directories like /data/user/$userId.
85allow vold {
86    media_userdir_file
87    system_userdir_file
88    vendor_userdir_file
89}:dir {
90    add_name
91    remove_name
92    write
93};
94
95# Read already opened /cache files.
96allow vold cache_file:dir r_dir_perms;
97allow vold cache_file:file { getattr read };
98allow vold cache_file:lnk_file r_file_perms;
99
100r_dir_file(vold, { sysfs_type -sysfs_batteryinfo })
101# XXX Label sysfs files with a specific type?
102allow vold {
103  sysfs # writing to /sys/*/uevent during coldboot.
104  sysfs_devices_block
105  sysfs_dm
106  sysfs_loop # writing to /sys/block/loop*/uevent during coldboot.
107  sysfs_usb
108  sysfs_zram_uevent
109  sysfs_fs_f2fs
110}:file w_file_perms;
111
112r_dir_file(vold, rootfs)
113r_dir_file(vold, metadata_file)
114allow vold {
115  proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
116  proc_bootconfig
117  proc_cmdline
118  proc_drop_caches
119  proc_filesystems
120  proc_meminfo
121  proc_mounts
122}:file r_file_perms;
123
124#Get file contexts
125allow vold file_contexts_file:file r_file_perms;
126
127# Allow us to jump into execution domains of above tools
128allow vold self:process setexec;
129
130# For formatting adoptable storage devices
131allow vold e2fs_exec:file rx_file_perms;
132
133# Run fstrim on mounted partitions
134# allowxperm still requires the ioctl permission for the individual type
135allowxperm vold { fs_type file_type }:dir ioctl FITRIM;
136
137# Get/set file-based encryption policies on dirs in /data and adoptable storage,
138# and add/remove file-based encryption keys.
139allowxperm vold data_file_type:dir ioctl {
140  FS_IOC_GET_ENCRYPTION_POLICY
141  FS_IOC_GET_ENCRYPTION_POLICY_EX
142  FS_IOC_SET_ENCRYPTION_POLICY
143  FS_IOC_ADD_ENCRYPTION_KEY
144  FS_IOC_REMOVE_ENCRYPTION_KEY
145  FS_IOC_GET_ENCRYPTION_KEY_STATUS
146};
147
148# Allow securely erasing crypto key files. F2FS_IOC_SEC_TRIM_FILE is
149# tried first. Otherwise, FS_IOC_FIEMAP is needed to get the
150# location of the file's blocks on the raw block device to erase.
151allowxperm vold {
152  vold_data_file
153  vold_metadata_file
154  is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_key_file')
155}:file ioctl {
156  F2FS_IOC_SEC_TRIM_FILE
157  FS_IOC_FIEMAP
158};
159
160typeattribute vold mlstrustedsubject;
161allow vold self:process setfscreate;
162allow vold system_file:file x_file_perms;
163not_full_treble(`allow vold vendor_file:file x_file_perms;')
164allow vold block_device:dir create_dir_perms;
165allow vold device:dir write;
166allow vold devpts:chr_file rw_file_perms;
167allow vold rootfs:dir mounton;
168allow vold { sdcard_type fuse }:dir mounton; # TODO: deprecated in M
169allow vold { sdcard_type fuse }:filesystem { mount remount unmount }; # TODO: deprecated in M
170
171# Manage locations where storage is mounted
172allow vold { mnt_media_rw_file storage_file sdcard_type fuse }:dir create_dir_perms;
173allow vold { mnt_media_rw_file storage_file sdcard_type fuse }:file create_file_perms;
174
175# Access to storage that backs emulated FUSE daemons for migration optimization
176allow vold media_rw_data_file:dir create_dir_perms;
177allow vold media_rw_data_file:file create_file_perms;
178# Allow mounting (lower filesystem) on parts of media for performance
179allow vold media_rw_data_file:dir mounton;
180
181# Allow setting project quota IDs and enabling project ID inheritance on
182# /data/media/$userId/* and /mnt/expand/$volume/media/$userId/*
183allowxperm vold media_rw_data_file:{ dir file } ioctl {
184  FS_IOC_FSGETXATTR
185  FS_IOC_FSSETXATTR
186  FS_IOC_GETFLAGS
187  FS_IOC_SETFLAGS
188};
189
190# Allow mounting of storage devices
191allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr };
192
193# Manage per-user primary symlinks
194allow vold mnt_user_file:dir { create_dir_perms mounton };
195allow vold mnt_user_file:lnk_file create_file_perms;
196allow vold mnt_user_file:file create_file_perms;
197
198# Manage per-user pass_through primary symlinks
199allow vold mnt_pass_through_file:dir { create_dir_perms mounton };
200allow vold mnt_pass_through_file:lnk_file create_file_perms;
201
202# Allow to create and mount expanded storage
203allow vold mnt_expand_file:dir { create_dir_perms mounton };
204allow vold apk_data_file:dir { create getattr setattr };
205allow vold shell_data_file:dir { create getattr setattr };
206allow vold system_userdir_file:dir { create getattr setattr };
207allow vold media_userdir_file:dir { create getattr setattr open read ioctl };
208# Needed to set the casefold flag on /mnt/expand/$volume/media
209allowxperm vold media_userdir_file:dir ioctl { FS_IOC_GETFLAGS FS_IOC_SETFLAGS };
210
211# Allow to mount incremental file system on /data/incremental and create files
212allow vold apk_data_file:dir { mounton rw_dir_perms };
213# Allow to create and write files in /data/incremental
214allow vold apk_data_file:file { rw_file_perms unlink };
215# Allow to bind-mount incremental file system on /data/app/vmdl*.tmp and read files
216allow vold apk_tmp_file:dir { mounton r_dir_perms };
217# Allow to read incremental control file and call selinux restorecon on it
218allow vold incremental_control_file:file { r_file_perms relabelto };
219
220allow vold tmpfs:filesystem { mount unmount };
221allow vold tmpfs:dir create_dir_perms;
222allow vold tmpfs:dir mounton;
223allow vold self:global_capability_class_set { net_admin dac_override dac_read_search mknod sys_admin chown fowner fsetid };
224allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
225allow vold loop_control_device:chr_file rw_file_perms;
226allow vold loop_device:blk_file { create setattr unlink rw_file_perms };
227allowxperm vold loop_device:blk_file ioctl {
228  LOOP_CLR_FD
229  LOOP_CTL_GET_FREE
230  LOOP_GET_STATUS64
231  LOOP_SET_FD
232  LOOP_SET_STATUS64
233};
234allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
235allowxperm vold vold_device:blk_file ioctl { BLKDISCARD BLKGETSIZE };
236allow vold dm_device:chr_file rw_file_perms;
237allow vold dm_device:blk_file rw_file_perms;
238allowxperm vold dm_device:blk_file ioctl { BLKDISCARD BLKSECDISCARD BLKREPORTZONE BLKRESETZONE BLKROSET BLKROGET };
239# For vold Process::killProcessesWithOpenFiles function.
240allow vold domain:dir r_dir_perms;
241allow vold domain:{ file lnk_file } r_file_perms;
242allow vold domain:process { signal sigkill };
243allow vold self:global_capability_class_set { sys_ptrace kill };
244
245allow vold kmsg_device:chr_file rw_file_perms;
246
247# Run fsck in the fsck domain.
248allow vold fsck_exec:file { r_file_perms execute };
249
250# Log fsck results
251allow vold fscklogs:dir rw_dir_perms;
252allow vold fscklogs:file create_file_perms;
253
254# Mount and unmount filesystems.
255allow vold labeledfs:filesystem { mount unmount remount };
256
257# Create and mount on /data/tmp_mnt and management of expansion mounts
258#
259# Also rename per-user encrypted directories such as /data/user/10 from their
260# temporary name ("10.new") to their final name ("10").
261allow vold {
262    system_data_file
263    system_data_root_file
264}:dir { create_dir_perms mounton };
265allow vold system_data_file:lnk_file getattr;
266
267# Vold create users in /data/vendor_{ce,de}/[0-9]+
268allow vold vendor_data_file:dir create_dir_perms;
269
270# for secdiscard
271allow vold system_data_file:file read;
272
273# Set scheduling policy of kernel processes
274allow vold kernel:process setsched;
275
276# ASEC
277allow vold asec_image_file:file create_file_perms;
278allow vold asec_image_file:dir rw_dir_perms;
279allow vold asec_apk_file:dir { create_dir_perms mounton relabelfrom relabelto };
280allow vold asec_public_file:dir { relabelto setattr };
281allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto };
282allow vold asec_public_file:file { relabelto setattr };
283# restorecon files in asec containers created on 4.2 or earlier.
284allow vold unlabeled:dir { r_dir_perms setattr relabelfrom };
285allow vold unlabeled:file { r_file_perms setattr relabelfrom };
286
287# Access to FUSE control filesystem to hard-abort FUSE mounts
288allow vold fusectlfs:file rw_file_perms;
289allow vold fusectlfs:dir rw_dir_perms;
290
291# Allow vold to use wake locks.  Needed for idle maintenance and moving storage.
292wakelock_use(vold)
293
294# Allow vold to make binder calls and publish binder services.
295binder_use(vold)
296add_service(vold, vold_service)
297add_service(vold, fwk_vold_service)
298
299# Allow vold to call into the system server so it can check permissions.
300binder_call(vold, system_server)
301allow vold permission_service:service_manager find;
302
303# talk to health storage HAL
304hal_client_domain(vold, hal_health_storage)
305
306# talk to bootloader HAL
307full_treble_only(`hal_client_domain(vold, hal_bootctl)')
308
309# Access userdata block device.
310allow vold userdata_block_device:blk_file rw_file_perms;
311allowxperm vold userdata_block_device:blk_file ioctl BLKSECDISCARD;
312
313# Access zoned block device.
314allow vold zoned_block_device:blk_file rw_file_perms;
315
316# Access metadata block device used for encryption meta-data.
317allow vold metadata_block_device:blk_file rw_file_perms;
318allowxperm vold metadata_block_device:blk_file ioctl BLKSECDISCARD;
319
320# Allow vold to manipulate /data/unencrypted
321allow vold unencrypted_data_file:{ file } create_file_perms;
322allow vold unencrypted_data_file:dir create_dir_perms;
323
324# Write to /proc/sys/vm/drop_caches
325allow vold proc_drop_caches:file w_file_perms;
326
327# Give vold a place where only vold can store files; everyone else is off limits
328allow vold vold_data_file:dir create_dir_perms;
329allow vold vold_data_file:file create_file_perms;
330
331# And a similar place in the metadata partition
332allow vold vold_metadata_file:dir create_dir_perms;
333allow vold vold_metadata_file:file create_file_perms;
334
335# linux keyring configuration
336allow vold init:key { write search setattr };
337allow vold vold:key { write search setattr };
338
339# vold temporarily changes its priority when running benchmarks
340allow vold self:global_capability_class_set sys_nice;
341
342# vold needs to chroot into app namespaces to remount when runtime permissions change
343allow vold self:global_capability_class_set sys_chroot;
344allow vold storage_file:dir mounton;
345
346# For AppFuse.
347allow vold fuse_device:chr_file rw_file_perms;
348allow vold fuse:filesystem { relabelfrom };
349allow vold app_fusefs:filesystem { relabelfrom relabelto };
350allow vold app_fusefs:filesystem { mount unmount };
351allow vold app_fuse_file:dir rw_dir_perms;
352allow vold app_fuse_file:file { read write open getattr append };
353
354# MoveStorage.cpp executes cp and rm
355allow vold toolbox_exec:file rx_file_perms;
356
357# Prepare profile dir for users.
358allow vold { user_profile_data_file user_profile_root_file }:dir create_dir_perms;
359
360# Raw writes to misc block device
361allow vold misc_block_device:blk_file w_file_perms;
362
363# vold might need to search or mount /mnt/vendor/*
364allow vold mnt_vendor_file:dir search;
365
366dontaudit vold self:global_capability_class_set sys_resource;
367
368dontaudit vold self:capability sys_rawio;
369
370# Allow ReadDefaultFstab().
371read_fstab(vold)
372
373# vold might need to search loopback apex files
374allow vold vendor_apex_file:file r_file_perms;
375
376###
377### Neverallow rules
378###
379
380neverallow {
381    domain
382    -system_server
383    -vdc
384    -vold
385    -update_verifier
386    -apexd
387    -gsid
388} vold_service:service_manager find;
389
390# Only vold should create (and delete) per-user directories like
391# /data/user/$userId.  This is very important, as these directories need to be
392# encrypted with per-user keys, which only vold can do.  Encryption can only be
393# set up on empty directories, so creation and encryption must happen together.
394neverallow {
395    domain
396    -vold
397} {
398    media_userdir_file
399    system_userdir_file
400    vendor_userdir_file
401}:dir {
402    add_name
403    remove_name
404    write
405};
406
407# Only vold and init should ever set file-based encryption policies.
408neverallowxperm {
409  domain
410  -vold
411  -init
412  -vendor_init
413  is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, ` -vold_prepare_subdirs ')
414} data_file_type:dir ioctl { FS_IOC_SET_ENCRYPTION_POLICY };
415
416# Only vold should ever add/remove file-based encryption keys.
417neverallowxperm {
418  domain
419  -vold
420} data_file_type:dir ioctl { FS_IOC_ADD_ENCRYPTION_KEY FS_IOC_REMOVE_ENCRYPTION_KEY FS_IOC_GET_ENCRYPTION_KEY_STATUS };
421
422neverallow {
423    domain
424    -vold
425    -vold_prepare_subdirs
426} vold_data_file:dir ~{ open create read getattr setattr search relabelfrom relabelto ioctl };
427
428neverallow {
429    domain
430    -init
431    -vold
432    -vold_prepare_subdirs
433} vold_data_file:dir *;
434
435neverallow {
436    domain
437    -init
438    -vold
439} vold_metadata_file:dir *;
440
441neverallow {
442    domain
443    -kernel
444    -vold
445    -vold_prepare_subdirs
446} vold_data_file:notdevfile_class_set ~{ relabelto getattr };
447
448neverallow {
449    domain
450    -init
451    -vold
452    -vold_prepare_subdirs
453} vold_metadata_file:notdevfile_class_set ~{ relabelto getattr };
454
455neverallow {
456    domain
457    -init
458    -kernel
459    -vold
460    -vold_prepare_subdirs
461} { vold_data_file vold_metadata_file }:notdevfile_class_set *;
462
463neverallow { domain -vold -init } restorecon_prop:property_service set;
464
465neverallow vold {
466  domain
467  -hal_health_storage_server
468  -hal_keymaster_server
469  -system_suspend_server
470  -hal_bootctl_server
471  -hwservicemanager
472  -keystore
473  -servicemanager
474  -system_server
475  userdebug_or_eng(`-su')
476}:binder call;
477
478neverallow vold fsck_exec:file execute_no_trans;
479neverallow { domain -init } vold:process { transition dyntransition };
480neverallow vold *:process ptrace;
481neverallow vold *:rawip_socket *;
482