# volume manager
#
# Type-enforcement policy for the vold daemon. Every `allow` below is a
# grant (nothing here denies), so each rule reads as "vold may ...".
# NOTE(review) comments mark grants that reach beyond a single device or
# path and are the first candidates to narrow when this policy is tightened.
type vold, domain;
type vold_exec, exec_type, file_type;

init_daemon_domain(vold)

# Marks vold as an MLS-trusted subject: a broad trust attribute, not a
# per-object grant.
typeattribute vold mlstrustedsubject;
# Execute binaries labeled system_file.
allow vold system_file:file x_file_perms;
# Create directories and block-device nodes under block_device (pairs with
# the mknod capability granted below).
allow vold block_device:dir create_dir_perms;
allow vold block_device:blk_file create_file_perms;
allow vold device:dir write;
allow vold devpts:chr_file rw_file_perms;
# Mount points: rootfs, sdcard-typed dirs and tmpfs dirs may be mounted on.
allow vold rootfs:dir mounton;
allow vold sdcard_type:dir mounton;
allow vold sdcard_type:filesystem { mount remount unmount };
allow vold sdcard_type:dir create_dir_perms;
allow vold sdcard_type:file create_file_perms;
allow vold tmpfs:filesystem { mount unmount };
allow vold tmpfs:dir create_dir_perms;
allow vold tmpfs:dir mounton;
# NOTE(review): sys_admin and dac_override are the most powerful of these
# capabilities (dac_override bypasses discretionary file permission checks);
# they widen what a compromised vold can do well beyond volume management.
allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner fsetid };
# NOTE(review): `*` grants every permission in the class. Prefer enumerating
# the permissions vold actually uses on its uevent socket once they are known.
allow vold self:netlink_kobject_uevent_socket *;
# Read/write files inside app-private data directories.
allow vold app_data_file:dir search;
allow vold app_data_file:file rw_file_perms;
allow vold loop_device:blk_file rw_file_perms;
allow vold dm_device:chr_file rw_file_perms;
# For vold Process::killProcessesWithOpenFiles function.
# NOTE(review): `domain` is the attribute carried by every process domain, so
# these four rules let vold read per-process state (presumably /proc entries
# -- confirm) of *every* process and signal or kill any of them. That is the
# widest blast radius in this file; keep it scoped to exactly what the
# open-file scan needs.
allow vold domain:dir r_dir_perms;
allow vold domain:{ file lnk_file } r_file_perms;
allow vold domain:process { signal sigkill };
allow vold self:capability { sys_ptrace kill };

# For blkid
# NOTE(review): shell_exec covers whatever is labeled as shell binaries, not
# just blkid; a dedicated type for blkid would make this grant precise.
allow vold shell_exec:file rx_file_perms;

# XXX Label sysfs files with a specific type?
# NOTE(review): as written this is read/write to every file labeled sysfs;
# the XXX above is the right fix (a dedicated type for the files vold touches).
allow vold sysfs:file rw_file_perms;

write_klog(vold)

#
# Rules to support encrypted fs support.
#

# Set property.
# Property writes go through the init property socket; which properties may
# be set is governed by the property_service rules further down.
unix_socket_connect(vold, property, init)

# Unmount and mount the fs.
allow vold labeledfs:filesystem { mount unmount remount };

# Access /efs/userdata_footer.
# XXX Split into a separate type?
allow vold efs_file:file rw_file_perms;

# Create and mount on /data/tmp_mnt.
# NOTE(review): system_data_file is the generic /data label, so this grant is
# not limited to tmp_mnt; a dedicated type for the mount point would be tighter.
allow vold system_data_file:dir { create rw_dir_perms mounton };
allow vold system_data_file:file create_file_perms;

# Set scheduling policy of kernel processes
allow vold kernel:process setsched;

# Property Service
# NOTE(review): powerctl_prop and ctl_default_prop are, by their names,
# power-control and service-control properties; setting them is a
# system-wide action rather than a vold-private one -- confirm each is needed.
allow vold vold_prop:property_service set;
allow vold powerctl_prop:property_service set;
allow vold ctl_default_prop:property_service set;

# ASEC
allow vold asec_image_file:file create_file_perms;
allow vold asec_image_file:dir rw_dir_perms;
security_access_policy(vold)
# setattr on the unpacked APK dirs/files; file content itself is read-only here.
allow vold asec_apk_file:dir { rw_dir_perms setattr };
allow vold asec_apk_file:file { r_file_perms setattr };