# Type-enforcement rules for the droidvold domain.
# Judging by the grants below, droidvold is a vendor volume daemon: it listens
# for kernel uevents, probes block devices and mounts FAT/exFAT/NTFS/ISO9660/
# HFS+ volumes. Rules are grouped by purpose; allow rules are additive, so
# their order carries no meaning.

# ---- Domain, entry point and transitions ----------------------------------
type droidvold, domain;
type droidvold_exec, exec_type, vendor_file_type, file_type;

# Daemon is started by init from a droidvold_exec binary.
init_daemon_domain(droidvold)

# Executing the ntfs_3g_exec helper moves the child into the ntfs_3g domain
# instead of leaving it in droidvold.
domain_auto_trans(droidvold, ntfs_3g_exec, ntfs_3g);

# ---- Capabilities and process attributes ----------------------------------
# sys_admin is required for mount(2)/umount(2); kill backs the signal rules in
# the "open files" section at the end of this file.
# NOTE(review): dac_override, sys_admin, chown, fowner and fsetid together let
# the daemon bypass most DAC checks. Confirm each one is backed by an observed
# denial that cannot be solved with file ownership or a narrower label.
allow droidvold self:capability {
    setgid setuid
    net_admin dac_override sys_admin chown fowner fsetid
    kill
};

# setexec / setfscreate: choose the context for the next exec and for newly
# created files.
# NOTE(review): confirm setexec is still needed now that the ntfs-3g helper
# has an automatic transition of its own.
allow droidvold self:process { setexec setfscreate };

# Ask the kernel to load a module on demand (presumably filesystem drivers).
allow droidvold kernel:system module_request;

# ---- Kernel uevents -------------------------------------------------------
# The target type is the domain itself, i.e. the daemon's own uevent socket.
allow droidvold droidvold:netlink_kobject_uevent_socket { create setopt bind read getopt };

# ---- Pseudo filesystems ---------------------------------------------------
# Read access to pseudo filesystems.
r_dir_file(droidvold, proc)
r_dir_file(droidvold, sysfs_type)
allow droidvold proc_meminfo:file r_file_perms;
allow droidvold sysfs:file { getattr };

allow droidvold { sysfs sysfs_zram sysfs_zram_uevent }:dir { open read search };
# NOTE(review): `sysfs` is the default label for sysfs nodes, so the write
# below is not limited to storage attributes. A dedicated label on the exact
# nodes droidvold writes would narrow this.
allow droidvold { sysfs sysfs_zram sysfs_zram_uevent }:file { write open read };

# NOTE(review): the source here is proc_net, not droidvold. This is a labeling
# rule and presumably belongs next to the proc_net type declaration.
allow proc_net proc:filesystem { associate };

# ---- Device nodes ---------------------------------------------------------
allow droidvold cpuctl_device:dir search;
allow droidvold device:dir { open read };
allow droidvold usb_device:dir { open read search };

# Create entries under the block_device directory.
allow droidvold block_device:dir { create read write search add_name };

# Allowed read-only access to droidvold block devices to extract UUID/label
allow droidvold vold_device:blk_file r_file_perms;
allow droidvold sda_block_device:dir search;
allow droidvold sda_block_device:blk_file r_file_perms;

allow droidvold fuse_device:chr_file r_file_perms;

# NOTE(review): no rationale is recorded for pty read/write or for the FIFO
# under the generic system_data_file label; document the consumer of each.
allow droidvold devpts:chr_file rw_file_perms;
allow droidvold system_data_file:fifo_file { open read write };

# ---- Mounting volumes -----------------------------------------------------
allow droidvold { fuseblk ntfs exfat vfat iso9660 hfsplus }:filesystem { mount unmount };
allow droidvold { vfat exfat ntfs }:dir rw_dir_perms;

# Mount points.
allow droidvold tmpfs:dir { create_dir_perms mounton };
allow droidvold rootfs:dir mounton;
allow droidvold rootfs:file { read open getattr };
allow droidvold mnt_media_rw_file:dir { r_dir_perms create_dir_perms mounton };
allow droidvold mnt_media_rw_file:file create_file_perms;
allow droidvold mnt_media_rw_stub_file:dir { r_dir_perms mounton };

# Presumably read for label lookups that go with setfscreate; verify.
allow droidvold file_contexts_file:file r_file_perms;

# For sgdisk launched through popen()
# (rule intentionally left disabled, as in the original policy)
# allow droidvold shell_exec:file rx_file_perms;

# ---- HIDL service registration and binder ---------------------------------
allow droidvold hwservicemanager_prop:file { open read getattr };
allow droidvold hwservicemanager:binder { call transfer };
allow droidvold { droidvold_hwservice hidl_base_hwservice }:hwservice_manager { add };

allow droidvold system_app:binder { call transfer };

# ---- Killing processes that hold files open on a volume -------------------
# For vold Process::killProcessesWithOpenFiles function.
# NOTE(review): `domain` is an attribute, so these three rules apply to every
# process type carrying it: read access to their /proc entries and the right
# to send signal/sigkill. Check the result against the platform neverallow
# rules when building.
allow droidvold domain:dir r_dir_perms;
allow droidvold domain:{ file lnk_file } r_file_perms;
allow droidvold domain:process { signal sigkill };

# NOTE(review): if platform_app, init and untrusted_app carry the `domain`
# attribute, the per-type rules below add nothing beyond the three rules
# above; confirm before deleting them.
allow droidvold platform_app:dir { open read getattr search };
allow droidvold platform_app:file r_file_perms;
allow droidvold platform_app:lnk_file { open getattr read };

allow droidvold init:dir { r_dir_perms search };
allow droidvold init:file r_file_perms;
allow droidvold init:lnk_file { open getattr read };

allow droidvold untrusted_app:lnk_file { open getattr read };