Lines Matching refs:vold
2 type vold, domain;
6 allow vold cache_file:dir r_dir_perms;
7 allow vold cache_file:file { getattr read };
8 allow vold cache_file:lnk_file r_file_perms;
10 r_dir_file(vold, { sysfs_type -sysfs_batteryinfo })
12 allow vold {
22 r_dir_file(vold, rootfs)
23 r_dir_file(vold, metadata_file)
24 allow vold {
34 allow vold file_contexts_file:file r_file_perms;
37 allow vold self:process setexec;
40 allow vold e2fs_exec:file rx_file_perms;
44 allowxperm vold { fs_type file_type }:dir ioctl FITRIM;
48 allowxperm vold data_file_type:dir ioctl {
55 # Only vold and init should ever set file-based encryption policies.
58 -vold
63 # Only vold should ever add/remove file-based encryption keys.
66 -vold
71 allowxperm vold vold_data_file:file ioctl {
75 typeattribute vold mlstrustedsubject;
76 allow vold self:process setfscreate;
77 allow vold system_file:file x_file_perms;
78 not_full_treble(`allow vold vendor_file:file x_file_perms;')
79 allow vold block_device:dir create_dir_perms;
80 allow vold device:dir write;
81 allow vold devpts:chr_file rw_file_perms;
82 allow vold rootfs:dir mounton;
83 allow vold sdcard_type:dir mounton; # TODO: deprecated in M
84 allow vold sdcard_type:filesystem { mount remount unmount }; # TODO: deprecated in M
85 allow vold sdcard_type:dir create_dir_perms; # TODO: deprecated in M
86 allow vold sdcard_type:file create_file_perms; # TODO: deprecated in M
89 allow vold { mnt_media_rw_file storage_file sdcard_type }:dir create_dir_perms;
90 allow vold { mnt_media_rw_file storage_file sdcard_type }:file create_file_perms;
93 allow vold media_rw_data_file:dir create_dir_perms;
94 allow vold media_rw_data_file:file create_file_perms;
96 allow vold media_rw_data_file:dir mounton;
100 allowxperm vold media_rw_data_file:{ dir file } ioctl {
108 allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr …
111 allow vold mnt_user_file:dir { create_dir_perms mounton };
112 allow vold mnt_user_file:lnk_file create_file_perms;
113 allow vold mnt_user_file:file create_file_perms;
116 allow vold mnt_pass_through_file:dir { create_dir_perms mounton };
117 allow vold mnt_pass_through_file:lnk_file create_file_perms;
120 allow vold mnt_expand_file:dir { create_dir_perms mounton };
121 allow vold apk_data_file:dir { create getattr setattr };
122 allow vold shell_data_file:dir { create getattr setattr };
125 allow vold apk_data_file:dir { mounton rw_dir_perms };
127 allow vold apk_data_file:file rw_file_perms;
129 allow vold apk_tmp_file:dir { mounton r_dir_perms };
131 allow vold incremental_control_file:file { r_file_perms relabelto };
133 allow vold tmpfs:filesystem { mount unmount };
134 allow vold tmpfs:dir create_dir_perms;
135 allow vold tmpfs:dir mounton;
136 allow vold self:global_capability_class_set { net_admin dac_override dac_read_search mknod sys_admi…
137 allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
138 allow vold loop_control_device:chr_file rw_file_perms;
139 allow vold loop_device:blk_file { create setattr unlink rw_file_perms };
140 allowxperm vold loop_device:blk_file ioctl {
147 allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
148 allowxperm vold vold_device:blk_file ioctl { BLKDISCARD BLKGETSIZE };
149 allow vold dm_device:chr_file rw_file_perms;
150 allow vold dm_device:blk_file rw_file_perms;
151 allowxperm vold dm_device:blk_file ioctl BLKSECDISCARD;
152 # For vold Process::killProcessesWithOpenFiles function.
153 allow vold domain:dir r_dir_perms;
154 allow vold domain:{ file lnk_file } r_file_perms;
155 allow vold domain:process { signal sigkill };
156 allow vold self:global_capability_class_set { sys_ptrace kill };
158 allow vold kmsg_device:chr_file rw_file_perms;
161 allow vold fsck_exec:file { r_file_perms execute };
164 allow vold fscklogs:dir rw_dir_perms;
165 allow vold fscklogs:file create_file_perms;
172 allow vold labeledfs:filesystem { mount unmount remount };
176 allow vold efs_file:file rw_file_perms;
179 allow vold {
183 allow vold system_data_file:lnk_file getattr;
186 allow vold vendor_data_file:dir create_dir_perms;
189 allow vold system_data_file:file read;
192 allow vold kernel:process setsched;
195 set_prop(vold, vold_prop)
196 set_prop(vold, exported_vold_prop)
197 set_prop(vold, exported2_vold_prop)
198 set_prop(vold, powerctl_prop)
199 set_prop(vold, ctl_fuse_prop)
200 set_prop(vold, restorecon_prop)
201 set_prop(vold, ota_prop)
202 set_prop(vold, boottime_prop)
203 get_prop(vold, storage_config_prop)
204 get_prop(vold, incremental_prop)
207 allow vold asec_image_file:file create_file_perms;
208 allow vold asec_image_file:dir rw_dir_perms;
209 allow vold asec_apk_file:dir { create_dir_perms mounton relabelfrom relabelto };
210 allow vold asec_public_file:dir { relabelto setattr };
211 allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto };
212 allow vold asec_public_file:file { relabelto setattr };
214 allow vold unlabeled:dir { r_dir_perms setattr relabelfrom };
215 allow vold unlabeled:file { r_file_perms setattr relabelfrom };
218 allow vold fusectlfs:file rw_file_perms;
219 allow vold fusectlfs:dir rw_dir_perms;
222 wakelock_use(vold)
224 # Allow vold to publish a binder service and make binder calls.
225 binder_use(vold)
226 add_service(vold, vold_service)
228 # Allow vold to call into the system server so it can check permissions.
229 binder_call(vold, system_server)
230 allow vold permission_service:service_manager find;
233 binder_call(vold, healthd)
236 hal_client_domain(vold, hal_keymaster)
239 hal_client_domain(vold, hal_health_storage)
242 full_treble_only(`hal_client_domain(vold, hal_bootctl)')
245 allow vold userdata_block_device:blk_file rw_file_perms;
246 allowxperm vold userdata_block_device:blk_file ioctl BLKSECDISCARD;
249 allow vold metadata_block_device:blk_file rw_file_perms;
251 # Allow vold to manipulate /data/unencrypted
252 allow vold unencrypted_data_file:{ file } create_file_perms;
253 allow vold unencrypted_data_file:dir create_dir_perms;
256 allow vold proc_drop_caches:file w_file_perms;
258 # Give vold a place where only vold can store files; everyone else is off limits
259 allow vold vold_data_file:dir create_dir_perms;
260 allow vold vold_data_file:file create_file_perms;
263 allow vold vold_metadata_file:dir create_dir_perms;
264 allow vold vold_metadata_file:file create_file_perms;
267 allow vold init:key { write search setattr };
268 allow vold vold:key { write search setattr };
270 # vold temporarily changes its priority when running benchmarks
271 allow vold self:global_capability_class_set sys_nice;
273 # vold needs to chroot into app namespaces to remount when runtime permissions change
274 allow vold self:global_capability_class_set sys_chroot;
275 allow vold storage_file:dir mounton;
278 allow vold fuse_device:chr_file rw_file_perms;
279 allow vold fuse:filesystem { relabelfrom };
280 allow vold app_fusefs:filesystem { relabelfrom relabelto };
281 allow vold app_fusefs:filesystem { mount unmount };
282 allow vold app_fuse_file:dir rw_dir_perms;
283 allow vold app_fuse_file:file { read write open getattr append };
286 allow vold toolbox_exec:file rx_file_perms;
289 allow vold user_profile_data_file:dir create_dir_perms;
292 allow vold misc_block_device:blk_file w_file_perms;
294 # vold might need to search or mount /mnt/vendor/*
295 allow vold mnt_vendor_file:dir search;
297 dontaudit vold self:global_capability_class_set sys_resource;
299 # vold needs to know whether we're running a GSI.
300 allow vold gsi_metadata_file:dir r_dir_perms;
301 allow vold gsi_metadata_file:file r_file_perms;
305 -vold
312 -vold
319 -vold
325 -vold
332 -vold
340 -vold
344 neverallow { domain -vold -init } restorecon_prop:property_service set;
350 -vold
355 neverallow vold {
369 neverallow vold fsck_exec:file execute_no_trans;
370 neverallow { domain -init } vold:process { transition dyntransition };
371 neverallow vold *:process ptrace;
372 neverallow vold *:rawip_socket *;