Something went wrong on our end
Select Git revision
-
Jeff Sharkey authoredDefine an explicit label for /proc/sys/vm/drop_caches and grant to the various people who need it, including vold which uses it when performing storage benchmarks. Also let vold create new directories under it's private storage area where the benchmarks will be carried out. Mirror the definition of the private storage area on expanded media. avc: denied { write } for name="drop_caches" dev="proc" ino=20524 scontext=u:r:vold:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=0 Bug: 21172095 Change-Id: I300b1cdbd235ff60e64064d3ba6e5ea783baf23fJeff Sharkey authoredDefine an explicit label for /proc/sys/vm/drop_caches and grant to the various people who need it, including vold which uses it when performing storage benchmarks. Also let vold create new directories under it's private storage area where the benchmarks will be carried out. Mirror the definition of the private storage area on expanded media. avc: denied { write } for name="drop_caches" dev="proc" ino=20524 scontext=u:r:vold:s0 tcontext=u:object_r:proc:s0 tclass=file permissive=0 Bug: 21172095 Change-Id: I300b1cdbd235ff60e64064d3ba6e5ea783baf23f
vold.te 5.85 KiB
# volume manager
type vold, domain;
type vold_exec, exec_type, file_type;
init_daemon_domain(vold)
# Switch to more restrictive domains when executing common tools
domain_auto_trans(vold, sgdisk_exec, sgdisk);
domain_auto_trans(vold, sdcardd_exec, sdcardd);
# For a handful of probing tools, we choose an even more restrictive
# domain when working with untrusted block devices
domain_trans(vold, shell_exec, blkid);
domain_trans(vold, shell_exec, blkid_untrusted);
domain_trans(vold, fsck_exec, fsck);
domain_trans(vold, fsck_exec, fsck_untrusted);
# Allow us to jump into execution domains of above tools
allow vold self:process setexec;
# For sgdisk launched through popen()
allow vold shell_exec:file rx_file_perms;
typeattribute vold mlstrustedsubject;
allow vold self:process setfscreate;
allow vold system_file:file x_file_perms;
allow vold block_device:dir create_dir_perms;
allow vold block_device:blk_file create_file_perms;
auditallow vold block_device:blk_file create_file_perms;
allow vold device:dir write;
allow vold devpts:chr_file rw_file_perms;
allow vold rootfs:dir mounton;
allow vold sdcard_type:dir mounton; # TODO: deprecated in M
allow vold sdcard_type:filesystem { mount remount unmount }; # TODO: deprecated in M
allow vold sdcard_type:dir create_dir_perms; # TODO: deprecated in M
allow vold sdcard_type:file create_file_perms; # TODO: deprecated in M
# Manage locations where storage is mounted
allow vold { mnt_media_rw_file storage_file sdcard_type }:dir create_dir_perms;
allow vold { mnt_media_rw_file storage_file sdcard_type }:file create_file_perms;
# Access to storage that backs emulated FUSE daemons for migration optimization
allow vold media_rw_data_file:dir create_dir_perms;
allow vold media_rw_data_file:file create_file_perms;
# Newly created storage dirs are always treated as mount stubs to prevent us
# from accidentally writing when the mount point isn't present.
type_transition vold storage_file:dir storage_stub_file;
type_transition vold mnt_media_rw_file:dir mnt_media_rw_stub_file;
# Allow mounting of storage devices
allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr };
allow vold sdcard_type:filesystem { mount unmount remount };
# Manage per-user primary symlinks
allow vold mnt_user_file:dir create_dir_perms;
allow vold mnt_user_file:lnk_file create_file_perms;
# Allow to create and mount expanded storage
allow vold mnt_expand_file:dir { create_dir_perms mounton };
allow vold apk_data_file:dir { create getattr setattr };
allow vold shell_data_file:dir { create getattr setattr };
allow vold tmpfs:filesystem { mount unmount };
allow vold tmpfs:dir create_dir_perms;
allow vold tmpfs:dir mounton;
allow vold self:capability { net_admin dac_override mknod sys_admin chown fowner fsetid };
allow vold self:netlink_kobject_uevent_socket create_socket_perms;
allow vold app_data_file:dir search;
allow vold app_data_file:file rw_file_perms;