Directory for vold to store private data.

Creates new directory at /data/misc/vold for storing key material on internal storage. Only vold should have access to this label. Change-Id: I7f2d1314ad3b2686e29e2037207ad83d2d3bf465

Directory for vold to store private data.
Creates new directory at /data/misc/vold for storing key material on internal storage. Only vold should have access to this label. Change-Id: I7f2d1314ad3b2686e29e2037207ad83d2d3bf465
4423ecdb · Jeff Sharkey · 5a5b364c · 4423ecdb · 4423ecdb · 4423ecdb
Commit 4423ecdb authored 9 years ago by Jeff Sharkey
--- a/file.te
+++ b/file.te
@@ -110,6 +110,7 @@ type systemkeys_data_file, file_type, data_file_type;
 type vpn_data_file, file_type, data_file_type;
 type wifi_data_file, file_type, data_file_type;
 type zoneinfo_data_file, file_type, data_file_type;
+type vold_data_file, file_type, data_file_type;
 # Compatibility with type names used in vanilla Android 4.3 and 4.4.
 typealias audio_data_file alias audio_firmware_file;

--- a/file_contexts
+++ b/file_contexts
@@ -236,6 +236,7 @@
 /data/misc/wifi/sockets/wpa_ctrl.*   u:object_r:system_wpa_socket:s0
 /data/misc/wifi/hostapd(/.*)?   u:object_r:wpa_socket:s0
 /data/misc/zoneinfo(/.*)?       u:object_r:zoneinfo_data_file:s0
+/data/misc/vold(/.*)?           u:object_r:vold_data_file:s0
 # Bootchart data
 /data/bootchart(/.*)?		u:object_r:bootchart_data_file:s0

--- a/init.te
+++ b/init.te
@@ -82,10 +82,10 @@ allow init rootfs:file relabelfrom;
 # we just allow all file types except /system files here.
 allow init self:capability { chown fowner fsetid };
 allow init {file_type -system_file -exec_type -app_data_file}:dir { create search getattr open read setattr };
-allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file}:dir { write add_name remove_name rmdir relabelfrom };
+allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:dir { write add_name remove_name rmdir relabelfrom };
-allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file}:file { create getattr open read write setattr relabelfrom unlink };
+allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:file { create getattr open read write setattr relabelfrom unlink };
-allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
+allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:{ sock_file fifo_file } { create getattr open read setattr relabelfrom unlink };
-allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file}:lnk_file { create getattr setattr relabelfrom unlink };
+allow init {file_type -system_file -exec_type -keystore_data_file -security_file -app_data_file -shell_data_file -vold_data_file}:lnk_file { create getattr setattr relabelfrom unlink };
 allow init {file_type -system_file -exec_type}:dir_file_class_set relabelto;
 allow init sysfs:{ dir file lnk_file } { getattr relabelfrom };
 allow init sysfs_type:{ dir file lnk_file } relabelto;
@@ -156,6 +156,11 @@ allow init domain:process sigkill;
 allow init keystore_data_file:dir { open create read getattr setattr search };
 allow init keystore_data_file:file { getattr };
+# Init creates vold's directory on boot, and walks through
+# the directory as part of a recursive restorecon.
+allow init vold_data_file:dir { open create read getattr setattr search };
+allow init vold_data_file:file { getattr };
 # Init creates /data/local/tmp at boot
 allow init shell_data_file:dir { open create read getattr setattr search };
 allow init shell_data_file:file { getattr };

--- a/vold.te
+++ b/vold.te
@@ -129,3 +129,12 @@ allow vold metadata_block_device:blk_file rw_file_perms;
 # Allow init to manipulate /data/unencrypted
 allow vold unencrypted_data_file:{ file lnk_file } create_file_perms;
 allow vold unencrypted_data_file:dir create_dir_perms;
+# Give vold a place where only vold can store files; everyone else is off limits
+allow vold vold_data_file:dir rw_dir_perms;
+allow vold vold_data_file:file create_file_perms;
+neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto };
+neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
+neverallow { domain -vold -init } vold_data_file:dir *;
+neverallow { domain -vold -init } vold_data_file:notdevfile_class_set *;