# encryptedstore is a program that provides an (encrypted) storage solution in a VM based on dm-crypt.
# The rules below are scoped to that one job: open the backing virtio block device, set up a
# dm-crypt mapping over it, format and mount the result, and report progress through kmsg.

type encryptedstore, domain, coredomain;
type encryptedstore_exec, exec_type, file_type, system_file_type;

# encryptedstore is using bootstrap bionic
use_bootstrap_libs(encryptedstore)

# encryptedstore requires read access to the block device directory to map dm-crypt
r_dir_file(encryptedstore, block_device)

# encryptedstore accesses /dev/vd* block device files (the virtio disk backing the store).
allow encryptedstore vd_device:blk_file rw_file_perms;

# allow encryptedstore to create dm-crypt devices.
# chr_file covers the device-mapper control node, blk_file the mapped devices it creates
# (presumably /dev/mapper/control and the dm-* block nodes; confirm against the device labelling).
allow encryptedstore dm_device:{ chr_file blk_file } rw_file_perms;

# sys_admin is required to access the device-mapper and mount.
# This is a broad capability; the neverallow at the end of this file keeps the domain
# reachable only from microdroid_manager.
allow encryptedstore self:global_capability_class_set sys_admin;

# encryptedstore is forked from microdroid_manager and uses the file descriptors it inherits
allow encryptedstore microdroid_manager:fd use;

# For formatting the encrypted storage device: mkfs.ext4 is executed without a domain
# transition, so it runs with encryptedstore's own permissions (hence the sysfs rules below).
allow encryptedstore e2fs_exec:file { rx_file_perms };
# Restrict the ioctls encryptedstore may issue on dm block devices to block geometry
# (BLKPBSZGET), discard behaviour (BLKDISCARDZEROES, BLKDISCARD) and read-only state (BLKROGET),
# presumably what mkfs.ext4 needs. Once an allowxperm rule exists for this source/target/class,
# every ioctl outside the listed set is denied; the list applies to blk_file only, not chr_file.
allowxperm encryptedstore dm_device:blk_file ioctl {
  BLKPBSZGET BLKDISCARDZEROES BLKROGET BLKDISCARD
};

# access /sys/fs/ext4/features - required because encryptedstore runs mkfs.ext4 in its own domain
allow encryptedstore sysfs_fs_ext4_features:dir search;
allow encryptedstore sysfs_fs_ext4_features:file r_file_perms;

# encryptedstore creates the mount point under the tmpfs-backed directory (/mnt/) and mounts on it
allow encryptedstore tmpfs:dir  { add_name create mounton write };

# encryptedstore relabels the labeledfs to encryptedstore_fs, then mounts on the latter.
# relabelfrom on labeledfs is only the source side of that relabel: no mount permission on
# labeledfs is granted here, so the filesystem is usable only once it carries the
# encryptedstore_fs label.
allow encryptedstore labeledfs:filesystem { relabelfrom };
allow encryptedstore encryptedstore_fs:filesystem { mount unmount relabelto relabelfrom };

# chmod the root directory of the mounted store
allow encryptedstore encryptedstore_file:dir setattr;

# allow encryptedstore to log to the kernel
allow encryptedstore kmsg_device:chr_file w_file_perms;

# Allow encryptedstore to write kmsg_debug (stdio_to_kmsg).
allow encryptedstore kmsg_debug_device:chr_file w_file_perms;

# Only microdroid_manager can run encryptedstore. This is a policy-build-time assertion:
# compilation fails if any other domain, in this file or elsewhere, is granted a transition
# into encryptedstore.
neverallow { domain -microdroid_manager } encryptedstore:process { transition dyntransition };