Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 5ef8686428bfe2729b9ed33b8466ac8fc828244a / . / private / vold.te
blob: 93a3515324eb77565bd21c274141500939f0b56e [file] [log] [blame]
Alex Klyubinf5446eb2017-03-23 14:27:32 -0700[diff] [blame]1typeattribute vold coredomain;
2
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]3init_daemon_domain(vold)
4
5# Switch to more restrictive domains when executing common tools
6domain_auto_trans(vold, sgdisk_exec, sgdisk);
7domain_auto_trans(vold, sdcardd_exec, sdcardd);
8
9# For a handful of probing tools, we choose an even more restrictive
10# domain when working with untrusted block devices
Paul Crowleyf9f75392018-11-30 15:58:26 -0800[diff] [blame]11domain_trans(vold, blkid_exec, blkid);
12domain_trans(vold, blkid_exec, blkid_untrusted);
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]13domain_trans(vold, fsck_exec, fsck);
14domain_trans(vold, fsck_exec, fsck_untrusted);
15
16# Newly created storage dirs are always treated as mount stubs to prevent us
17# from accidentally writing when the mount point isn't present.
18type_transition vold storage_file:dir storage_stub_file;
19type_transition vold mnt_media_rw_file:dir mnt_media_rw_stub_file;
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]20
21# Property Service
Inseob Kim3f5a7d22020-04-06 20:49:17 +0900[diff] [blame]22get_prop(vold, vold_config_prop)
Martijn Coenen01234d32020-04-10 14:11:49 +0200[diff] [blame]23get_prop(vold, storage_config_prop);
Songchun Fan9fdcbcd2020-04-28 13:24:54 -0700[diff] [blame]24get_prop(vold, incremental_prop);
Inseob Kim3f5a7d22020-04-06 20:49:17 +0900[diff] [blame]25
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]26set_prop(vold, vold_prop)
Inseob Kim3f5a7d22020-04-06 20:49:17 +0900[diff] [blame]27set_prop(vold, vold_status_prop)
Inseob Kim55e5c9b2020-03-04 17:20:35 +0900[diff] [blame]28set_prop(vold, powerctl_prop)
29set_prop(vold, ctl_fuse_prop)
30set_prop(vold, restorecon_prop)
31set_prop(vold, ota_prop)
32set_prop(vold, boottime_prop)
Inseob Kim42c7d892020-03-04 17:20:35 +0900[diff] [blame]33set_prop(vold, boottime_public_prop)
Janis Danisevskis32d77382020-07-31 22:22:49 -0700[diff] [blame]34
35# Vold will use Keystore instead of using Keymint directly. But it still needs
36# to manage its Keymint blobs. This is why it needs the `manage_blob` permission.
37allow vold vold_key:keystore2_key {
Satya Tangirala06533742021-03-08 09:48:42 -0800[diff] [blame]38 convert_storage_key_to_ephemeral
Janis Danisevskis32d77382020-07-31 22:22:49 -0700[diff] [blame]39 delete
40 get_info
Janis Danisevskis32d77382020-07-31 22:22:49 -0700[diff] [blame]41 manage_blob
42 rebind
43 req_forced_op
44 update
45 use
46};
Xin Li11da9e62020-08-29 01:45:24 -0700[diff] [blame]47
Satya Tangirala5ef86862021-03-11 03:57:03 -0800[diff] [blame^]48# vold needs to find keystore2 services
49allow vold keystore_maintenance_service:service_manager find;
50
51# vold needs to be able to call earlyBootEnded()
52allow vold keystore:keystore2 early_boot_ended;
53
Yo Chiangffe786e2020-10-07 13:59:52 +0800[diff] [blame]54neverallow {
55 domain
56 -system_server
57 -vdc
58 -vold
59 -update_verifier
60 -apexd
61 -gsid
62} vold_service:service_manager find;