private/vold.te

typeattribute vold coredomain;

init_daemon_domain(vold)

# Switch to more restrictive domains when executing common tools
domain_auto_trans(vold, sgdisk_exec, sgdisk);
domain_auto_trans(vold, sdcardd_exec, sdcardd);

# For a handful of probing tools, we choose an even more restrictive
# domain when working with untrusted block devices
domain_trans(vold, blkid_exec, blkid);
domain_trans(vold, blkid_exec, blkid_untrusted);
domain_trans(vold, fsck_exec, fsck);
domain_trans(vold, fsck_exec, fsck_untrusted);

# Newly created storage dirs are always treated as mount stubs to prevent us
# from accidentally writing when the mount point isn't present.
type_transition vold storage_file:dir storage_stub_file;
type_transition vold mnt_media_rw_file:dir mnt_media_rw_stub_file;

# Property Service
get_prop(vold, vold_config_prop)
get_prop(vold, storage_config_prop);
get_prop(vold, incremental_prop);
get_prop(vold, gsid_prop);

set_prop(vold, vold_prop)
set_prop(vold, vold_status_prop)
set_prop(vold, powerctl_prop)
set_prop(vold, ctl_fuse_prop)
set_prop(vold, restorecon_prop)
set_prop(vold, ota_prop)
set_prop(vold, boottime_prop)
set_prop(vold, boottime_public_prop)

# Vold will use Keystore instead of using Keymint directly. But it still needs
# to manage its Keymint blobs. This is why it needs the `manage_blob` permission.
allow vold vold_key:keystore2_key {
    convert_storage_key_to_ephemeral
    delete
    get_info
    manage_blob
    rebind
    req_forced_op
    update
    use
};

# vold needs to call keystore methods
allow vold keystore:binder call;

# vold needs to find keystore2 services
allow vold keystore_service:service_manager find;
allow vold keystore_maintenance_service:service_manager find;

# vold needs to be able to call earlyBootEnded() and deleteAllKeys()
allow vold keystore:keystore2 early_boot_ended;
allow vold keystore:keystore2 delete_all_keys;

neverallow {
    domain
    -system_server
    -vdc
    -vold
    -update_verifier
    -apexd
    -gsid
} vold_service:service_manager find;

# Allow vold to create and delete per-user directories like /data/user/$userId.
allow vold {
    media_userdir_file
    system_userdir_file
    vendor_userdir_file
}:dir {
    add_name
    remove_name
    write
};

# Only vold should create (and delete) per-user directories like
# /data/user/$userId.  This is very important, as these directories need to be
# encrypted with per-user keys, which only vold can do.  Encryption can only be
# set up on empty directories, so creation and encryption must happen together.
#
# Exception: init creates /data/user/0 and /data/media/obb, so that needs to be
# allowed for now.  (/data/media/obb isn't actually a per-user directory, but
# it's located in /data/media so it constrains the sepolicy for that directory.)
neverallow {
    domain
    -vold
} {
    vendor_userdir_file
}:dir {
    add_name
    remove_name
    write
};
neverallow {
    domain
    -vold
    -init
} {
    system_userdir_file
    media_userdir_file
}:dir {
    add_name
    remove_name
    write
};