Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / refs/heads/android-16 / . / private / sdcardd.te
blob: 7cea8900019c147c40f235d2fb4a735ba6390cea [file] [log] [blame]
Alex Klyubinf5446eb2017-03-23 14:27:32 -0700[diff] [blame]1typeattribute sdcardd coredomain;
2
dcashmancc39f632016-07-22 13:13:11 -0700[diff] [blame]3type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;
Inseob Kim75806ef2024-03-27 17:18:41 +0900[diff] [blame]4
5allow sdcardd cgroup:dir create_dir_perms;
6allow sdcardd cgroup_v2:dir create_dir_perms;
7allow sdcardd fuse_device:chr_file rw_file_perms;
8allow sdcardd rootfs:dir mounton; # TODO: deprecated in M
9allow sdcardd sdcardfs:filesystem remount;
10allow sdcardd tmpfs:dir r_dir_perms;
11allow sdcardd mnt_media_rw_file:dir r_dir_perms;
12allow sdcardd storage_file:dir search;
13allow sdcardd storage_stub_file:dir { search mounton };
14allow sdcardd { sdcard_type fuse }:filesystem { mount unmount };
15allow sdcardd self:global_capability_class_set { setuid setgid dac_override dac_read_search sys_admin sys_resource };
16
17allow sdcardd { sdcard_type fuse }:dir create_dir_perms;
18allow sdcardd { sdcard_type fuse }:file create_file_perms;
19
20allow sdcardd media_rw_data_file:dir create_dir_perms;
21allow sdcardd media_rw_data_file:file create_file_perms;
22
23# Read /data/system/packages.list.
24allow sdcardd system_data_file:file r_file_perms;
25allow sdcardd packages_list_file:file r_file_perms;
26
27# Read /data/misc/installd/layout_version
28allow sdcardd install_data_file:file r_file_perms;
29allow sdcardd install_data_file:dir search;
30
31# Allow stdin/out back to vold
32allow sdcardd vold:fd use;
33allow sdcardd vold:fifo_file { read write getattr };
34
35# Allow running on top of expanded storage
36allow sdcardd mnt_expand_file:dir search;
37
38# access /proc/filesystems
39allow sdcardd proc_filesystems:file r_file_perms;
40
41###
42### neverallow rules
43###
44
45# The sdcard daemon should no longer be started from init
46neverallow init sdcardd_exec:file execute;
47neverallow init sdcardd:process { transition dyntransition };