# vold: the volume/storage management daemon. It is part of the core
# (system-image) policy, so the coredomain-wide rules apply to it.
typeattribute vold coredomain;

# init execs vold_exec and automatically transitions into the vold domain.
init_daemon_domain(vold)

###
### Helper tools vold execs
###

# Tools vold runs routinely drop into their own, more restrictive domain
# automatically on exec (a process type_transition is installed), so a bug in
# the tool never runs with vold's full set of permissions.
domain_auto_trans(vold, sgdisk_exec, sgdisk)
domain_auto_trans(vold, sdcardd_exec, sdcardd)
domain_auto_trans(vold, fuseblkd_untrusted_exec, fuseblkd_untrusted)

# mkfs.ext4, used to format a partition, runs in the e2fs domain.
domain_auto_trans(vold, e2fs_exec, e2fs)

# blkid and fsck probe block devices that may be untrusted (e.g. removable
# media). Each executable has two possible target domains: the regular one
# and a tighter *_untrusted one. Because a single exec type maps to two
# targets, no automatic transition is installed here; the transitions are
# only *permitted*, and vold picks the target domain explicitly at exec time
# for the device it is probing. The policy itself does not enforce which of
# the two vold chooses, so that choice inside vold is a security-relevant
# control point: an untrusted device probed in the non-_untrusted domain gets
# the weaker sandbox.
domain_trans(vold, blkid_exec, blkid)
domain_trans(vold, blkid_exec, blkid_untrusted)
domain_trans(vold, fsck_exec, fsck)
domain_trans(vold, fsck_exec, fsck_untrusted)

###
### Storage mount points
###

# Directories vold creates under storage_file / mnt_media_rw_file are labeled
# with the matching *_stub_file type. The stub label marks a mount point whose
# filesystem is not (yet) mounted, so nothing accidentally writes into the
# empty directory underneath.
type_transition vold storage_file:dir storage_stub_file;
type_transition vold mnt_media_rw_file:dir mnt_media_rw_stub_file;

###
### Property service
###

# Read-only configuration properties.
get_prop(vold, gsid_prop)
get_prop(vold, incremental_prop)
get_prop(vold, storage_config_prop)
get_prop(vold, vold_config_prop)

# Properties vold may set. Two of them reach beyond vold's own state:
# powerctl_prop presumably lets vold request a reboot/shutdown from init, and
# ctl_fuse_prop lets it start/stop fuse services through init's ctl.*
# interface (inferred from the property names - verify against the property
# contexts before relying on it).
set_prop(vold, boottime_prop)
set_prop(vold, boottime_public_prop)
set_prop(vold, ctl_fuse_prop)
set_prop(vold, ota_prop)
set_prop(vold, powerctl_prop)
set_prop(vold, restorecon_prop)
set_prop(vold, vold_prop)
set_prop(vold, vold_status_prop)

###
### Keystore
###

# vold goes through Keystore rather than talking to KeyMint directly, but it
# still owns and manages its own KeyMint key blobs - hence manage_blob on top
# of the ordinary key operations.
allow vold vold_key:keystore2_key {
    convert_storage_key_to_ephemeral
    delete
    get_info
    manage_blob
    rebind
    req_forced_op
    update
    use
};

# Locate the keystore2 services and call into keystore over binder.
allow vold { keystore_service keystore_maintenance_service }:service_manager find;
allow vold keystore:binder call;

# Privileged keystore2 maintenance operations vold drives:
# earlyBootEnded() and deleteAllKeys().
allow vold keystore:keystore2 { early_boot_ended delete_all_keys };

###
### Per-user directories
###

# vold creates and deletes the per-user directories such as
# /data/user/$userId.
allow vold {
    media_userdir_file
    system_userdir_file
    vendor_userdir_file
}:dir { add_name remove_name write };

###
### Invariants (neverallow)
###

# Only this short list of domains may even look up vold's binder service;
# every other domain cannot reach vold's IPC surface at all. (find is just the
# first step - the binder call rules for these domains live elsewhere.)
neverallow {
    domain
    -apexd
    -gsid
    -system_server
    -update_verifier
    -vdc
    -vold
} vold_service:service_manager find;

# Only vold may create or delete per-user directories. These directories must
# be encrypted with per-user keys, which only vold can set up, and encryption
# can only be applied to an empty directory - so creation and encryption have
# to happen together, inside vold. A directory created by any other domain
# would not get its per-user encryption set up.
neverallow { domain -vold } {
    media_userdir_file
    system_userdir_file
    vendor_userdir_file
}:dir { add_name remove_name write };