xref: /aosp_15_r20/system/sepolicy/prebuilts/api/202404/private/vold.te (revision e4a36f4174b17bbab9dc043f4a65dc8d87377290)
1*e4a36f41SAndroid Build Coastguard Workertypeattribute vold coredomain;
2*e4a36f41SAndroid Build Coastguard Worker
3*e4a36f41SAndroid Build Coastguard Workerinit_daemon_domain(vold)
4*e4a36f41SAndroid Build Coastguard Worker
5*e4a36f41SAndroid Build Coastguard Worker# Switch to more restrictive domains when executing common tools
6*e4a36f41SAndroid Build Coastguard Workerdomain_auto_trans(vold, sgdisk_exec, sgdisk);
7*e4a36f41SAndroid Build Coastguard Workerdomain_auto_trans(vold, sdcardd_exec, sdcardd);
8*e4a36f41SAndroid Build Coastguard Workerdomain_auto_trans(vold, fuseblkd_untrusted_exec, fuseblkd_untrusted);
9*e4a36f41SAndroid Build Coastguard Worker
10*e4a36f41SAndroid Build Coastguard Worker# Switch to e2fs domain when running mkfs.ext4 to format a partition
11*e4a36f41SAndroid Build Coastguard Workerdomain_auto_trans(vold, e2fs_exec, e2fs);
12*e4a36f41SAndroid Build Coastguard Worker
13*e4a36f41SAndroid Build Coastguard Worker
14*e4a36f41SAndroid Build Coastguard Worker# For a handful of probing tools, we choose an even more restrictive
15*e4a36f41SAndroid Build Coastguard Worker# domain when working with untrusted block devices
16*e4a36f41SAndroid Build Coastguard Workerdomain_trans(vold, blkid_exec, blkid);
17*e4a36f41SAndroid Build Coastguard Workerdomain_trans(vold, blkid_exec, blkid_untrusted);
18*e4a36f41SAndroid Build Coastguard Workerdomain_trans(vold, fsck_exec, fsck);
19*e4a36f41SAndroid Build Coastguard Workerdomain_trans(vold, fsck_exec, fsck_untrusted);
20*e4a36f41SAndroid Build Coastguard Worker
21*e4a36f41SAndroid Build Coastguard Worker# Newly created storage dirs are always treated as mount stubs to prevent us
22*e4a36f41SAndroid Build Coastguard Worker# from accidentally writing when the mount point isn't present.
23*e4a36f41SAndroid Build Coastguard Workertype_transition vold storage_file:dir storage_stub_file;
24*e4a36f41SAndroid Build Coastguard Workertype_transition vold mnt_media_rw_file:dir mnt_media_rw_stub_file;
25*e4a36f41SAndroid Build Coastguard Worker
26*e4a36f41SAndroid Build Coastguard Worker# Property Service
27*e4a36f41SAndroid Build Coastguard Workerget_prop(vold, vold_config_prop)
28*e4a36f41SAndroid Build Coastguard Workerget_prop(vold, storage_config_prop);
29*e4a36f41SAndroid Build Coastguard Workerget_prop(vold, incremental_prop);
30*e4a36f41SAndroid Build Coastguard Workerget_prop(vold, gsid_prop);
31*e4a36f41SAndroid Build Coastguard Worker
32*e4a36f41SAndroid Build Coastguard Workerset_prop(vold, vold_prop)
33*e4a36f41SAndroid Build Coastguard Workerset_prop(vold, vold_status_prop)
34*e4a36f41SAndroid Build Coastguard Workerset_prop(vold, powerctl_prop)
35*e4a36f41SAndroid Build Coastguard Workerset_prop(vold, ctl_fuse_prop)
36*e4a36f41SAndroid Build Coastguard Workerset_prop(vold, restorecon_prop)
37*e4a36f41SAndroid Build Coastguard Workerset_prop(vold, ota_prop)
38*e4a36f41SAndroid Build Coastguard Workerset_prop(vold, boottime_prop)
39*e4a36f41SAndroid Build Coastguard Workerset_prop(vold, boottime_public_prop)
40*e4a36f41SAndroid Build Coastguard Worker
41*e4a36f41SAndroid Build Coastguard Worker# Vold will use Keystore instead of using Keymint directly. But it still needs
42*e4a36f41SAndroid Build Coastguard Worker# to manage its Keymint blobs. This is why it needs the `manage_blob` permission.
43*e4a36f41SAndroid Build Coastguard Workerallow vold vold_key:keystore2_key {
44*e4a36f41SAndroid Build Coastguard Worker    convert_storage_key_to_ephemeral
45*e4a36f41SAndroid Build Coastguard Worker    delete
46*e4a36f41SAndroid Build Coastguard Worker    get_info
47*e4a36f41SAndroid Build Coastguard Worker    manage_blob
48*e4a36f41SAndroid Build Coastguard Worker    rebind
49*e4a36f41SAndroid Build Coastguard Worker    req_forced_op
50*e4a36f41SAndroid Build Coastguard Worker    update
51*e4a36f41SAndroid Build Coastguard Worker    use
52*e4a36f41SAndroid Build Coastguard Worker};
53*e4a36f41SAndroid Build Coastguard Worker
54*e4a36f41SAndroid Build Coastguard Worker# vold needs to call keystore methods
55*e4a36f41SAndroid Build Coastguard Workerallow vold keystore:binder call;
56*e4a36f41SAndroid Build Coastguard Worker
57*e4a36f41SAndroid Build Coastguard Worker# vold needs to find keystore2 services
58*e4a36f41SAndroid Build Coastguard Workerallow vold keystore_service:service_manager find;
59*e4a36f41SAndroid Build Coastguard Workerallow vold keystore_maintenance_service:service_manager find;
60*e4a36f41SAndroid Build Coastguard Worker
61*e4a36f41SAndroid Build Coastguard Worker# vold needs to be able to call earlyBootEnded() and deleteAllKeys()
62*e4a36f41SAndroid Build Coastguard Workerallow vold keystore:keystore2 early_boot_ended;
63*e4a36f41SAndroid Build Coastguard Workerallow vold keystore:keystore2 delete_all_keys;
64*e4a36f41SAndroid Build Coastguard Worker
65*e4a36f41SAndroid Build Coastguard Workerneverallow {
66*e4a36f41SAndroid Build Coastguard Worker    domain
67*e4a36f41SAndroid Build Coastguard Worker    -system_server
68*e4a36f41SAndroid Build Coastguard Worker    -vdc
69*e4a36f41SAndroid Build Coastguard Worker    -vold
70*e4a36f41SAndroid Build Coastguard Worker    -update_verifier
71*e4a36f41SAndroid Build Coastguard Worker    -apexd
72*e4a36f41SAndroid Build Coastguard Worker    -gsid
73*e4a36f41SAndroid Build Coastguard Worker} vold_service:service_manager find;
74*e4a36f41SAndroid Build Coastguard Worker
75*e4a36f41SAndroid Build Coastguard Worker# Allow vold to create and delete per-user directories like /data/user/$userId.
76*e4a36f41SAndroid Build Coastguard Workerallow vold {
77*e4a36f41SAndroid Build Coastguard Worker    media_userdir_file
78*e4a36f41SAndroid Build Coastguard Worker    system_userdir_file
79*e4a36f41SAndroid Build Coastguard Worker    vendor_userdir_file
80*e4a36f41SAndroid Build Coastguard Worker}:dir {
81*e4a36f41SAndroid Build Coastguard Worker    add_name
82*e4a36f41SAndroid Build Coastguard Worker    remove_name
83*e4a36f41SAndroid Build Coastguard Worker    write
84*e4a36f41SAndroid Build Coastguard Worker};
85*e4a36f41SAndroid Build Coastguard Worker
86*e4a36f41SAndroid Build Coastguard Worker# Only vold should create (and delete) per-user directories like
87*e4a36f41SAndroid Build Coastguard Worker# /data/user/$userId.  This is very important, as these directories need to be
88*e4a36f41SAndroid Build Coastguard Worker# encrypted with per-user keys, which only vold can do.  Encryption can only be
89*e4a36f41SAndroid Build Coastguard Worker# set up on empty directories, so creation and encryption must happen together.
90*e4a36f41SAndroid Build Coastguard Workerneverallow {
91*e4a36f41SAndroid Build Coastguard Worker    domain
92*e4a36f41SAndroid Build Coastguard Worker    -vold
93*e4a36f41SAndroid Build Coastguard Worker} {
94*e4a36f41SAndroid Build Coastguard Worker    media_userdir_file
95*e4a36f41SAndroid Build Coastguard Worker    system_userdir_file
96*e4a36f41SAndroid Build Coastguard Worker    vendor_userdir_file
97*e4a36f41SAndroid Build Coastguard Worker}:dir {
98*e4a36f41SAndroid Build Coastguard Worker    add_name
99*e4a36f41SAndroid Build Coastguard Worker    remove_name
100*e4a36f41SAndroid Build Coastguard Worker    write
101*e4a36f41SAndroid Build Coastguard Worker};
102