1*e4a36f41SAndroid Build Coastguard Workertypeattribute vold coredomain; 2*e4a36f41SAndroid Build Coastguard Worker 3*e4a36f41SAndroid Build Coastguard Workerinit_daemon_domain(vold) 4*e4a36f41SAndroid Build Coastguard Worker 5*e4a36f41SAndroid Build Coastguard Worker# Switch to more restrictive domains when executing common tools 6*e4a36f41SAndroid Build Coastguard Workerdomain_auto_trans(vold, sgdisk_exec, sgdisk); 7*e4a36f41SAndroid Build Coastguard Workerdomain_auto_trans(vold, sdcardd_exec, sdcardd); 8*e4a36f41SAndroid Build Coastguard Worker 9*e4a36f41SAndroid Build Coastguard Worker# For a handful of probing tools, we choose an even more restrictive 10*e4a36f41SAndroid Build Coastguard Worker# domain when working with untrusted block devices 11*e4a36f41SAndroid Build Coastguard Workerdomain_trans(vold, blkid_exec, blkid); 12*e4a36f41SAndroid Build Coastguard Workerdomain_trans(vold, blkid_exec, blkid_untrusted); 13*e4a36f41SAndroid Build Coastguard Workerdomain_trans(vold, fsck_exec, fsck); 14*e4a36f41SAndroid Build Coastguard Workerdomain_trans(vold, fsck_exec, fsck_untrusted); 15*e4a36f41SAndroid Build Coastguard Worker 16*e4a36f41SAndroid Build Coastguard Worker# Newly created storage dirs are always treated as mount stubs to prevent us 17*e4a36f41SAndroid Build Coastguard Worker# from accidentally writing when the mount point isn't present. 18*e4a36f41SAndroid Build Coastguard Workertype_transition vold storage_file:dir storage_stub_file; 19*e4a36f41SAndroid Build Coastguard Workertype_transition vold mnt_media_rw_file:dir mnt_media_rw_stub_file; 20*e4a36f41SAndroid Build Coastguard Worker 21*e4a36f41SAndroid Build Coastguard Worker# Property Service 22*e4a36f41SAndroid Build Coastguard Workerget_prop(vold, vold_config_prop) 23*e4a36f41SAndroid Build Coastguard Workerget_prop(vold, storage_config_prop); 24*e4a36f41SAndroid Build Coastguard Workerget_prop(vold, incremental_prop); 25*e4a36f41SAndroid Build Coastguard Worker 26*e4a36f41SAndroid Build Coastguard Workerset_prop(vold, vold_post_fs_data_prop) 27*e4a36f41SAndroid Build Coastguard Workerset_prop(vold, vold_prop) 28*e4a36f41SAndroid Build Coastguard Workerset_prop(vold, vold_status_prop) 29*e4a36f41SAndroid Build Coastguard Workerset_prop(vold, powerctl_prop) 30*e4a36f41SAndroid Build Coastguard Workerset_prop(vold, ctl_fuse_prop) 31*e4a36f41SAndroid Build Coastguard Workerset_prop(vold, restorecon_prop) 32*e4a36f41SAndroid Build Coastguard Workerset_prop(vold, ota_prop) 33*e4a36f41SAndroid Build Coastguard Workerset_prop(vold, boottime_prop) 34*e4a36f41SAndroid Build Coastguard Workerset_prop(vold, boottime_public_prop) 35*e4a36f41SAndroid Build Coastguard Worker 36*e4a36f41SAndroid Build Coastguard Worker# Vold will use Keystore instead of using Keymint directly. But it still needs 37*e4a36f41SAndroid Build Coastguard Worker# to manage its Keymint blobs. This is why it needs the `manage_blob` permission. 38*e4a36f41SAndroid Build Coastguard Workerallow vold vold_key:keystore2_key { 39*e4a36f41SAndroid Build Coastguard Worker convert_storage_key_to_ephemeral 40*e4a36f41SAndroid Build Coastguard Worker delete 41*e4a36f41SAndroid Build Coastguard Worker get_info 42*e4a36f41SAndroid Build Coastguard Worker manage_blob 43*e4a36f41SAndroid Build Coastguard Worker rebind 44*e4a36f41SAndroid Build Coastguard Worker req_forced_op 45*e4a36f41SAndroid Build Coastguard Worker update 46*e4a36f41SAndroid Build Coastguard Worker use 47*e4a36f41SAndroid Build Coastguard Worker}; 48*e4a36f41SAndroid Build Coastguard Worker 49*e4a36f41SAndroid Build Coastguard Worker# vold needs to call keystore methods 50*e4a36f41SAndroid Build Coastguard Workerallow vold keystore:binder call; 51*e4a36f41SAndroid Build Coastguard Worker 52*e4a36f41SAndroid Build Coastguard Worker# vold needs to find keystore2 services 53*e4a36f41SAndroid Build Coastguard Workerallow vold keystore_service:service_manager find; 54*e4a36f41SAndroid Build Coastguard Workerallow vold keystore_maintenance_service:service_manager find; 55*e4a36f41SAndroid Build Coastguard Worker 56*e4a36f41SAndroid Build Coastguard Worker# vold needs to be able to call earlyBootEnded() and deleteAllKeys() 57*e4a36f41SAndroid Build Coastguard Workerallow vold keystore:keystore2 early_boot_ended; 58*e4a36f41SAndroid Build Coastguard Workerallow vold keystore:keystore2 delete_all_keys; 59*e4a36f41SAndroid Build Coastguard Worker 60*e4a36f41SAndroid Build Coastguard Workerneverallow { 61*e4a36f41SAndroid Build Coastguard Worker domain 62*e4a36f41SAndroid Build Coastguard Worker -system_server 63*e4a36f41SAndroid Build Coastguard Worker -vdc 64*e4a36f41SAndroid Build Coastguard Worker -vold 65*e4a36f41SAndroid Build Coastguard Worker -update_verifier 66*e4a36f41SAndroid Build Coastguard Worker -apexd 67*e4a36f41SAndroid Build Coastguard Worker -gsid 68*e4a36f41SAndroid Build Coastguard Worker} vold_service:service_manager find; 69