# SELinux policy for the vold_prepare_subdirs domain.
#
# Every rule below has vold_prepare_subdirs as its source type. The permission
# macros used here (rx_file_perms, r_file_perms, rw_file_perms,
# create_dir_perms) and the global_capability_class_set class set are defined
# outside this file.

# Entering the domain: vold executing a file labeled vold_prepare_subdirs_exec
# transitions into vold_prepare_subdirs.
domain_auto_trans(vold, vold_prepare_subdirs_exec, vold_prepare_subdirs)

# NOTE(review): mlstrustedsubject exempts the domain from the MLS constraints
# applied to ordinary subjects. Presumably this is required because the
# directories handled here belong to different users/categories -- confirm
# before widening any rule below, since the type rules are then the only
# SELinux-level separation left for this domain.
typeattribute vold_prepare_subdirs mlstrustedsubject;

# Running helper programs: system binaries run without a domain transition
# (they stay in this domain), and the shell and toolbox may be read and
# executed.
allow vold_prepare_subdirs system_file:file execute_no_trans;
allow vold_prepare_subdirs shell_exec:file rx_file_perms;
allow vold_prepare_subdirs toolbox_exec:file rx_file_perms;

# I/O channels: pseudo-terminals, plus file descriptors and pipes labeled vold
# (the parent domain named in the transition above).
allow vold_prepare_subdirs devpts:chr_file rw_file_perms;
allow vold_prepare_subdirs vold:fd use;
allow vold_prepare_subdirs vold:fifo_file { read write };

# Read access to the file_contexts database.
# NOTE(review): presumably used to look up the label for each directory it
# creates -- confirm against the binary.
allow vold_prepare_subdirs file_contexts_file:file r_file_perms;

# Capabilities. chown/fowner allow changing ownership and acting on files the
# process does not own; dac_override/dac_read_search bypass discretionary
# permission checks. With DAC bypassed, the type-enforcement rules in this file
# are what bounds the domain's filesystem reach.
allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override dac_read_search fowner };

# setfscreate lets the process choose the security context given to the
# filesystem objects it creates.
allow vold_prepare_subdirs self:process setfscreate;

# Parent directories: list them, add and remove entries, remove the directory,
# and relabel *away from* these types.
allow vold_prepare_subdirs {
    sdk_sandbox_system_data_file
    system_data_file
    vendor_data_file
}:dir { open read write add_name remove_name rmdir relabelfrom };

# Managed directories: full create_dir_perms and relabel *to* these types.
# A relabel needs relabelfrom on the old type and relabelto on the new one, so
# this set and the relabelfrom grants elsewhere in the file together define
# which label changes are possible.
allow vold_prepare_subdirs {
    apex_data_file_type
    apex_module_data_file
    apex_rollback_data_file
    backup_data_file
    checkin_data_file
    face_vendor_data_file
    fingerprint_vendor_data_file
    iris_vendor_data_file
    rollback_data_file
    storaged_data_file
    sdk_sandbox_data_file
    sdk_sandbox_system_data_file
    system_data_file
    vold_data_file
}:dir { create_dir_perms relabelto };

# Files of these types may only be stat'ed and unlinked; no read or write of
# file contents is granted here.
allow vold_prepare_subdirs {
    apex_data_file_type
    apex_art_staging_data_file
    apex_module_data_file
    apex_rollback_data_file
    backup_data_file
    checkin_data_file
    face_vendor_data_file
    fingerprint_vendor_data_file
    iris_vendor_data_file
    rollback_data_file
    storaged_data_file
    sdk_sandbox_data_file
    system_data_file
    vold_data_file
}:file { getattr unlink };

# Directory listing and traversal only.
allow vold_prepare_subdirs apex_mnt_dir:dir { open read };
allow vold_prepare_subdirs mnt_expand_file:dir search;

# Profile directories: traverse, stat and relabel. Only the root type may also
# be a relabel target (relabelto).
allow vold_prepare_subdirs user_profile_data_file:dir { search getattr relabelfrom };
allow vold_prepare_subdirs user_profile_root_file:dir { search getattr relabelfrom relabelto };

# Migrate legacy labels to apex_system_server_data_file (b/217581286).
# Only relabelfrom is granted on the legacy types, so directories can be moved
# off these labels but not onto them.
allow vold_prepare_subdirs {
    apex_appsearch_data_file
    apex_permission_data_file
    apex_scheduling_data_file
    apex_tethering_data_file
    apex_wifi_data_file
}:dir relabelfrom;

# /data/misc is unlabeled during early boot.
allow vold_prepare_subdirs unlabeled:dir search;

# Reads of proc and unlabeled files stay denied but are not logged. When
# investigating this domain, keep in mind that these denials will be absent
# from the audit log.
dontaudit vold_prepare_subdirs { proc unlabeled }:file r_file_perms;