xref: /aosp_15_r20/system/sepolicy/private/sdcardd.te (revision e4a36f4174b17bbab9dc043f4a65dc8d87377290)
# Add the sdcardd type to the coredomain attribute. Attribute membership is
# security-relevant: every allow rule and neverallow assertion written against
# coredomain elsewhere in the policy then applies to sdcardd as well.
# NOTE(review): coredomain is declared outside this file; in AOSP it
# conventionally marks system-image (non-vendor) domains - confirm.
1typeattribute sdcardd coredomain;
2
# Default labeling: a dir or file that sdcardd creates inside a directory
# labeled system_data_file is labeled media_rw_data_file instead of inheriting
# the parent label. A type_transition only selects the label; it grants no
# access. The create permission comes from the allow rules on
# media_rw_data_file further down in this file.
# NOTE(review): adding an entry to the parent also needs write/add_name on
# system_data_file:dir, which this file does not grant - presumably granted
# elsewhere or no longer exercised; confirm.
3type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;
4
# Mount plumbing for the sdcard daemon. The *_perms names used here are
# permission-set macros defined outside this file; check their expansion
# before reasoning about the exact permissions granted.
#
# Create and manage directories in the cgroup (v1 and v2) hierarchies.
5allow sdcardd cgroup:dir create_dir_perms;
6allow sdcardd cgroup_v2:dir create_dir_perms;
# Read/write access to the FUSE character device.
7allow sdcardd fuse_device:chr_file rw_file_perms;
# Use rootfs directories as mount points. The inline TODO flags this rule as
# deprecated in M, yet it is still granted here.
# NOTE(review): candidate for removal - confirm no mount path still needs it.
8allow sdcardd rootfs:dir mounton;  # TODO: deprecated in M
# Remount sdcardfs filesystems.
9allow sdcardd sdcardfs:filesystem remount;
# Directory read access on tmpfs and mnt_media_rw_file; traversal only
# (search) on storage_file.
10allow sdcardd tmpfs:dir r_dir_perms;
11allow sdcardd mnt_media_rw_file:dir r_dir_perms;
12allow sdcardd storage_file:dir search;
# storage_stub_file directories may be traversed and used as mount points.
13allow sdcardd storage_stub_file:dir { search mounton };
# Mount and unmount filesystems labeled fuse or with any type in sdcard_type
# (presumably an attribute declared outside this file - confirm).
14allow sdcardd { sdcard_type fuse }:filesystem { mount unmount };
# Broadest grant in this file. sys_admin covers mount(2) but also many
# unrelated privileged operations. dac_override and dac_read_search bypass
# discretionary (UID/GID/mode) checks, so the type-enforcement rules in this
# file become the effective limit on which files the daemon can reach.
# setuid/setgid allow changing process credentials; sys_resource allows
# exceeding resource limits. Review any new allow rule for this domain with
# these capabilities in mind.
# NOTE(review): global_capability_class_set is a macro defined outside this
# file; confirm which capability classes it expands to.
15allow sdcardd self:global_capability_class_set { setuid setgid dac_override dac_read_search sys_admin sys_resource };
16
# Create-level access (as defined by the create_dir_perms / create_file_perms
# macros, which live outside this file) to directories and files on fuse and
# sdcard_type filesystems, i.e. the content the daemon serves.
17allow sdcardd { sdcard_type fuse }:dir create_dir_perms;
18allow sdcardd { sdcard_type fuse }:file create_file_perms;
19
# The same create-level access to media_rw_data_file objects. This is the
# label the type_transition at the top of this file assigns to objects
# sdcardd creates under system_data_file directories.
20allow sdcardd media_rw_data_file:dir create_dir_perms;
21allow sdcardd media_rw_data_file:file create_file_perms;
22
# NOTE(review): the first rule below is wider than the original comment
# suggests. It grants read on every file labeled system_data_file, not only
# packages.list, and this domain also holds dac_override/dac_read_search, so
# DAC modes do not narrow it further. The second rule uses the dedicated
# packages_list_file type. If packages.list always carries that label, the
# system_data_file rule may be removable - confirm against file_contexts and
# the daemon's actual reads before tightening.
23# Read /data/system/packages.list.
24allow sdcardd system_data_file:file r_file_perms;
25allow sdcardd packages_list_file:file r_file_perms;
26
# Read-only access to install_data_file files plus traversal of the directory;
# no write or create permission is granted on this type.
27# Read /data/misc/installd/layout_version
28allow sdcardd install_data_file:file r_file_perms;
29allow sdcardd install_data_file:dir search;
30
# fd use lets sdcardd operate on file descriptors that belong to vold. The
# fifo_file rule grants read, write and getattr but not open, so sdcardd can
# only use pipes it was handed, not open vold pipes by path.
31# Allow stdin/out back to vold
32allow sdcardd vold:fd use;
33allow sdcardd vold:fifo_file { read write getattr };
34
# Traversal only (search) of mnt_expand_file directories; listing or modifying
# them is not granted here.
35# Allow running on top of expanded storage
36allow sdcardd mnt_expand_file:dir search;
37
# Read-only access to files labeled proc_filesystems.
38# access /proc/filesystems
39allow sdcardd proc_filesystems:file r_file_perms;
40
# neverallow rules are build-time assertions, not runtime grants: policy
# compilation fails if any allow rule, in this file or elsewhere, would permit
# the listed access. They guard against a later change silently reintroducing
# the access.
41###
42### neverallow rules
43###
44
# Two complementary assertions: init may not execute files labeled
# sdcardd_exec, and no init process may enter the sdcardd domain through an
# exec-time transition or a dyntransition.
# NOTE(review): these rules constrain init only. The intended launcher is not
# named here; the vold fd/fifo rules earlier in this file suggest vold -
# confirm against the vold policy.
45# The sdcard daemon should no longer be started from init
46neverallow init sdcardd_exec:file execute;
47neverallow init sdcardd:process { transition dyntransition };
48