xref: /aosp_15_r20/system/sepolicy/private/vold_prepare_subdirs.te (revision e4a36f4174b17bbab9dc043f4a65dc8d87377290) 
1domain_auto_trans(vold, vold_prepare_subdirs_exec, vold_prepare_subdirs)
2
3typeattribute vold_prepare_subdirs coredomain;
4typeattribute vold_prepare_subdirs mlstrustedsubject;
5
6allow vold_prepare_subdirs system_file:file execute_no_trans;
7allow vold_prepare_subdirs shell_exec:file rx_file_perms;
8allow vold_prepare_subdirs toolbox_exec:file rx_file_perms;
9allow vold_prepare_subdirs devpts:chr_file rw_file_perms;
10allow vold_prepare_subdirs vold:fd use;
11allow vold_prepare_subdirs vold:fifo_file { read write };
12allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
13allow vold_prepare_subdirs seapp_contexts_file:file r_file_perms;
14allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override dac_read_search fowner };
15allow vold_prepare_subdirs self:process setfscreate;
16allow vold_prepare_subdirs {
17  sdk_sandbox_system_data_file
18  system_data_file
19  vendor_data_file
20}:dir { open read write add_name remove_name rmdir relabelfrom };
21allow vold_prepare_subdirs {
22    apex_data_file_type
23    apex_module_data_file
24    apex_rollback_data_file
25    backup_data_file
26    checkin_data_file
27    face_vendor_data_file
28    fingerprint_vendor_data_file
29    iris_vendor_data_file
30    rollback_data_file
31    is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_key_file')
32    storaged_data_file
33    sdk_sandbox_data_file
34    sdk_sandbox_system_data_file
35    system_data_file
36    vold_data_file
37}:dir { create_dir_perms relabelto };
38allow vold_prepare_subdirs {
39    apex_data_file_type
40    apex_art_staging_data_file
41    apex_module_data_file
42    apex_rollback_data_file
43    backup_data_file
44    checkin_data_file
45    face_vendor_data_file
46    fingerprint_vendor_data_file
47    iris_vendor_data_file
48    rollback_data_file
49    storaged_data_file
50    sdk_sandbox_data_file
51    system_data_file
52    vold_data_file
53}:file { getattr unlink };
54allow vold_prepare_subdirs apex_mnt_dir:dir { open read };
55allow vold_prepare_subdirs mnt_expand_file:dir search;
56allow vold_prepare_subdirs user_profile_data_file:dir { search getattr relabelfrom };
57allow vold_prepare_subdirs user_profile_root_file:dir { search getattr relabelfrom relabelto };
58
59# Allow vold_prepare_subdirs to create storage area directories on behalf of apps.
60is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
61  allow vold_prepare_subdirs {
62      storage_area_dir
63      storage_area_app_dir
64  }:dir {
65      rw_dir_perms
66      create
67      setattr # for chown() and chmod()
68      rmdir
69      unlink
70      relabelfrom # setfilecon
71      relabelto # setfilecon
72  };
73
74  # The storage area directories should have type storage_area_dir
75  type_transition vold_prepare_subdirs storage_area_app_dir:dir storage_area_dir;
76
77  selinux_check_context(vold_prepare_subdirs)
78
79  allowxperm vold_prepare_subdirs storage_area_dir:dir ioctl FS_IOC_SET_ENCRYPTION_POLICY;
80')
81
82is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
83  neverallowxperm vold_prepare_subdirs {
84    data_file_type
85    -storage_area_dir
86  }:dir ioctl FS_IOC_SET_ENCRYPTION_POLICY;
87')
88
89# Migrate legacy labels to apex_system_server_data_file (b/217581286)
90allow vold_prepare_subdirs {
91  apex_appsearch_data_file
92  apex_permission_data_file
93  apex_scheduling_data_file
94  apex_tethering_data_file
95  apex_wifi_data_file
96}:dir relabelfrom;
97
98# /data/misc is unlabeled during early boot.
99allow vold_prepare_subdirs unlabeled:dir search;
100
101dontaudit vold_prepare_subdirs { proc unlabeled }:file r_file_perms;
102