# SELinux policy for the vold_prepare_subdirs domain.
#
# vold_prepare_subdirs is a helper binary that vold executes to create, chown
# and relabel subdirectories in the data partitions (per-user profile dirs,
# apex/module data, and, when the flag below is set, app storage areas).
# Every directory and file type it may touch is enumerated explicitly in the
# rules that follow; nothing here grants it read or write access to file
# contents other than the context databases and its pipe to vold.

# Executing vold_prepare_subdirs_exec from the vold domain automatically
# transitions the child into the vold_prepare_subdirs domain.
domain_auto_trans(vold, vold_prepare_subdirs_exec, vold_prepare_subdirs)

# System-image domain. mlstrustedsubject exempts it from the MLS constraints
# that separate the data of different users, which it needs in order to
# operate on every user.
typeattribute vold_prepare_subdirs coredomain;
typeattribute vold_prepare_subdirs mlstrustedsubject;

# May run shell and toolbox binaries in its own domain (no further transition).
allow vold_prepare_subdirs system_file:file execute_no_trans;
allow vold_prepare_subdirs shell_exec:file rx_file_perms;
allow vold_prepare_subdirs toolbox_exec:file rx_file_perms;
allow vold_prepare_subdirs devpts:chr_file rw_file_perms;
# Use file descriptors and pipes inherited from vold.
allow vold_prepare_subdirs vold:fd use;
allow vold_prepare_subdirs vold:fifo_file { read write };
# Read-only access to the file_contexts / seapp_contexts databases
# (presumably used to compute the label for each directory it creates).
allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
allow vold_prepare_subdirs seapp_contexts_file:file r_file_perms;
# DAC bypass: chown, dac_override, dac_read_search and fowner let it chown
# and traverse directories owned by any uid; only the SELinux rules below
# bound what it can reach.
allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override dac_read_search fowner };
# setfscreate lets it choose the SELinux label of the files/dirs it creates.
allow vold_prepare_subdirs self:process setfscreate;
# Parent directories in which subdirectories are created: entries may be
# added, removed and relabelled away from these types.
allow vold_prepare_subdirs {
    sdk_sandbox_system_data_file
    system_data_file
    vendor_data_file
}:dir { open read write add_name remove_name rmdir relabelfrom };
# Directory types it may create and assign (relabelto). storage_area_key_file
# is part of the set only when RELEASE_UNLOCKED_STORAGE_API is enabled.
allow vold_prepare_subdirs {
    apex_data_file_type
    apex_module_data_file
    apex_rollback_data_file
    backup_data_file
    checkin_data_file
    face_vendor_data_file
    fingerprint_vendor_data_file
    iris_vendor_data_file
    rollback_data_file
    is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_key_file')
    storaged_data_file
    sdk_sandbox_data_file
    sdk_sandbox_system_data_file
    system_data_file
    vold_data_file
}:dir { create_dir_perms relabelto };
# For files of these types this rule grants only stat and delete, not
# read or write. apex_art_staging_data_file appears in this set only.
allow vold_prepare_subdirs {
    apex_data_file_type
    apex_art_staging_data_file
    apex_module_data_file
    apex_rollback_data_file
    backup_data_file
    checkin_data_file
    face_vendor_data_file
    fingerprint_vendor_data_file
    iris_vendor_data_file
    rollback_data_file
    storaged_data_file
    sdk_sandbox_data_file
    system_data_file
    vold_data_file
}:file { getattr unlink };
allow vold_prepare_subdirs apex_mnt_dir:dir { open read };
allow vold_prepare_subdirs mnt_expand_file:dir search;
# Per-user profile directories: relabel away from user_profile_data_file,
# and in either direction for user_profile_root_file.
allow vold_prepare_subdirs user_profile_data_file:dir { search getattr relabelfrom };
allow vold_prepare_subdirs user_profile_root_file:dir { search getattr relabelfrom relabelto };

# Allow vold_prepare_subdirs to create storage area directories on behalf of apps.
# Everything in this block is compiled in only when the
# RELEASE_UNLOCKED_STORAGE_API build flag is enabled.
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
    allow vold_prepare_subdirs {
        storage_area_dir
        storage_area_app_dir
    }:dir {
        rw_dir_perms
        create
        setattr # for chown() and chmod()
        rmdir
        unlink
        relabelfrom # setfilecon
        relabelto # setfilecon
    };

    # The storage area directories should have type storage_area_dir
    type_transition vold_prepare_subdirs storage_area_app_dir:dir storage_area_dir;

    # Lets the domain validate security contexts through selinuxfs
    # (selinux_check_context macro), presumably for the labels it assigns here.
    selinux_check_context(vold_prepare_subdirs)

    # Exactly one ioctl (the fscrypt set-policy ioctl) and only on
    # storage_area_dir. The neverallowxperm below pins it to that type.
    allowxperm vold_prepare_subdirs storage_area_dir:dir ioctl FS_IOC_SET_ENCRYPTION_POLICY;
')

# Compile-time assertion: the encryption-policy ioctl must never be allowed on
# any other data_file_type directory, so the allowxperm above cannot be
# widened by accident elsewhere in the policy.
is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
    neverallowxperm vold_prepare_subdirs {
        data_file_type
        -storage_area_dir
    }:dir ioctl FS_IOC_SET_ENCRYPTION_POLICY;
')

# Migrate legacy labels to apex_system_server_data_file (b/217581286)
# relabelfrom only: these legacy types can be relabelled away from, never assigned.
allow vold_prepare_subdirs {
    apex_appsearch_data_file
    apex_permission_data_file
    apex_scheduling_data_file
    apex_tethering_data_file
    apex_wifi_data_file
}:dir relabelfrom;

# /data/misc is unlabeled during early boot.
allow vold_prepare_subdirs unlabeled:dir search;

# Suppresses, rather than grants, read attempts on proc and unlabeled files so
# that expected denials do not fill the audit log.
dontaudit vold_prepare_subdirs { proc unlabeled }:file r_file_perms;