private/vold.te - platform/system/sepolicy - Git at Google

 # type_transition must be private policy the domain_trans rules could stay
 # public, but conceptually should go with this
 init_daemon_domain(vold)

 # Switch to more restrictive domains when executing common tools
 domain_auto_trans(vold, sgdisk_exec, sgdisk);
 domain_auto_trans(vold, sdcardd_exec, sdcardd);

 # For a handful of probing tools, we choose an even more restrictive
 # domain when working with untrusted block devices
 domain_trans(vold, shell_exec, blkid);
 domain_trans(vold, shell_exec, blkid_untrusted);
 domain_trans(vold, fsck_exec, fsck);
 domain_trans(vold, fsck_exec, fsck_untrusted);

 # Newly created storage dirs are always treated as mount stubs to prevent us
 # from accidentally writing when the mount point isn't present.
 type_transition vold storage_file:dir storage_stub_file;
 type_transition vold mnt_media_rw_file:dir mnt_media_rw_stub_file;
	# type_transition must be private policy the domain_trans rules could stay
	# public, but conceptually should go with this
	init_daemon_domain(vold)

	# Switch to more restrictive domains when executing common tools
	domain_auto_trans(vold, sgdisk_exec, sgdisk);
	domain_auto_trans(vold, sdcardd_exec, sdcardd);

	# For a handful of probing tools, we choose an even more restrictive
	# domain when working with untrusted block devices
	domain_trans(vold, shell_exec, blkid);
	domain_trans(vold, shell_exec, blkid_untrusted);
	domain_trans(vold, fsck_exec, fsck);
	domain_trans(vold, fsck_exec, fsck_untrusted);

	# Newly created storage dirs are always treated as mount stubs to prevent us
	# from accidentally writing when the mount point isn't present.
	type_transition vold storage_file:dir storage_stub_file;
	type_transition vold mnt_media_rw_file:dir mnt_media_rw_stub_file;