private/vold.te - platform/system/sepolicy - Git at Google

 typeattribute vold coredomain;

 init_daemon_domain(vold)

 # Switch to more restrictive domains when executing common tools
 domain_auto_trans(vold, sgdisk_exec, sgdisk);
 domain_auto_trans(vold, sdcardd_exec, sdcardd);
 domain_auto_trans(vold, fuseblkd_untrusted_exec, fuseblkd_untrusted);

 # Switch to e2fs domain when running mkfs.ext4 to format a partition
 domain_auto_trans(vold, e2fs_exec, e2fs);


 # For a handful of probing tools, we choose an even more restrictive
 # domain when working with untrusted block devices
 domain_trans(vold, blkid_exec, blkid);
 domain_trans(vold, blkid_exec, blkid_untrusted);
 domain_trans(vold, fsck_exec, fsck);
 domain_trans(vold, fsck_exec, fsck_untrusted);

 # Newly created storage dirs are always treated as mount stubs to prevent us
 # from accidentally writing when the mount point isn't present.
 type_transition vold storage_file:dir storage_stub_file;
 type_transition vold mnt_media_rw_file:dir mnt_media_rw_stub_file;

 # Property Service
 get_prop(vold, vold_config_prop)
 get_prop(vold, storage_config_prop);
 get_prop(vold, incremental_prop);
 get_prop(vold, gsid_prop);

 set_prop(vold, vold_prop)
 set_prop(vold, vold_status_prop)
 set_prop(vold, powerctl_prop)
 set_prop(vold, ctl_fuse_prop)
 set_prop(vold, restorecon_prop)
 set_prop(vold, ota_prop)
 set_prop(vold, boottime_prop)
 set_prop(vold, boottime_public_prop)

 # Vold will use Keystore instead of using Keymint directly. But it still needs
 # to manage its Keymint blobs. This is why it needs the `manage_blob` permission.
 allow vold vold_key:keystore2_key {
     convert_storage_key_to_ephemeral
     delete
     get_info
     manage_blob
     rebind
     req_forced_op
     update
     use
 };

 # vold needs to call keystore methods
 allow vold keystore:binder call;

 # vold needs to find keystore2 services
 allow vold keystore_service:service_manager find;
 allow vold keystore_maintenance_service:service_manager find;

 # vold needs to be able to call earlyBootEnded() and deleteAllKeys()
 allow vold keystore:keystore2 early_boot_ended;
 allow vold keystore:keystore2 delete_all_keys;

 is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
     # Allow vold to encrypt storage area directories on behalf of apps.
     allow vold {
         storage_area_dir
         storage_area_app_dir
     }:dir {
         getattr
         ioctl # for FS_IOC_SET_ENCRYPTION_POLICY
         open
         read # for open(O_RDONLY) for ioctl
         search
     };
 ')

 # when a storage area is created (with `openStorageArea`), vold creates the key
 # and when a storage area is deleted (with `deleteStorageArea`), vold deletes the key
 is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
   allow vold storage_area_key_file:file create_file_perms;
   allow vold storage_area_key_file:dir create_dir_perms;
 ')

 # Allow vold to create and delete per-user directories like /data/user/$userId.
 allow vold {
     media_userdir_file
     system_userdir_file
     vendor_userdir_file
 }:dir {
     add_name
     remove_name
     write
 };

 # Read already opened /cache files.
 allow vold cache_file:dir r_dir_perms;
 allow vold cache_file:file { getattr read };
 allow vold cache_file:lnk_file r_file_perms;

 r_dir_file(vold, { sysfs_type -sysfs_batteryinfo })
 # XXX Label sysfs files with a specific type?
 allow vold {
   sysfs # writing to /sys/*/uevent during coldboot.
   sysfs_devices_block
   sysfs_dm
   sysfs_loop # writing to /sys/block/loop*/uevent during coldboot.
   sysfs_usb
   sysfs_zram_uevent
   sysfs_fs_f2fs
 }:file w_file_perms;

 r_dir_file(vold, rootfs)
 r_dir_file(vold, metadata_file)
 allow vold {
   proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
   proc_bootconfig
   proc_cmdline
   proc_drop_caches
   proc_filesystems
   proc_meminfo
   proc_mounts
 }:file r_file_perms;

 #Get file contexts
 allow vold file_contexts_file:file r_file_perms;

 # Allow us to jump into execution domains of above tools
 allow vold self:process setexec;

 # For formatting adoptable storage devices
 allow vold e2fs_exec:file rx_file_perms;

 # Run fstrim on mounted partitions
 # allowxperm still requires the ioctl permission for the individual type
 allowxperm vold { fs_type file_type }:dir ioctl FITRIM;

 # Get/set file-based encryption policies on dirs in /data and adoptable storage,
 # and add/remove file-based encryption keys.
 allowxperm vold data_file_type:dir ioctl {
   FS_IOC_GET_ENCRYPTION_POLICY
   FS_IOC_GET_ENCRYPTION_POLICY_EX
   FS_IOC_SET_ENCRYPTION_POLICY
   FS_IOC_ADD_ENCRYPTION_KEY
   FS_IOC_REMOVE_ENCRYPTION_KEY
   FS_IOC_GET_ENCRYPTION_KEY_STATUS
 };

 # Allow securely erasing crypto key files. F2FS_IOC_SEC_TRIM_FILE is
 # tried first. Otherwise, FS_IOC_FIEMAP is needed to get the
 # location of the file's blocks on the raw block device to erase.
 allowxperm vold {
   vold_data_file
   vold_metadata_file
   is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_key_file')
 }:file ioctl {
   F2FS_IOC_SEC_TRIM_FILE
   FS_IOC_FIEMAP
 };

 typeattribute vold mlstrustedsubject;
 allow vold self:process setfscreate;
 allow vold system_file:file x_file_perms;
 not_full_treble(`allow vold vendor_file:file x_file_perms;')
 allow vold block_device:dir create_dir_perms;
 allow vold device:dir write;
 allow vold devpts:chr_file rw_file_perms;
 allow vold rootfs:dir mounton;
 allow vold { sdcard_type fuse }:dir mounton; # TODO: deprecated in M
 allow vold { sdcard_type fuse }:filesystem { mount remount unmount }; # TODO: deprecated in M

 # Manage locations where storage is mounted
 allow vold { mnt_media_rw_file storage_file sdcard_type fuse }:dir create_dir_perms;
 allow vold { mnt_media_rw_file storage_file sdcard_type fuse }:file create_file_perms;

 # Access to storage that backs emulated FUSE daemons for migration optimization
 allow vold media_rw_data_file:dir create_dir_perms;
 allow vold media_rw_data_file:file create_file_perms;
 # Allow mounting (lower filesystem) on parts of media for performance
 allow vold media_rw_data_file:dir mounton;

 # Allow setting project quota IDs and enabling project ID inheritance on
 # /data/media/$userId/* and /mnt/expand/$volume/media/$userId/*
 allowxperm vold media_rw_data_file:{ dir file } ioctl {
   FS_IOC_FSGETXATTR
   FS_IOC_FSSETXATTR
   FS_IOC_GETFLAGS
   FS_IOC_SETFLAGS
 };

 # Allow mounting of storage devices
 allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr };

 # Manage per-user primary symlinks
 allow vold mnt_user_file:dir { create_dir_perms mounton };
 allow vold mnt_user_file:lnk_file create_file_perms;
 allow vold mnt_user_file:file create_file_perms;

 # Manage per-user pass_through primary symlinks
 allow vold mnt_pass_through_file:dir { create_dir_perms mounton };
 allow vold mnt_pass_through_file:lnk_file create_file_perms;

 # Allow to create and mount expanded storage
 allow vold mnt_expand_file:dir { create_dir_perms mounton };
 allow vold apk_data_file:dir { create getattr setattr };
 allow vold shell_data_file:dir { create getattr setattr };
 allow vold system_userdir_file:dir { create getattr setattr };
 allow vold media_userdir_file:dir { create getattr setattr open read ioctl };
 # Needed to set the casefold flag on /mnt/expand/$volume/media
 allowxperm vold media_userdir_file:dir ioctl { FS_IOC_GETFLAGS FS_IOC_SETFLAGS };

 # Allow to mount incremental file system on /data/incremental and create files
 allow vold apk_data_file:dir { mounton rw_dir_perms };
 # Allow to create and write files in /data/incremental
 allow vold apk_data_file:file { rw_file_perms unlink };
 # Allow to bind-mount incremental file system on /data/app/vmdl*.tmp and read files
 allow vold apk_tmp_file:dir { mounton r_dir_perms };
 # Allow to read incremental control file and call selinux restorecon on it
 allow vold incremental_control_file:file { r_file_perms relabelto };

 allow vold tmpfs:filesystem { mount unmount };
 allow vold tmpfs:dir create_dir_perms;
 allow vold tmpfs:dir mounton;
 allow vold self:global_capability_class_set { net_admin dac_override dac_read_search mknod sys_admin chown fowner fsetid };
 allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
 allow vold loop_control_device:chr_file rw_file_perms;
 allow vold loop_device:blk_file { create setattr unlink rw_file_perms };
 allowxperm vold loop_device:blk_file ioctl {
   LOOP_CLR_FD
   LOOP_CTL_GET_FREE
   LOOP_GET_STATUS64
   LOOP_SET_FD
   LOOP_SET_STATUS64
 };
 allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
 allowxperm vold vold_device:blk_file ioctl { BLKDISCARD BLKGETSIZE };
 allow vold dm_device:chr_file rw_file_perms;
 allow vold dm_device:blk_file rw_file_perms;
 allowxperm vold dm_device:blk_file ioctl { BLKDISCARD BLKSECDISCARD BLKREPORTZONE BLKRESETZONE };
 # For vold Process::killProcessesWithOpenFiles function.
 allow vold domain:dir r_dir_perms;
 allow vold domain:{ file lnk_file } r_file_perms;
 allow vold domain:process { signal sigkill };
 allow vold self:global_capability_class_set { sys_ptrace kill };

 allow vold kmsg_device:chr_file rw_file_perms;

 # Run fsck in the fsck domain.
 allow vold fsck_exec:file { r_file_perms execute };

 # Log fsck results
 allow vold fscklogs:dir rw_dir_perms;
 allow vold fscklogs:file create_file_perms;

 # Mount and unmount filesystems.
 allow vold labeledfs:filesystem { mount unmount remount };

 # Create and mount on /data/tmp_mnt and management of expansion mounts
 #
 # Also rename per-user encrypted directories such as /data/user/10 from their
 # temporary name ("10.new") to their final name ("10").
 allow vold {
     system_data_file
     system_data_root_file
 }:dir { create_dir_perms mounton };
 allow vold system_data_file:lnk_file getattr;

 # Vold create users in /data/vendor_{ce,de}/[0-9]+
 allow vold vendor_data_file:dir create_dir_perms;

 # for secdiscard
 allow vold system_data_file:file read;

 # Set scheduling policy of kernel processes
 allow vold kernel:process setsched;

 # ASEC
 allow vold asec_image_file:file create_file_perms;
 allow vold asec_image_file:dir rw_dir_perms;
 allow vold asec_apk_file:dir { create_dir_perms mounton relabelfrom relabelto };
 allow vold asec_public_file:dir { relabelto setattr };
 allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto };
 allow vold asec_public_file:file { relabelto setattr };
 # restorecon files in asec containers created on 4.2 or earlier.
 allow vold unlabeled:dir { r_dir_perms setattr relabelfrom };
 allow vold unlabeled:file { r_file_perms setattr relabelfrom };

 # Access to FUSE control filesystem to hard-abort FUSE mounts
 allow vold fusectlfs:file rw_file_perms;
 allow vold fusectlfs:dir rw_dir_perms;

 # Allow vold to use wake locks.  Needed for idle maintenance and moving storage.
 wakelock_use(vold)

 # Allow vold to publish a binder service and make binder calls.
 binder_use(vold)
 add_service(vold, vold_service)

 # Allow vold to call into the system server so it can check permissions.
 binder_call(vold, system_server)
 allow vold permission_service:service_manager find;

 # talk to health storage HAL
 hal_client_domain(vold, hal_health_storage)

 # talk to bootloader HAL
 full_treble_only(`hal_client_domain(vold, hal_bootctl)')

 # Access userdata block device.
 allow vold userdata_block_device:blk_file rw_file_perms;
 allowxperm vold userdata_block_device:blk_file ioctl BLKSECDISCARD;

 # Access zoned block device.
 allow vold zoned_block_device:blk_file rw_file_perms;

 # Access metadata block device used for encryption meta-data.
 allow vold metadata_block_device:blk_file rw_file_perms;
 allowxperm vold metadata_block_device:blk_file ioctl BLKSECDISCARD;

 # Allow vold to manipulate /data/unencrypted
 allow vold unencrypted_data_file:{ file } create_file_perms;
 allow vold unencrypted_data_file:dir create_dir_perms;

 # Write to /proc/sys/vm/drop_caches
 allow vold proc_drop_caches:file w_file_perms;

 # Give vold a place where only vold can store files; everyone else is off limits
 allow vold vold_data_file:dir create_dir_perms;
 allow vold vold_data_file:file create_file_perms;

 # And a similar place in the metadata partition
 allow vold vold_metadata_file:dir create_dir_perms;
 allow vold vold_metadata_file:file create_file_perms;

 # linux keyring configuration
 allow vold init:key { write search setattr };
 allow vold vold:key { write search setattr };

 # vold temporarily changes its priority when running benchmarks
 allow vold self:global_capability_class_set sys_nice;

 # vold needs to chroot into app namespaces to remount when runtime permissions change
 allow vold self:global_capability_class_set sys_chroot;
 allow vold storage_file:dir mounton;

 # For AppFuse.
 allow vold fuse_device:chr_file rw_file_perms;
 allow vold fuse:filesystem { relabelfrom };
 allow vold app_fusefs:filesystem { relabelfrom relabelto };
 allow vold app_fusefs:filesystem { mount unmount };
 allow vold app_fuse_file:dir rw_dir_perms;
 allow vold app_fuse_file:file { read write open getattr append };

 # MoveStorage.cpp executes cp and rm
 allow vold toolbox_exec:file rx_file_perms;

 # Prepare profile dir for users.
 allow vold { user_profile_data_file user_profile_root_file }:dir create_dir_perms;

 # Raw writes to misc block device
 allow vold misc_block_device:blk_file w_file_perms;

 # vold might need to search or mount /mnt/vendor/*
 allow vold mnt_vendor_file:dir search;

 dontaudit vold self:global_capability_class_set sys_resource;

 # Allow ReadDefaultFstab().
 read_fstab(vold)

 # vold might need to search loopback apex files
 allow vold vendor_apex_file:file r_file_perms;

 ###
 ### Neverallow rules
 ###

 neverallow {
     domain
     -system_server
     -vdc
     -vold
     -update_verifier
     -apexd
     -gsid
 } vold_service:service_manager find;

 # Only vold should create (and delete) per-user directories like
 # /data/user/$userId.  This is very important, as these directories need to be
 # encrypted with per-user keys, which only vold can do.  Encryption can only be
 # set up on empty directories, so creation and encryption must happen together.
 neverallow {
     domain
     -vold
 } {
     media_userdir_file
     system_userdir_file
     vendor_userdir_file
 }:dir {
     add_name
     remove_name
     write
 };

 # Only vold and init should ever set file-based encryption policies.
 neverallowxperm {
   domain
   -vold
   -init
   -vendor_init
 } data_file_type:dir ioctl { FS_IOC_SET_ENCRYPTION_POLICY };

 # Only vold should ever add/remove file-based encryption keys.
 neverallowxperm {
   domain
   -vold
 } data_file_type:dir ioctl { FS_IOC_ADD_ENCRYPTION_KEY FS_IOC_REMOVE_ENCRYPTION_KEY FS_IOC_GET_ENCRYPTION_KEY_STATUS };

 neverallow {
     domain
     -vold
     -vold_prepare_subdirs
 } vold_data_file:dir ~{ open create read getattr setattr search relabelfrom relabelto ioctl };

 neverallow {
     domain
     -init
     -vold
     -vold_prepare_subdirs
 } vold_data_file:dir *;

 neverallow {
     domain
     -init
     -vold
 } vold_metadata_file:dir *;

 neverallow {
     domain
     -kernel
     -vold
     -vold_prepare_subdirs
 } vold_data_file:notdevfile_class_set ~{ relabelto getattr };

 neverallow {
     domain
     -init
     -vold
     -vold_prepare_subdirs
 } vold_metadata_file:notdevfile_class_set ~{ relabelto getattr };

 neverallow {
     domain
     -init
     -kernel
     -vold
     -vold_prepare_subdirs
 } { vold_data_file vold_metadata_file }:notdevfile_class_set *;

 neverallow { domain -vold -init } restorecon_prop:property_service set;

 neverallow vold {
   domain
   -hal_health_storage_server
   -hal_keymaster_server
   -system_suspend_server
   -hal_bootctl_server
   -hwservicemanager
   -keystore
   -servicemanager
   -system_server
   userdebug_or_eng(`-su')
 }:binder call;

 neverallow vold fsck_exec:file execute_no_trans;
 neverallow { domain -init } vold:process { transition dyntransition };
 neverallow vold *:process ptrace;
 neverallow vold *:rawip_socket *;
	typeattribute vold coredomain;

	init_daemon_domain(vold)

	# Switch to more restrictive domains when executing common tools
	domain_auto_trans(vold, sgdisk_exec, sgdisk);
	domain_auto_trans(vold, sdcardd_exec, sdcardd);
	domain_auto_trans(vold, fuseblkd_untrusted_exec, fuseblkd_untrusted);

	# Switch to e2fs domain when running mkfs.ext4 to format a partition
	domain_auto_trans(vold, e2fs_exec, e2fs);


	# For a handful of probing tools, we choose an even more restrictive
	# domain when working with untrusted block devices
	domain_trans(vold, blkid_exec, blkid);
	domain_trans(vold, blkid_exec, blkid_untrusted);
	domain_trans(vold, fsck_exec, fsck);
	domain_trans(vold, fsck_exec, fsck_untrusted);

	# Newly created storage dirs are always treated as mount stubs to prevent us
	# from accidentally writing when the mount point isn't present.
	type_transition vold storage_file:dir storage_stub_file;
	type_transition vold mnt_media_rw_file:dir mnt_media_rw_stub_file;

	# Property Service
	get_prop(vold, vold_config_prop)
	get_prop(vold, storage_config_prop);
	get_prop(vold, incremental_prop);
	get_prop(vold, gsid_prop);

	set_prop(vold, vold_prop)
	set_prop(vold, vold_status_prop)
	set_prop(vold, powerctl_prop)
	set_prop(vold, ctl_fuse_prop)
	set_prop(vold, restorecon_prop)
	set_prop(vold, ota_prop)
	set_prop(vold, boottime_prop)
	set_prop(vold, boottime_public_prop)

	# Vold will use Keystore instead of using Keymint directly. But it still needs
	# to manage its Keymint blobs. This is why it needs the `manage_blob` permission.
	allow vold vold_key:keystore2_key {
	convert_storage_key_to_ephemeral
	delete
	get_info
	manage_blob
	rebind
	req_forced_op
	update
	use
	};

	# vold needs to call keystore methods
	allow vold keystore:binder call;

	# vold needs to find keystore2 services
	allow vold keystore_service:service_manager find;
	allow vold keystore_maintenance_service:service_manager find;

	# vold needs to be able to call earlyBootEnded() and deleteAllKeys()
	allow vold keystore:keystore2 early_boot_ended;
	allow vold keystore:keystore2 delete_all_keys;

	is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
	# Allow vold to encrypt storage area directories on behalf of apps.
	allow vold {
	storage_area_dir
	storage_area_app_dir
	}:dir {
	getattr
	ioctl # for FS_IOC_SET_ENCRYPTION_POLICY
	open
	read # for open(O_RDONLY) for ioctl
	search
	};
	')

	# when a storage area is created (with `openStorageArea`), vold creates the key
	# and when a storage area is deleted (with `deleteStorageArea`), vold deletes the key
	is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `
	allow vold storage_area_key_file:file create_file_perms;
	allow vold storage_area_key_file:dir create_dir_perms;
	')

	# Allow vold to create and delete per-user directories like /data/user/$userId.
	allow vold {
	media_userdir_file
	system_userdir_file
	vendor_userdir_file
	}:dir {
	add_name
	remove_name
	write
	};

	# Read already opened /cache files.
	allow vold cache_file:dir r_dir_perms;
	allow vold cache_file:file { getattr read };
	allow vold cache_file:lnk_file r_file_perms;

	r_dir_file(vold, { sysfs_type -sysfs_batteryinfo })
	# XXX Label sysfs files with a specific type?
	allow vold {
	sysfs # writing to /sys/*/uevent during coldboot.
	sysfs_devices_block
	sysfs_dm
	sysfs_loop # writing to /sys/block/loop*/uevent during coldboot.
	sysfs_usb
	sysfs_zram_uevent
	sysfs_fs_f2fs
	}:file w_file_perms;

	r_dir_file(vold, rootfs)
	r_dir_file(vold, metadata_file)
	allow vold {
	proc # b/67049235 processes /proc/<pid>/* files are mislabeled.
	proc_bootconfig
	proc_cmdline
	proc_drop_caches
	proc_filesystems
	proc_meminfo
	proc_mounts
	}:file r_file_perms;

	#Get file contexts
	allow vold file_contexts_file:file r_file_perms;

	# Allow us to jump into execution domains of above tools
	allow vold self:process setexec;

	# For formatting adoptable storage devices
	allow vold e2fs_exec:file rx_file_perms;

	# Run fstrim on mounted partitions
	# allowxperm still requires the ioctl permission for the individual type
	allowxperm vold { fs_type file_type }:dir ioctl FITRIM;

	# Get/set file-based encryption policies on dirs in /data and adoptable storage,
	# and add/remove file-based encryption keys.
	allowxperm vold data_file_type:dir ioctl {
	FS_IOC_GET_ENCRYPTION_POLICY
	FS_IOC_GET_ENCRYPTION_POLICY_EX
	FS_IOC_SET_ENCRYPTION_POLICY
	FS_IOC_ADD_ENCRYPTION_KEY
	FS_IOC_REMOVE_ENCRYPTION_KEY
	FS_IOC_GET_ENCRYPTION_KEY_STATUS
	};

	# Allow securely erasing crypto key files. F2FS_IOC_SEC_TRIM_FILE is
	# tried first. Otherwise, FS_IOC_FIEMAP is needed to get the
	# location of the file's blocks on the raw block device to erase.
	allowxperm vold {
	vold_data_file
	vold_metadata_file
	is_flag_enabled(RELEASE_UNLOCKED_STORAGE_API, `storage_area_key_file')
	}:file ioctl {
	F2FS_IOC_SEC_TRIM_FILE
	FS_IOC_FIEMAP
	};

	typeattribute vold mlstrustedsubject;
	allow vold self:process setfscreate;
	allow vold system_file:file x_file_perms;
	not_full_treble(`allow vold vendor_file:file x_file_perms;')
	allow vold block_device:dir create_dir_perms;
	allow vold device:dir write;
	allow vold devpts:chr_file rw_file_perms;
	allow vold rootfs:dir mounton;
	allow vold { sdcard_type fuse }:dir mounton; # TODO: deprecated in M
	allow vold { sdcard_type fuse }:filesystem { mount remount unmount }; # TODO: deprecated in M

	# Manage locations where storage is mounted
	allow vold { mnt_media_rw_file storage_file sdcard_type fuse }:dir create_dir_perms;
	allow vold { mnt_media_rw_file storage_file sdcard_type fuse }:file create_file_perms;

	# Access to storage that backs emulated FUSE daemons for migration optimization
	allow vold media_rw_data_file:dir create_dir_perms;
	allow vold media_rw_data_file:file create_file_perms;
	# Allow mounting (lower filesystem) on parts of media for performance
	allow vold media_rw_data_file:dir mounton;

	# Allow setting project quota IDs and enabling project ID inheritance on
	# /data/media/$userId/* and /mnt/expand/$volume/media/$userId/*
	allowxperm vold media_rw_data_file:{ dir file } ioctl {
	FS_IOC_FSGETXATTR
	FS_IOC_FSSETXATTR
	FS_IOC_GETFLAGS
	FS_IOC_SETFLAGS
	};

	# Allow mounting of storage devices
	allow vold { mnt_media_rw_stub_file storage_stub_file }:dir { mounton create rmdir getattr setattr };

	# Manage per-user primary symlinks
	allow vold mnt_user_file:dir { create_dir_perms mounton };
	allow vold mnt_user_file:lnk_file create_file_perms;
	allow vold mnt_user_file:file create_file_perms;

	# Manage per-user pass_through primary symlinks
	allow vold mnt_pass_through_file:dir { create_dir_perms mounton };
	allow vold mnt_pass_through_file:lnk_file create_file_perms;

	# Allow to create and mount expanded storage
	allow vold mnt_expand_file:dir { create_dir_perms mounton };
	allow vold apk_data_file:dir { create getattr setattr };
	allow vold shell_data_file:dir { create getattr setattr };
	allow vold system_userdir_file:dir { create getattr setattr };
	allow vold media_userdir_file:dir { create getattr setattr open read ioctl };
	# Needed to set the casefold flag on /mnt/expand/$volume/media
	allowxperm vold media_userdir_file:dir ioctl { FS_IOC_GETFLAGS FS_IOC_SETFLAGS };

	# Allow to mount incremental file system on /data/incremental and create files
	allow vold apk_data_file:dir { mounton rw_dir_perms };
	# Allow to create and write files in /data/incremental
	allow vold apk_data_file:file { rw_file_perms unlink };
	# Allow to bind-mount incremental file system on /data/app/vmdl*.tmp and read files
	allow vold apk_tmp_file:dir { mounton r_dir_perms };
	# Allow to read incremental control file and call selinux restorecon on it
	allow vold incremental_control_file:file { r_file_perms relabelto };

	allow vold tmpfs:filesystem { mount unmount };
	allow vold tmpfs:dir create_dir_perms;
	allow vold tmpfs:dir mounton;
	allow vold self:global_capability_class_set { net_admin dac_override dac_read_search mknod sys_admin chown fowner fsetid };
	allow vold self:netlink_kobject_uevent_socket create_socket_perms_no_ioctl;
	allow vold loop_control_device:chr_file rw_file_perms;
	allow vold loop_device:blk_file { create setattr unlink rw_file_perms };
	allowxperm vold loop_device:blk_file ioctl {
	LOOP_CLR_FD
	LOOP_CTL_GET_FREE
	LOOP_GET_STATUS64
	LOOP_SET_FD
	LOOP_SET_STATUS64
	};
	allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
	allowxperm vold vold_device:blk_file ioctl { BLKDISCARD BLKGETSIZE };
	allow vold dm_device:chr_file rw_file_perms;
	allow vold dm_device:blk_file rw_file_perms;
	allowxperm vold dm_device:blk_file ioctl { BLKDISCARD BLKSECDISCARD BLKREPORTZONE BLKRESETZONE };
	# For vold Process::killProcessesWithOpenFiles function.
	allow vold domain:dir r_dir_perms;
	allow vold domain:{ file lnk_file } r_file_perms;
	allow vold domain:process { signal sigkill };
	allow vold self:global_capability_class_set { sys_ptrace kill };

	allow vold kmsg_device:chr_file rw_file_perms;

	# Run fsck in the fsck domain.
	allow vold fsck_exec:file { r_file_perms execute };

	# Log fsck results
	allow vold fscklogs:dir rw_dir_perms;
	allow vold fscklogs:file create_file_perms;

	# Mount and unmount filesystems.
	allow vold labeledfs:filesystem { mount unmount remount };

	# Create and mount on /data/tmp_mnt and management of expansion mounts
	#
	# Also rename per-user encrypted directories such as /data/user/10 from their
	# temporary name ("10.new") to their final name ("10").
	allow vold {
	system_data_file
	system_data_root_file
	}:dir { create_dir_perms mounton };
	allow vold system_data_file:lnk_file getattr;

	# Vold create users in /data/vendor_{ce,de}/[0-9]+
	allow vold vendor_data_file:dir create_dir_perms;

	# for secdiscard
	allow vold system_data_file:file read;

	# Set scheduling policy of kernel processes
	allow vold kernel:process setsched;

	# ASEC
	allow vold asec_image_file:file create_file_perms;
	allow vold asec_image_file:dir rw_dir_perms;
	allow vold asec_apk_file:dir { create_dir_perms mounton relabelfrom relabelto };
	allow vold asec_public_file:dir { relabelto setattr };
	allow vold asec_apk_file:file { r_file_perms setattr relabelfrom relabelto };
	allow vold asec_public_file:file { relabelto setattr };
	# restorecon files in asec containers created on 4.2 or earlier.
	allow vold unlabeled:dir { r_dir_perms setattr relabelfrom };
	allow vold unlabeled:file { r_file_perms setattr relabelfrom };

	# Access to FUSE control filesystem to hard-abort FUSE mounts
	allow vold fusectlfs:file rw_file_perms;
	allow vold fusectlfs:dir rw_dir_perms;

	# Allow vold to use wake locks. Needed for idle maintenance and moving storage.
	wakelock_use(vold)

	# Allow vold to publish a binder service and make binder calls.
	binder_use(vold)
	add_service(vold, vold_service)

	# Allow vold to call into the system server so it can check permissions.
	binder_call(vold, system_server)
	allow vold permission_service:service_manager find;

	# talk to health storage HAL
	hal_client_domain(vold, hal_health_storage)

	# talk to bootloader HAL
	full_treble_only(`hal_client_domain(vold, hal_bootctl)')

	# Access userdata block device.
	allow vold userdata_block_device:blk_file rw_file_perms;
	allowxperm vold userdata_block_device:blk_file ioctl BLKSECDISCARD;

	# Access zoned block device.
	allow vold zoned_block_device:blk_file rw_file_perms;

	# Access metadata block device used for encryption meta-data.
	allow vold metadata_block_device:blk_file rw_file_perms;
	allowxperm vold metadata_block_device:blk_file ioctl BLKSECDISCARD;

	# Allow vold to manipulate /data/unencrypted
	allow vold unencrypted_data_file:{ file } create_file_perms;
	allow vold unencrypted_data_file:dir create_dir_perms;

	# Write to /proc/sys/vm/drop_caches
	allow vold proc_drop_caches:file w_file_perms;

	# Give vold a place where only vold can store files; everyone else is off limits
	allow vold vold_data_file:dir create_dir_perms;
	allow vold vold_data_file:file create_file_perms;

	# And a similar place in the metadata partition
	allow vold vold_metadata_file:dir create_dir_perms;
	allow vold vold_metadata_file:file create_file_perms;

	# linux keyring configuration
	allow vold init:key { write search setattr };
	allow vold vold:key { write search setattr };

	# vold temporarily changes its priority when running benchmarks
	allow vold self:global_capability_class_set sys_nice;

	# vold needs to chroot into app namespaces to remount when runtime permissions change
	allow vold self:global_capability_class_set sys_chroot;
	allow vold storage_file:dir mounton;

	# For AppFuse.
	allow vold fuse_device:chr_file rw_file_perms;
	allow vold fuse:filesystem { relabelfrom };
	allow vold app_fusefs:filesystem { relabelfrom relabelto };
	allow vold app_fusefs:filesystem { mount unmount };
	allow vold app_fuse_file:dir rw_dir_perms;
	allow vold app_fuse_file:file { read write open getattr append };

	# MoveStorage.cpp executes cp and rm
	allow vold toolbox_exec:file rx_file_perms;

	# Prepare profile dir for users.
	allow vold { user_profile_data_file user_profile_root_file }:dir create_dir_perms;

	# Raw writes to misc block device
	allow vold misc_block_device:blk_file w_file_perms;

	# vold might need to search or mount /mnt/vendor/*
	allow vold mnt_vendor_file:dir search;

	dontaudit vold self:global_capability_class_set sys_resource;

	# Allow ReadDefaultFstab().
	read_fstab(vold)

	# vold might need to search loopback apex files
	allow vold vendor_apex_file:file r_file_perms;

	###
	### Neverallow rules
	###

	neverallow {
	domain
	-system_server
	-vdc
	-vold
	-update_verifier
	-apexd
	-gsid
	} vold_service:service_manager find;

	# Only vold should create (and delete) per-user directories like
	# /data/user/$userId. This is very important, as these directories need to be
	# encrypted with per-user keys, which only vold can do. Encryption can only be
	# set up on empty directories, so creation and encryption must happen together.
	neverallow {
	domain
	-vold
	} {
	media_userdir_file
	system_userdir_file
	vendor_userdir_file
	}:dir {
	add_name
	remove_name
	write
	};

	# Only vold and init should ever set file-based encryption policies.
	neverallowxperm {
	domain
	-vold
	-init
	-vendor_init
	} data_file_type:dir ioctl { FS_IOC_SET_ENCRYPTION_POLICY };

	# Only vold should ever add/remove file-based encryption keys.
	neverallowxperm {
	domain
	-vold
	} data_file_type:dir ioctl { FS_IOC_ADD_ENCRYPTION_KEY FS_IOC_REMOVE_ENCRYPTION_KEY FS_IOC_GET_ENCRYPTION_KEY_STATUS };

	neverallow {
	domain
	-vold
	-vold_prepare_subdirs
	} vold_data_file:dir ~{ open create read getattr setattr search relabelfrom relabelto ioctl };

	neverallow {
	domain
	-init
	-vold
	-vold_prepare_subdirs
	} vold_data_file:dir *;

	neverallow {
	domain
	-init
	-vold
	} vold_metadata_file:dir *;

	neverallow {
	domain
	-kernel
	-vold
	-vold_prepare_subdirs
	} vold_data_file:notdevfile_class_set ~{ relabelto getattr };

	neverallow {
	domain
	-init
	-vold
	-vold_prepare_subdirs
	} vold_metadata_file:notdevfile_class_set ~{ relabelto getattr };

	neverallow {
	domain
	-init
	-kernel
	-vold
	-vold_prepare_subdirs
	} { vold_data_file vold_metadata_file }:notdevfile_class_set *;

	neverallow { domain -vold -init } restorecon_prop:property_service set;

	neverallow vold {
	domain
	-hal_health_storage_server
	-hal_keymaster_server
	-system_suspend_server
	-hal_bootctl_server
	-hwservicemanager
	-keystore
	-servicemanager
	-system_server
	userdebug_or_eng(`-su')
	}:binder call;

	neverallow vold fsck_exec:file execute_no_trans;
	neverallow { domain -init } vold:process { transition dyntransition };
	neverallow vold *:process ptrace;
	neverallow vold :rawip_socket ;