Gitiles
Code Review Sign In
gerrit-public.fairphone.software / fp2-dev / platform / external / sepolicy / refs/tags/fp2-sibon-18.01.1 / . / sdcardd.te
blob: a6648200e7c7650d34ce2aca05a5418c0f8bca9f [file] [log] [blame]
William Roberts80ea1d22012-05-31 09:44:51 -0400[diff] [blame]1type sdcardd, domain;
2type sdcardd_exec, exec_type, file_type;
3
Stephen Smalley15abc952013-10-29 14:42:39 -0400[diff] [blame]4allow sdcardd cgroup:dir create_dir_perms;
5allow sdcardd fuse_device:chr_file rw_file_perms;
Jeff Sharkeyf063f462015-03-27 11:25:39 -0700[diff] [blame]6allow sdcardd rootfs:dir mounton; # TODO: deprecated in M
7allow sdcardd mnt_media_rw_file:dir r_dir_perms;
8allow sdcardd storage_file:dir search;
9allow sdcardd storage_stub_file:dir { search mounton };
Nick Kralevich5fc825c2014-09-04 11:04:23 -0700[diff] [blame]10allow sdcardd sdcard_type:filesystem { mount unmount };
Stephen Smalley15abc952013-10-29 14:42:39 -0400[diff] [blame]11allow sdcardd self:capability { setuid setgid dac_override sys_admin sys_resource };
Stephen Smalleye13fabd2013-12-17 14:39:35 -0500[diff] [blame]12
Stephen Smalley7b52ebf2014-02-18 09:19:28 -0500[diff] [blame]13allow sdcardd sdcard_type:dir create_dir_perms;
14allow sdcardd sdcard_type:file create_file_perms;
15
Stephen Smalleye13fabd2013-12-17 14:39:35 -0500[diff] [blame]16type_transition sdcardd system_data_file:{ dir file } media_rw_data_file;
17allow sdcardd media_rw_data_file:dir create_dir_perms;
18allow sdcardd media_rw_data_file:file create_file_perms;
Stephen Smalley15abc952013-10-29 14:42:39 -0400[diff] [blame]19
20# Read /data/system/packages.list.
21allow sdcardd system_data_file:file r_file_perms;
Nick Kralevich1a61fb32014-07-24 17:07:27 -0700[diff] [blame]22
23# Read /data/.layout_version
24allow sdcardd install_data_file:file r_file_perms;
Jeff Sharkeyf063f462015-03-27 11:25:39 -0700[diff] [blame]25
26# Allow stdin/out back to vold
27allow sdcardd vold:fd use;
28allow sdcardd vold:fifo_file { read write getattr };
Jeff Sharkey3acec6f2015-04-11 22:10:20 -0700[diff] [blame]29
30# Allow running on top of expanded storage
31allow sdcardd mnt_expand_file:dir search;
Nick Kralevich50897fe2015-06-11 20:47:59 -0700[diff] [blame]32
33###
34### neverallow rules
35###
36
37# The sdcard daemon should no longer be started from init
38neverallow init sdcardd_exec:file execute;
39neverallow init sdcardd:process { transition dyntransition };