1 files changed, 60 insertions, 0 deletions

diff --git a/prebuilts/api/32.0/private/vold_prepare_subdirs.te b/prebuilts/api/32.0/private/vold_prepare_subdirs.te
new file mode 100644
index 000000000..956e94e5f
--- /dev/null
+++ b/prebuilts/api/32.0/private/vold_prepare_subdirs.te
@@ -0,0 +1,60 @@
+domain_auto_trans(vold, vold_prepare_subdirs_exec, vold_prepare_subdirs)
+
+typeattribute vold_prepare_subdirs mlstrustedsubject;
+
+allow vold_prepare_subdirs system_file:file execute_no_trans;
+allow vold_prepare_subdirs shell_exec:file rx_file_perms;
+allow vold_prepare_subdirs toolbox_exec:file rx_file_perms;
+allow vold_prepare_subdirs devpts:chr_file rw_file_perms;
+allow vold_prepare_subdirs vold:fd use;
+allow vold_prepare_subdirs vold:fifo_file { read write };
+allow vold_prepare_subdirs file_contexts_file:file r_file_perms;
+allow vold_prepare_subdirs self:global_capability_class_set { chown dac_override dac_read_search fowner };
+allow vold_prepare_subdirs self:process setfscreate;
+allow vold_prepare_subdirs {
+  system_data_file
+  vendor_data_file
+}:dir { open read write add_name remove_name rmdir relabelfrom };
+allow vold_prepare_subdirs {
+    apex_appsearch_data_file
+    apex_art_data_file
+    apex_module_data_file
+    apex_permission_data_file
+    apex_rollback_data_file
+    apex_scheduling_data_file
+    apex_wifi_data_file
+    backup_data_file
+    face_vendor_data_file
+    fingerprint_vendor_data_file
+    iris_vendor_data_file
+    rollback_data_file
+    storaged_data_file
+    system_data_file
+    vold_data_file
+}:dir { create_dir_perms relabelto };
+allow vold_prepare_subdirs {
+    apex_appsearch_data_file
+    apex_art_data_file
+    apex_art_staging_data_file
+    apex_module_data_file
+    apex_permission_data_file
+    apex_rollback_data_file
+    apex_scheduling_data_file
+    apex_wifi_data_file
+    backup_data_file
+    face_vendor_data_file
+    fingerprint_vendor_data_file
+    iris_vendor_data_file
+    rollback_data_file
+    storaged_data_file
+    system_data_file
+    vold_data_file
+}:file { getattr unlink };
+allow vold_prepare_subdirs apex_mnt_dir:dir { open read };
+allow vold_prepare_subdirs mnt_expand_file:dir search;
+allow vold_prepare_subdirs user_profile_data_file:dir { search getattr relabelfrom };
+allow vold_prepare_subdirs user_profile_root_file:dir { search getattr relabelfrom relabelto };
+# /data/misc is unlabeled during early boot.
+allow vold_prepare_subdirs unlabeled:dir search;
+
+dontaudit vold_prepare_subdirs { proc unlabeled }:file r_file_perms;