common/private/vold.te - LeafOS-Project/android_device_lineage_sepolicy - Gitiles

 domain_trans(init, rootfs, vold)

 # NTFS-3g wants to drop permission
 allow vold self:capability { setgid setuid };

 # External storage
 allow vold mkfs_exec:file rx_file_perms;
 allow vold mnt_media_rw_stub_file:dir r_dir_perms;
 allow vold storage_stub_file:dir rw_dir_perms;

 # Vold can also run as minivold in the rootfs
 recovery_only(`
   allow vold rootfs:dir { add_name write };
   allow vold rootfs:file execute_no_trans;
 ')
	domain_trans(init, rootfs, vold)

	# NTFS-3g wants to drop permission
	allow vold self:capability { setgid setuid };

	# External storage
	allow vold mkfs_exec:file rx_file_perms;
	allow vold mnt_media_rw_stub_file:dir r_dir_perms;
	allow vold storage_stub_file:dir rw_dir_perms;

	# Vold can also run as minivold in the rootfs
	recovery_only(`
	allow vold rootfs:dir { add_name write };
	allow vold rootfs:file execute_no_trans;
	')