Diffstat (limited to 'blkid.te')
-rw-r--r-- | blkid.te | 20 |
1 files changed, 20 insertions, 0 deletions
diff --git a/blkid.te b/blkid.te
new file mode 100644
index 0000000..15b6a85
--- /dev/null
+++ b/blkid.te
@@ -0,0 +1,20 @@
+# blkid called from vold
+type blkid, domain;
+type blkid_exec, exec_type, file_type;
+
+# Allowed read-only access to encrypted devices to extract UUID/label
+allow blkid block_device:dir search;
+allow blkid userdata_block_device:blk_file r_file_perms;
+allow blkid dm_device:blk_file r_file_perms;
+
+# Allow stdin/out back to vold
+allow blkid vold:fd use;
+allow blkid vold:fifo_file { read write getattr };
+
+# For blkid launched through popen()
+allow blkid blkid_exec:file rx_file_perms;
+
+# Only allow entry from vold
+neverallow { domain -vold } blkid:process transition;
+neverallow domain blkid:process dyntransition;
+neverallow blkid { file_type fs_type -blkid_exec -shell_exec }:file entrypoint; |
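Review bot: The last neverallow exempts `shell_exec` as an entrypoint into the blkid domain, but nothing in this file explains why or grants `entrypoint` on it, so the assertion is looser than the "Only allow entry from vold" comment suggests. If the vold-to-blkid transition is taken on `blkid_exec` only (the transition rule is presumably in vold.te, which this view, limited to blkid.te, does not show), the exemption can be dropped: `neverallow blkid { file_type fs_type -blkid_exec }:file entrypoint;`. If the shell started by popen() really must enter the domain, say so in a comment such as `# popen() runs the command via sh, so shell_exec is also a permitted entrypoint`. It would also help to note above the `dm_device` rule that `r_file_perms` there lets blkid read the whole mapped device, not only the UUID/label it needs.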