diff options
Diffstat (limited to 'sgdisk.te')
| -rw-r--r-- | sgdisk.te | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/sgdisk.te b/sgdisk.te new file mode 100644 index 0000000..8a689a1 --- /dev/null +++ b/sgdisk.te @@ -0,0 +1,22 @@ +# sgdisk called from vold +type sgdisk, domain; +type sgdisk_exec, exec_type, file_type; + +# Allowed to read/write low-level partition tables +allow sgdisk block_device:dir search; +allow sgdisk vold_device:blk_file rw_file_perms; + +# Inherit and use pty created by android_fork_execvp() +allow sgdisk devpts:chr_file { read write ioctl getattr }; + +# Allow stdin/out back to vold +allow sgdisk vold:fd use; +allow sgdisk vold:fifo_file { read write getattr }; + +# Used to probe kernel to reload partition tables +allow sgdisk self:capability sys_admin; + +# Only allow entry from vold +neverallow { domain -vold } sgdisk:process transition; +neverallow domain sgdisk:process dyntransition; +neverallow sgdisk { file_type fs_type -sgdisk_exec }:file entrypoint; |