blob: 8c1aaf361e0c94b0d499ce01c4fab3a799211395 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
|
# Any fsck program run by init
type fsck, domain;
type fsck_exec, exec_type, file_type;
init_daemon_domain(fsck)
# /dev/__null__ created by init prior to policy load,
# open fd inherited by fsck.
allow fsck tmpfs:chr_file { read write ioctl };
# Inherit and use pty created by android_fork_execvp_ext().
allow fsck devpts:chr_file { read write ioctl getattr };
# Allow stdin/out back to vold
allow fsck vold:fd use;
allow fsck vold:fifo_file { read write getattr };
# Run fsck on certain block devices
allow fsck block_device:dir search;
allow fsck userdata_block_device:blk_file rw_file_perms;
allow fsck cache_block_device:blk_file rw_file_perms;
allow fsck dm_device:blk_file rw_file_perms;
###
### neverallow rules
###
# fsck should never be run on these block devices
neverallow fsck {
boot_block_device
frp_block_device
metadata_block_device
recovery_block_device
root_block_device
swap_block_device
system_block_device
vold_device
}:blk_file no_rw_file_perms;
# Only allow entry from init or vold via fsck binaries
neverallow { domain -init -vold } fsck:process transition;
neverallow domain fsck:process dyntransition;
neverallow fsck { file_type fs_type -fsck_exec }:file entrypoint;
|
