From fcfc13ac6f2893ac055a58459aeb704b2500607c Mon Sep 17 00:00:00 2001
From: Keith Mok <kmok@cyngn.com>
Date: Tue, 15 Dec 2015 13:24:34 -0800
Subject: sepolicy: Add domain for mkfs binaries

The init binary must transition to another domain when calling out to
executables. Create the mkfs domain for mkfs.f2fs such that init can
transition to it when formatting userdata/cache partitions if the
"formattable" flag is set.

Change-Id: I1046782386d171a59b1a3c5441ed265dc0824977
---
 sepolicy/mkfs.te | 9 +++++++++
 1 file changed, 9 insertions(+)
 create mode 100644 sepolicy/mkfs.te

(limited to 'sepolicy/mkfs.te')

diff --git a/sepolicy/mkfs.te b/sepolicy/mkfs.te
new file mode 100644
index 00000000..fe7c61bb
--- /dev/null
+++ b/sepolicy/mkfs.te
@@ -0,0 +1,9 @@
+type mkfs, domain;
+type mkfs_exec, exec_type, file_type;
+
+init_daemon_domain(mkfs)
+
+# Allow formatting userdata or cache partitions
+allow mkfs block_device:dir search;
+allow mkfs userdata_block_device:blk_file rw_file_perms;
+allow mkfs cache_block_device:blk_file rw_file_perms;
-- 
cgit v1.2.3