首页 发现 帮助
注册 登录
drachfly
/
android10
1
0
派生 0
文件 工单管理 0 合并请求 0 Wiki
目录树: 6b68537209
分支列表 标签列表
android10
/
system
/
sepolicy
/
public
/
fsck.te

fsck.te 2.1 KB
文件历史 原始文件

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768 
  1. # Any fsck program run by init
    2. 

  2. type fsck, domain;
    3. 

  3. type fsck_exec, system_file_type, exec_type, file_type;
    4. 

  4. 

  5. # /dev/__null__ created by init prior to policy load,
    6. 

  6. # open fd inherited by fsck.
    7. 

  7. allow fsck tmpfs:chr_file { read write ioctl };
    8. 

  8. 

  9. # Inherit and use pty created by android_fork_execvp_ext().
    10. 

  10. allow fsck devpts:chr_file { read write ioctl getattr };
    11. 

  11. 

  12. # Allow stdin/out back to vold
    13. 

  13. allow fsck vold:fd use;
    14. 

  14. allow fsck vold:fifo_file { read write getattr };
    15. 

  15. 

  16. # Run fsck on certain block devices
    17. 

  17. allow fsck block_device:dir search;
    18. 

  18. allow fsck userdata_block_device:blk_file rw_file_perms;
    19. 

  19. allow fsck cache_block_device:blk_file rw_file_perms;
    20. 

  20. allow fsck dm_device:blk_file rw_file_perms;
    21. 

  21. userdebug_or_eng(`
    22. 

  22. allow fsck system_block_device:blk_file rw_file_perms;
    23. 

  23. ')
    24. 

  24. 

  25. # For the block devices where we have ioctl access,
    26. 

  26. # allow at a minimum the following common fsck ioctls.
    27. 

  27. allowxperm fsck dev_type:blk_file ioctl {
    28. 

  28.   BLKDISCARDZEROES
    29. 

  29.   BLKROGET
    30. 

  30. };
    31. 

  31. 

  32. # To determine if it is safe to run fsck on a filesystem, e2fsck
    33. 

  33. # must first determine if the filesystem is mounted. To do that,
    34. 

  34. # e2fsck scans through /proc/mounts and collects all the mounted
    35. 

  35. # block devices. With that information, it runs stat() on each block
    36. 

  36. # device, comparing the major and minor numbers to the filesystem
    37. 

  37. # passed in on the command line. If there is a match, then the filesystem
    38. 

  38. # is currently mounted and running fsck is dangerous.
    39. 

  39. # Allow stat access to all block devices so that fsck can compare
    40. 

  40. # major/minor values.
    41. 

  41. allow fsck dev_type:blk_file getattr;
    42. 

  42. 

  43. allow fsck {
    44. 

  44.   proc_mounts
    45. 

  45.   proc_swaps
    46. 

  46. }:file r_file_perms;
    47. 

  47. allow fsck rootfs:dir r_dir_perms;
    48. 

  48. 

  49. ###
    50. 

  50. ### neverallow rules
    51. 

  51. ###
    52. 

  52. 

  53. # fsck should never be run on these block devices
    54. 

  54. neverallow fsck {
    55. 

  55.   boot_block_device
    56. 

  56.   frp_block_device
    57. 

  57.   recovery_block_device
    58. 

  58.   root_block_device
    59. 

  59.   swap_block_device
    60. 

  60.   system_block_device
    61. 

  61.   userdebug_or_eng(`-system_block_device')
    62. 

  62.   vold_device
    63. 

  63. }:blk_file no_rw_file_perms;
    64. 

  64. 

  65. # Only allow entry from init or vold via fsck binaries
    66. 

  66. neverallow { domain -init -vold } fsck:process transition;
    67. 

  67. neverallow * fsck:process dyntransition;
    68. 

  68. neverallow fsck { file_type fs_type -fsck_exec }:file entrypoint;
    69.