| 12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849 |
- # Any fsck program run on untrusted block devices
- type fsck_untrusted, domain;
- # Inherit and use pty created by android_fork_execvp_ext().
- allow fsck_untrusted devpts:chr_file { read write ioctl getattr };
- # Allow stdin/out back to vold
- allow fsck_untrusted vold:fd use;
- allow fsck_untrusted vold:fifo_file { read write getattr };
- # Run fsck on vold block devices
- allow fsck_untrusted block_device:dir search;
- allow fsck_untrusted vold_device:blk_file rw_file_perms;
- allow fsck_untrusted proc_mounts:file r_file_perms;
- # To determine if it is safe to run fsck on a filesystem, e2fsck
- # must first determine if the filesystem is mounted. To do that,
- # e2fsck scans through /proc/mounts and collects all the mounted
- # block devices. With that information, it runs stat() on each block
- # device, comparing the major and minor numbers to the filesystem
- # passed in on the command line. If there is a match, then the filesystem
- # is currently mounted and running fsck is dangerous.
- # Allow stat access to all block devices so that fsck can compare
- # major/minor values.
- allow fsck_untrusted dev_type:blk_file getattr;
- ###
- ### neverallow rules
- ###
- # Untrusted fsck should never be run on block devices holding sensitive data
- neverallow fsck_untrusted {
- boot_block_device
- frp_block_device
- metadata_block_device
- recovery_block_device
- root_block_device
- swap_block_device
- system_block_device
- userdata_block_device
- cache_block_device
- dm_device
- }:blk_file no_rw_file_perms;
- # Only allow entry from vold via fsck binaries
- neverallow { domain -vold } fsck_untrusted:process transition;
- neverallow * fsck_untrusted:process dyntransition;
- neverallow fsck_untrusted { file_type fs_type -fsck_exec }:file entrypoint;
|
