platform_system_sepolicy/public/fsck.te

69 lines
2.1 KiB
Text
Raw Normal View History

# Any fsck program run by init
type fsck, domain;
type fsck_exec, system_file_type, exec_type, file_type;
Do not allow init to execute anything without changing domains. Remove the ability of init to execute programs from / or /system without changing domains. This forces all helper programs and services invoked by init to be assigned their own domain. Introduce separate domains for running the helper programs executed from the fs_mgr library by init. This requires a domain for e2fsck (named fsck for generality) and a domain for running mkswap (named toolbox since mkswap is just a symlink to the toolbox binary and the domain transition occurs on executing the binary, not based on the symlink in any way). e2fsck is invoked on any partitions marked with the check mount option in the fstab file, typically userdata and cache but never system. We allow it to read/write the userdata_block_device and cache_block_device types but also allow it to read/write the default block_device type until we can get the more specific types assigned in all of the device-specific policies. mkswap is invoked on any swap partition defined in the fstab file. We introduce a new swap_block_device type for this purpose, to be assigned to any such block devices in the device-specific policies, and only allow it to read/write such block devices. As there seem to be no devices in AOSP with swap partitions in their fstab files, this does not appear to risk any breakage for existing devices. With the introduction of these domains, we can de-privilege init to only having read access to block devices for mounting filesystems; it no longer needs direct write access to such devices AFAICT. To avoid breaking execution of toolbox by system services, apps, or the shell, we allow all domains other than kernel and init the ability to run toolbox in their own domain. This is broader than strictly required; we could alternatively only add it to those domains that already had x_file_perms to system_file but this would require a coordinated change with device-specific policy. Change-Id: Ib05de2d2bc2781dad48b70ba385577cb855708e4 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-09-23 15:11:30 +02:00
# /dev/__null__ created by init prior to policy load,
# open fd inherited by fsck.
allow fsck tmpfs:chr_file { read write ioctl };
# Inherit and use pty created by android_fork_execvp_ext().
allow fsck devpts:chr_file { read write ioctl getattr };
Do not allow init to execute anything without changing domains. Remove the ability of init to execute programs from / or /system without changing domains. This forces all helper programs and services invoked by init to be assigned their own domain. Introduce separate domains for running the helper programs executed from the fs_mgr library by init. This requires a domain for e2fsck (named fsck for generality) and a domain for running mkswap (named toolbox since mkswap is just a symlink to the toolbox binary and the domain transition occurs on executing the binary, not based on the symlink in any way). e2fsck is invoked on any partitions marked with the check mount option in the fstab file, typically userdata and cache but never system. We allow it to read/write the userdata_block_device and cache_block_device types but also allow it to read/write the default block_device type until we can get the more specific types assigned in all of the device-specific policies. mkswap is invoked on any swap partition defined in the fstab file. We introduce a new swap_block_device type for this purpose, to be assigned to any such block devices in the device-specific policies, and only allow it to read/write such block devices. As there seem to be no devices in AOSP with swap partitions in their fstab files, this does not appear to risk any breakage for existing devices. With the introduction of these domains, we can de-privilege init to only having read access to block devices for mounting filesystems; it no longer needs direct write access to such devices AFAICT. To avoid breaking execution of toolbox by system services, apps, or the shell, we allow all domains other than kernel and init the ability to run toolbox in their own domain. This is broader than strictly required; we could alternatively only add it to those domains that already had x_file_perms to system_file but this would require a coordinated change with device-specific policy. Change-Id: Ib05de2d2bc2781dad48b70ba385577cb855708e4 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-09-23 15:11:30 +02:00
# Allow stdin/out back to vold
allow fsck vold:fd use;
allow fsck vold:fifo_file { read write getattr };
Updated policy for external storage. An upcoming platform release is redesigning how external storage works. At a high level, vold is taking on a more active role in managing devices that dynamically appear. This change also creates further restricted domains for tools doing low-level access of external storage devices, including sgdisk and blkid. It also extends sdcardd to be launchable by vold, since launching by init will eventually go away. For compatibility, rules required to keep AOSP builds working are marked with "TODO" to eventually remove. Slightly relax system_server external storage rules to allow calls like statfs(). Still neverallow open file descriptors, since they can cause kernel to kill us. Here are the relevant violations that this CL is designed to allow: avc: denied { search } for name="user" dev="tmpfs" ino=7441 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir avc: denied { getattr } for path="/mnt/user/0" dev="tmpfs" ino=6659 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir avc: denied { write } for name="user" dev="tmpfs" ino=6658 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir avc: denied { add_name } for name="10" scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir avc: denied { create } for name="10" scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir avc: denied { setattr } for name="10" dev="tmpfs" ino=11348 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir avc: denied { search } for name="/" dev="tmpfs" ino=3131 scontext=u:r:zygote:s0 tcontext=u:object_r:storage_file:s0 tclass=dir avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:storage_file:s0 tclass=dir avc: denied { getattr } for path="/storage/self" dev="tmpfs" ino=6659 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:mnt_user_file:s0 tclass=dir avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:storage_file:s0 tclass=dir avc: denied { getattr } for path="/storage/self" dev="tmpfs" ino=11348 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:mnt_user_file:s0 tclass=dir avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir avc: denied { read } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir avc: denied { open } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir avc: denied { search } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir avc: denied { write } for name="data" dev="tmpfs" ino=11979 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir avc: denied { add_name } for name="com.google.android.music" scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir avc: denied { create } for name="com.google.android.music" scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir avc: denied { use } for path="socket:[8297]" dev="sockfs" ino=8297 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd avc: denied { read write } for path="socket:[8297]" dev="sockfs" ino=8297 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=netlink_kobject_uevent_socket avc: denied { read } for path="pipe:[8298]" dev="pipefs" ino=8298 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fifo_file avc: denied { write } for path="pipe:[8298]" dev="pipefs" ino=8298 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fifo_file avc: denied { mounton } for path="/storage/emulated" dev="tmpfs" ino=8913 scontext=u:r:sdcardd:s0 tcontext=u:object_r:storage_file:s0 tclass=dir avc: denied { getattr } for path="/storage" dev="tmpfs" ino=7444 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=dir avc: denied { getattr } for path="/storage/self/primary" dev="tmpfs" ino=7447 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file avc: denied { read } for name="primary" dev="tmpfs" ino=7447 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file avc: denied { getattr } for path="/mnt/user" dev="tmpfs" ino=7441 scontext=u:r:system_server:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir avc: denied { read } for name="disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file avc: denied { open } for path="/dev/block/vold/disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file avc: denied { getattr } for path="/dev/block/vold/disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file avc: denied { read } for name="/" dev="fuse" ino=0 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir avc: denied { open } for path="/storage/public:81F3-13EC" dev="fuse" ino=0 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir avc: denied { write } for name="data" dev="fuse" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir avc: denied { add_name } for name="com.google.android.googlequicksearchbox" scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir avc: denied { create } for name="com.google.android.googlequicksearchbox" scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir avc: denied { getattr } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file avc: denied { read } for name="public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file avc: denied { open } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file avc: denied { ioctl } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file avc: denied { use } for path="pipe:[3264]" dev="pipefs" ino=3264 scontext=u:r:sgdisk:s0 tcontext=u:r:vold:s0 tclass=fd avc: denied { use } for path="pipe:[3264]" dev="pipefs" ino=3264 scontext=u:r:sgdisk:s0 tcontext=u:r:vold:s0 tclass=fd avc: denied { search } for name="block" dev="tmpfs" ino=2494 scontext=u:r:sgdisk:s0 tcontext=u:object_r:block_device:s0 tclass=dir avc: denied { use } for path="pipe:[4200]" dev="pipefs" ino=4200 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd avc: denied { use } for path="pipe:[4200]" dev="pipefs" ino=4200 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd avc: denied { search } for name="/" dev="tmpfs" ino=3131 scontext=u:r:sdcardd:s0 tcontext=u:object_r:storage_file:s0 tclass=dir avc: denied { search } for name="media_rw" dev="tmpfs" ino=3127 scontext=u:r:sdcardd:s0 tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir avc: denied { getattr } for path="pipe:[3648]" dev="pipefs" ino=3648 scontext=u:r:blkid:s0 tcontext=u:r:vold:s0 tclass=fifo_file avc: denied { use } for path="/dev/pts/12" dev="devpts" ino=15 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd avc: denied { use } for path="/dev/pts/12" dev="devpts" ino=15 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd avc: denied { use } for path="pipe:[4182]" dev="pipefs" ino=4182 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd Change-Id: Idf3b8561baecf7faa603fac5ababdcc5708288e1
2015-03-27 19:25:39 +01:00
# Run fsck on certain block devices
allow fsck block_device:dir search;
Do not allow init to execute anything without changing domains. Remove the ability of init to execute programs from / or /system without changing domains. This forces all helper programs and services invoked by init to be assigned their own domain. Introduce separate domains for running the helper programs executed from the fs_mgr library by init. This requires a domain for e2fsck (named fsck for generality) and a domain for running mkswap (named toolbox since mkswap is just a symlink to the toolbox binary and the domain transition occurs on executing the binary, not based on the symlink in any way). e2fsck is invoked on any partitions marked with the check mount option in the fstab file, typically userdata and cache but never system. We allow it to read/write the userdata_block_device and cache_block_device types but also allow it to read/write the default block_device type until we can get the more specific types assigned in all of the device-specific policies. mkswap is invoked on any swap partition defined in the fstab file. We introduce a new swap_block_device type for this purpose, to be assigned to any such block devices in the device-specific policies, and only allow it to read/write such block devices. As there seem to be no devices in AOSP with swap partitions in their fstab files, this does not appear to risk any breakage for existing devices. With the introduction of these domains, we can de-privilege init to only having read access to block devices for mounting filesystems; it no longer needs direct write access to such devices AFAICT. To avoid breaking execution of toolbox by system services, apps, or the shell, we allow all domains other than kernel and init the ability to run toolbox in their own domain. This is broader than strictly required; we could alternatively only add it to those domains that already had x_file_perms to system_file but this would require a coordinated change with device-specific policy. Change-Id: Ib05de2d2bc2781dad48b70ba385577cb855708e4 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-09-23 15:11:30 +02:00
allow fsck userdata_block_device:blk_file rw_file_perms;
allow fsck cache_block_device:blk_file rw_file_perms;
allow fsck dm_device:blk_file rw_file_perms;
userdebug_or_eng(`
allow fsck system_block_device:blk_file rw_file_perms;
')
Do not allow init to execute anything without changing domains. Remove the ability of init to execute programs from / or /system without changing domains. This forces all helper programs and services invoked by init to be assigned their own domain. Introduce separate domains for running the helper programs executed from the fs_mgr library by init. This requires a domain for e2fsck (named fsck for generality) and a domain for running mkswap (named toolbox since mkswap is just a symlink to the toolbox binary and the domain transition occurs on executing the binary, not based on the symlink in any way). e2fsck is invoked on any partitions marked with the check mount option in the fstab file, typically userdata and cache but never system. We allow it to read/write the userdata_block_device and cache_block_device types but also allow it to read/write the default block_device type until we can get the more specific types assigned in all of the device-specific policies. mkswap is invoked on any swap partition defined in the fstab file. We introduce a new swap_block_device type for this purpose, to be assigned to any such block devices in the device-specific policies, and only allow it to read/write such block devices. As there seem to be no devices in AOSP with swap partitions in their fstab files, this does not appear to risk any breakage for existing devices. With the introduction of these domains, we can de-privilege init to only having read access to block devices for mounting filesystems; it no longer needs direct write access to such devices AFAICT. To avoid breaking execution of toolbox by system services, apps, or the shell, we allow all domains other than kernel and init the ability to run toolbox in their own domain. This is broader than strictly required; we could alternatively only add it to those domains that already had x_file_perms to system_file but this would require a coordinated change with device-specific policy. Change-Id: Ib05de2d2bc2781dad48b70ba385577cb855708e4 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-09-23 15:11:30 +02:00
# For the block devices where we have ioctl access,
# allow at a minimum the following common fsck ioctls.
allowxperm fsck dev_type:blk_file ioctl {
BLKDISCARDZEROES
BLKROGET
};
# To determine if it is safe to run fsck on a filesystem, e2fsck
# must first determine if the filesystem is mounted. To do that,
# e2fsck scans through /proc/mounts and collects all the mounted
# block devices. With that information, it runs stat() on each block
# device, comparing the major and minor numbers to the filesystem
# passed in on the command line. If there is a match, then the filesystem
# is currently mounted and running fsck is dangerous.
# Allow stat access to all block devices so that fsck can compare
# major/minor values.
allow fsck dev_type:blk_file getattr;
allow fsck {
proc_mounts
proc_swaps
}:file r_file_perms;
allow fsck rootfs:dir r_dir_perms;
###
### neverallow rules
###
# fsck should never be run on these block devices
neverallow fsck {
boot_block_device
frp_block_device
recovery_block_device
root_block_device
swap_block_device
system_block_device
userdebug_or_eng(`-system_block_device')
vold_device
}:blk_file no_rw_file_perms;
# Only allow entry from init or vold via fsck binaries
neverallow { domain -init -vold } fsck:process transition;
neverallow * fsck:process dyntransition;
Updated policy for external storage. An upcoming platform release is redesigning how external storage works. At a high level, vold is taking on a more active role in managing devices that dynamically appear. This change also creates further restricted domains for tools doing low-level access of external storage devices, including sgdisk and blkid. It also extends sdcardd to be launchable by vold, since launching by init will eventually go away. For compatibility, rules required to keep AOSP builds working are marked with "TODO" to eventually remove. Slightly relax system_server external storage rules to allow calls like statfs(). Still neverallow open file descriptors, since they can cause kernel to kill us. Here are the relevant violations that this CL is designed to allow: avc: denied { search } for name="user" dev="tmpfs" ino=7441 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir avc: denied { getattr } for path="/mnt/user/0" dev="tmpfs" ino=6659 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir avc: denied { write } for name="user" dev="tmpfs" ino=6658 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir avc: denied { add_name } for name="10" scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir avc: denied { create } for name="10" scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir avc: denied { setattr } for name="10" dev="tmpfs" ino=11348 scontext=u:r:zygote:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir avc: denied { search } for name="/" dev="tmpfs" ino=3131 scontext=u:r:zygote:s0 tcontext=u:object_r:storage_file:s0 tclass=dir avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:storage_file:s0 tclass=dir avc: denied { getattr } for path="/storage/self" dev="tmpfs" ino=6659 scontext=u:r:untrusted_app:s0:c512,c768 tcontext=u:object_r:mnt_user_file:s0 tclass=dir avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:storage_file:s0 tclass=dir avc: denied { getattr } for path="/storage/self" dev="tmpfs" ino=11348 scontext=u:r:untrusted_app:s0:c522,c768 tcontext=u:object_r:mnt_user_file:s0 tclass=dir avc: denied { getattr } for path="/storage" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir avc: denied { read } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir avc: denied { open } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir avc: denied { search } for name="/" dev="tmpfs" ino=6661 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir avc: denied { write } for name="data" dev="tmpfs" ino=11979 scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir avc: denied { add_name } for name="com.google.android.music" scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir avc: denied { create } for name="com.google.android.music" scontext=u:r:vold:s0 tcontext=u:object_r:storage_file:s0 tclass=dir avc: denied { use } for path="socket:[8297]" dev="sockfs" ino=8297 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd avc: denied { read write } for path="socket:[8297]" dev="sockfs" ino=8297 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=netlink_kobject_uevent_socket avc: denied { read } for path="pipe:[8298]" dev="pipefs" ino=8298 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fifo_file avc: denied { write } for path="pipe:[8298]" dev="pipefs" ino=8298 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fifo_file avc: denied { mounton } for path="/storage/emulated" dev="tmpfs" ino=8913 scontext=u:r:sdcardd:s0 tcontext=u:object_r:storage_file:s0 tclass=dir avc: denied { getattr } for path="/storage" dev="tmpfs" ino=7444 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=dir avc: denied { getattr } for path="/storage/self/primary" dev="tmpfs" ino=7447 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file avc: denied { read } for name="primary" dev="tmpfs" ino=7447 scontext=u:r:system_server:s0 tcontext=u:object_r:storage_file:s0 tclass=lnk_file avc: denied { getattr } for path="/mnt/user" dev="tmpfs" ino=7441 scontext=u:r:system_server:s0 tcontext=u:object_r:mnt_user_file:s0 tclass=dir avc: denied { read } for name="disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file avc: denied { open } for path="/dev/block/vold/disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file avc: denied { getattr } for path="/dev/block/vold/disk:179,128" dev="tmpfs" ino=3224 scontext=u:r:sgdisk:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file avc: denied { read } for name="/" dev="fuse" ino=0 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir avc: denied { open } for path="/storage/public:81F3-13EC" dev="fuse" ino=0 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir avc: denied { write } for name="data" dev="fuse" ino=2 scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir avc: denied { add_name } for name="com.google.android.googlequicksearchbox" scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir avc: denied { create } for name="com.google.android.googlequicksearchbox" scontext=u:r:vold:s0 tcontext=u:object_r:fuse:s0 tclass=dir avc: denied { getattr } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file avc: denied { read } for name="public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file avc: denied { open } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file avc: denied { ioctl } for path="/dev/block/vold/public:179,129" dev="tmpfs" ino=16953 scontext=u:r:blkid:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file avc: denied { use } for path="pipe:[3264]" dev="pipefs" ino=3264 scontext=u:r:sgdisk:s0 tcontext=u:r:vold:s0 tclass=fd avc: denied { use } for path="pipe:[3264]" dev="pipefs" ino=3264 scontext=u:r:sgdisk:s0 tcontext=u:r:vold:s0 tclass=fd avc: denied { search } for name="block" dev="tmpfs" ino=2494 scontext=u:r:sgdisk:s0 tcontext=u:object_r:block_device:s0 tclass=dir avc: denied { use } for path="pipe:[4200]" dev="pipefs" ino=4200 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd avc: denied { use } for path="pipe:[4200]" dev="pipefs" ino=4200 scontext=u:r:sdcardd:s0 tcontext=u:r:vold:s0 tclass=fd avc: denied { search } for name="/" dev="tmpfs" ino=3131 scontext=u:r:sdcardd:s0 tcontext=u:object_r:storage_file:s0 tclass=dir avc: denied { search } for name="media_rw" dev="tmpfs" ino=3127 scontext=u:r:sdcardd:s0 tcontext=u:object_r:mnt_media_rw_file:s0 tclass=dir avc: denied { getattr } for path="pipe:[3648]" dev="pipefs" ino=3648 scontext=u:r:blkid:s0 tcontext=u:r:vold:s0 tclass=fifo_file avc: denied { use } for path="/dev/pts/12" dev="devpts" ino=15 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd avc: denied { use } for path="/dev/pts/12" dev="devpts" ino=15 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd avc: denied { use } for path="pipe:[4182]" dev="pipefs" ino=4182 scontext=u:r:fsck:s0 tcontext=u:r:vold:s0 tclass=fd Change-Id: Idf3b8561baecf7faa603fac5ababdcc5708288e1
2015-03-27 19:25:39 +01:00
neverallow fsck { file_type fs_type -fsck_exec }:file entrypoint;