2017-03-23 22:27:32 +01:00
|
|
|
typeattribute toolbox coredomain;
|
|
|
|
|
2016-07-22 22:13:11 +02:00
|
|
|
init_daemon_domain(toolbox)
|
2022-04-27 18:26:57 +02:00
|
|
|
|
|
|
|
# rm -rf in /data/misc/virtualizationservice
|
|
|
|
allow toolbox virtualizationservice_data_file:dir { rmdir rw_dir_perms };
|
|
|
|
allow toolbox virtualizationservice_data_file:file { getattr unlink };
|
2022-06-15 18:25:20 +02:00
|
|
|
|
|
|
|
# If we can't remove these directories we try to chmod them. That
|
|
|
|
# doesn't work, but it doesn't matter as virtualizationservice itself
|
|
|
|
# will delete them when it starts. See b/235338094#comment39
|
|
|
|
dontaudit toolbox virtualizationservice_data_file:dir setattr;
|
2024-03-27 09:18:41 +01:00
|
|
|
|
|
|
|
# /dev/__null__ created by init prior to policy load,
|
|
|
|
# open fd inherited by fsck.
|
|
|
|
allow toolbox tmpfs:chr_file { read write ioctl };
|
|
|
|
|
|
|
|
# Inherit and use pty created by android_fork_execvp_ext().
|
|
|
|
allow toolbox devpts:chr_file { read write getattr ioctl };
|
|
|
|
|
|
|
|
# mkswap-specific.
|
|
|
|
# Read/write block devices used for swap partitions.
|
|
|
|
# Assign swap_block_device type any such partition in your
|
|
|
|
# device/<vendor>/<product>/sepolicy/file_contexts file.
|
|
|
|
allow toolbox block_device:dir search;
|
|
|
|
allow toolbox swap_block_device:blk_file rw_file_perms;
|
|
|
|
|
|
|
|
# rm -rf /data/per_boot
|
|
|
|
allow toolbox system_data_root_file:dir { remove_name write };
|
|
|
|
allow toolbox system_data_file:dir { rmdir rw_dir_perms };
|
|
|
|
allow toolbox system_data_file:file { getattr unlink };
|
|
|
|
|
|
|
|
# chattr +F /data/media in init
|
|
|
|
allow toolbox media_userdir_file:dir { r_dir_perms setattr };
|
|
|
|
allowxperm toolbox media_userdir_file:dir ioctl { FS_IOC_SETFLAGS FS_IOC_GETFLAGS };
|
|
|
|
|
|
|
|
###
|
|
|
|
### Neverallow rules
|
|
|
|
###
|
|
|
|
|
|
|
|
# Only allow entry from init via the toolbox binary.
|
|
|
|
neverallow { domain -init } toolbox:process transition;
|
|
|
|
neverallow * toolbox:process dyntransition;
|
|
|
|
neverallow toolbox { file_type fs_type -toolbox_exec}:file entrypoint;
|