84e1c61193
vold works with two broad classes of block devices: untrusted devices that come in from the wild, and trusted devices. When running blkid and fsck, we pick which SELinux execution domain to use based on which class the device belongs to. Bug: 19993667 Change-Id: I44f5bac5dd94f0f76f3e4ef50ddbde5a32bd17a5
36 lines
1.1 KiB
Text
36 lines
1.1 KiB
Text
# blkid for untrusted block devices
|
|
type blkid_untrusted, domain;
|
|
|
|
# Allowed read-only access to vold block devices to extract UUID/label
|
|
allow blkid_untrusted block_device:dir search;
|
|
allow blkid_untrusted vold_device:blk_file r_file_perms;
|
|
|
|
# Allow stdin/out back to vold
|
|
allow blkid_untrusted vold:fd use;
|
|
allow blkid_untrusted vold:fifo_file { read write getattr };
|
|
|
|
# For blkid launched through popen()
|
|
allow blkid_untrusted blkid_exec:file rx_file_perms;
|
|
|
|
###
|
|
### neverallow rules
|
|
###
|
|
|
|
# Untrusted blkid should never be run on block devices holding sensitive data
|
|
neverallow blkid_untrusted {
|
|
boot_block_device
|
|
frp_block_device
|
|
metadata_block_device
|
|
recovery_block_device
|
|
root_block_device
|
|
swap_block_device
|
|
system_block_device
|
|
userdata_block_device
|
|
cache_block_device
|
|
dm_device
|
|
}:blk_file no_rw_file_perms;
|
|
|
|
# Only allow entry from vold via blkid binary
|
|
neverallow { domain -vold } blkid_untrusted:process transition;
|
|
neverallow domain blkid_untrusted:process dyntransition;
|
|
neverallow blkid_untrusted { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
|