5e37271df8
system_file_type is a new attribute used to identify files which exist on the /system partition. It's useful for allow rules in init, which are based off of a blacklist of writable files. Additionally, it's useful for constructing neverallow rules to prevent regressions. Additionally, add commented out tests which enforce that all files on the /system partition have the system_file_type attribute. These tests will be uncommented in a future change after all the device-specific policies are cleaned up. Test: Device boots and no obvious problems. Change-Id: Id9bae6625f042594c8eba74ca712abb09702c1e5
22 lines
721 B
Text
22 lines
721 B
Text
# blkid called from vold
|
|
|
|
typeattribute blkid coredomain;
|
|
|
|
type blkid_exec, system_file_type, exec_type, file_type;
|
|
|
|
# Allowed read-only access to encrypted devices to extract UUID/label
|
|
allow blkid block_device:dir search;
|
|
allow blkid userdata_block_device:blk_file r_file_perms;
|
|
allow blkid dm_device:blk_file r_file_perms;
|
|
|
|
# Allow stdin/out back to vold
|
|
allow blkid vold:fd use;
|
|
allow blkid vold:fifo_file { read write getattr };
|
|
|
|
# For blkid launched through popen()
|
|
allow blkid blkid_exec:file rx_file_perms;
|
|
|
|
# Only allow entry from vold
|
|
neverallow { domain -vold } blkid:process transition;
|
|
neverallow * blkid:process dyntransition;
|
|
neverallow blkid { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
|