platform_system_sepolicy/fsck.te
Stephen Smalley 3da1ffbad0 Remove block_device:blk_file access from fsck.
Now that we have assigned specific types to userdata and cache
block devices, we can remove the ability of fsck to run on other
block devices.

Change-Id: I8cfb3dc0e4ebe6b73346ff291ecb11397bb0c2d0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2014-10-21 01:56:37 +00:00


# SELinux domain for e2fsck or any other fsck program run by init.
# Declares the fsck process type, the label for its executable, the few
# objects it may touch, and build-time assertions on how the domain is entered.
type fsck, domain;
# Label for the fsck executable; the last neverallow in this file makes it the
# only file type that may serve as an entrypoint into the fsck domain.
type fsck_exec, exec_type, file_type;
# NOTE(review): this macro is defined outside this file. As its name indicates,
# it leaves fsck permissive or unconfined, in which case the allow rules below
# are not yet the effective limit on what fsck can access - confirm against the
# macro definition, and drop this line once the domain is ready to be enforced.
permissive_or_unconfined(fsck)
# Presumably sets up the automatic init -> fsck transition when init executes
# a fsck_exec file (macro defined outside this file; verify there).
init_daemon_domain(fsck)
# /dev/__null__ created by init prior to policy load,
# open fd inherited by fsck.
# Only use of the inherited descriptor is granted; "open" is not in the set.
allow fsck tmpfs:chr_file { read write ioctl };
# Inherit and use pty created by android_fork_execvp_ext().
# As above, "open" is not granted: fsck may use the pty it was handed,
# not open one itself.
allow fsck devpts:chr_file { read write ioctl getattr };
# Run e2fsck on the userdata and cache block devices only.
# No rule is given for the generic block_device type, so partitions that have
# not been assigned one of these two types are outside what this file allows.
# Raw read/write on a block device bypasses file-level access control on the
# filesystem it holds, so keep this list as short as possible.
# NOTE(review): a neverallow covering the other block device types would stop
# this restriction from regressing silently - consider adding one.
allow fsck userdata_block_device:blk_file rw_file_perms;
allow fsck cache_block_device:blk_file rw_file_perms;
# Only allow entry from init via the e2fsck binary.
# neverallow rules are assertions checked when the policy is built; they add
# no permissions and fail the build if any allow rule contradicts them.
# 1) No domain other than init may transition into fsck on exec.
neverallow { domain -init } fsck:process transition;
# 2) No domain at all may enter fsck through a dynamic transition.
neverallow domain fsck:process dyntransition;
# 3) fsck may not be entered through any file or filesystem type other than
#    fsck_exec.
neverallow fsck { file_type fs_type -fsck_exec}:file entrypoint;