platform_system_sepolicy/private/toolbox.te

typeattribute toolbox coredomain;

init_daemon_domain(toolbox)

# rm -rf in /data/misc/virtualizationservice
allow toolbox virtualizationservice_data_file:dir { rmdir rw_dir_perms };
allow toolbox virtualizationservice_data_file:file { getattr unlink };

# If we can't remove these directories we try to chmod them. That
# doesn't work, but it doesn't matter as virtualizationservice itself
# will delete them when it starts. See b/235338094#comment39
dontaudit toolbox virtualizationservice_data_file:dir setattr;

# /dev/__null__ created by init prior to policy load,
# open fd inherited by fsck.
allow toolbox tmpfs:chr_file { read write ioctl };

# Inherit and use pty created by android_fork_execvp_ext().
allow toolbox devpts:chr_file { read write getattr ioctl };

# mkswap-specific.
# Read/write block devices used for swap partitions.
# Assign swap_block_device type any such partition in your
# device/<vendor>/<product>/sepolicy/file_contexts file.
allow toolbox block_device:dir search;
allow toolbox swap_block_device:blk_file rw_file_perms;

# rm -rf /data/per_boot
allow toolbox system_data_root_file:dir { remove_name write };
allow toolbox system_data_file:dir { rmdir rw_dir_perms };
allow toolbox system_data_file:file { getattr unlink };

# chattr +F /data/media in init
allow toolbox media_userdir_file:dir { r_dir_perms setattr };
allowxperm toolbox media_userdir_file:dir ioctl { FS_IOC_SETFLAGS FS_IOC_GETFLAGS };

###
### Neverallow rules
###

# Only allow entry from init via the toolbox binary.
neverallow { domain -init } toolbox:process transition;
neverallow * toolbox:process dyntransition;
neverallow toolbox { file_type fs_type -toolbox_exec}:file entrypoint;