platform_system_sepolicy/sgdisk.te
Nick Kralevich 35a1451430 Replace "neverallow domain" by "neverallow *"
Modify many "neverallow domain" rules to be "neverallow *" rules
instead. This will catch more SELinux policy bugs where a label
is assigned an irrelevant rule, as well as catch situations where
a domain attribute is not assigned to a process.

Change-Id: I5b83a2504c13b384f9dff616a70ca733b648ccdf
2016-02-05 14:54:04 -08:00

22 lines
759 B
Text

# sgdisk called from vold
type sgdisk, domain, domain_deprecated;
type sgdisk_exec, exec_type, file_type;
# Allowed to read/write low-level partition tables
allow sgdisk block_device:dir search;
allow sgdisk vold_device:blk_file rw_file_perms;
# Inherit and use pty created by android_fork_execvp()
allow sgdisk devpts:chr_file { read write ioctl getattr };
# Allow stdin/out back to vold
allow sgdisk vold:fd use;
allow sgdisk vold:fifo_file { read write getattr };
# Used to probe kernel to reload partition tables
allow sgdisk self:capability sys_admin;
# Only allow entry from vold
neverallow { domain -vold } sgdisk:process transition;
neverallow * sgdisk:process dyntransition;
neverallow sgdisk { file_type fs_type -sgdisk_exec }:file entrypoint;