| Inseob Kim | ff43be2 | 2021-06-07 16:56:56 +0900 | [diff] [blame] | 1 | # blkid called from vold |
| 2 | |
| 3 | typeattribute blkid coredomain; |
| 4 | |
| 5 | type blkid_exec, system_file_type, exec_type, file_type; |
| 6 | |
| 7 | # Allowed read-only access to encrypted devices to extract UUID/label |
| 8 | allow blkid block_device:dir search; |
| 9 | allow blkid userdata_block_device:blk_file r_file_perms; |
| 10 | allow blkid dm_device:blk_file r_file_perms; |
| 11 | |
| 12 | # Allow stdin/out back to vold |
| 13 | allow blkid vold:fd use; |
| 14 | allow blkid vold:fifo_file { read write getattr }; |
| 15 | |
| 16 | # For blkid launched through popen() |
| 17 | allow blkid blkid_exec:file rx_file_perms; |
| 18 | |
| 19 | # Only allow entry from vold |
| 20 | neverallow { domain -vold } blkid:process transition; |
| 21 | neverallow * blkid:process dyntransition; |
| 22 | neverallow blkid { file_type fs_type -blkid_exec -shell_exec }:file entrypoint; |