Merge "Fix e2fsck denials introduced by latest e2fsprogs merge."
diff --git a/private/domain.te b/private/domain.te
index 63e1bde..5bb4831 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -397,6 +397,7 @@
# Limit directory operations that doesn't need to do app data isolation.
neverallow {
domain
+ -fsck
-init
-installd
-zygote
diff --git a/public/fsck.te b/public/fsck.te
index 7a9fbee..1fb5d0d 100644
--- a/public/fsck.te
+++ b/public/fsck.te
@@ -14,7 +14,6 @@
allow fsck vold:fifo_file { read write getattr };
# Run fsck on certain block devices
-allow fsck block_device:dir search;
allow fsck userdata_block_device:blk_file rw_file_perms;
allow fsck cache_block_device:blk_file rw_file_perms;
allow fsck dm_device:blk_file rw_file_perms;
@@ -22,6 +21,12 @@
allow fsck system_block_device:blk_file rw_file_perms;
')
+# e2fsck performs a comprehensive search of /proc/mounts to check whether the
+# checked filesystem is currently mounted.
+allow fsck metadata_file:dir getattr;
+allow fsck block_device:dir search;
+allow fsck mirror_data_file:dir search;
+
# For the block devices where we have ioctl access,
# allow at a minimum the following common fsck ioctls.
allowxperm fsck dev_type:blk_file ioctl {