Commit 27.0 sepolicy prebuilts to master.
Bug: 65551293
Bug: 69390067
Test: None. Prebuilt only change.
Change-Id: I62304b342a8b52fd505892cc2d4ebc882148224b
diff --git a/prebuilts/api/27.0/private/blkid_untrusted.te b/prebuilts/api/27.0/private/blkid_untrusted.te
new file mode 100644
index 0000000..1256771
--- /dev/null
+++ b/prebuilts/api/27.0/private/blkid_untrusted.te
@@ -0,0 +1,37 @@
+# blkid for untrusted block devices
+
+typeattribute blkid_untrusted coredomain;
+
+# Allowed read-only access to vold block devices to extract UUID/label
+allow blkid_untrusted block_device:dir search;
+allow blkid_untrusted vold_device:blk_file r_file_perms;
+
+# Allow stdin/out back to vold
+allow blkid_untrusted vold:fd use;
+allow blkid_untrusted vold:fifo_file { read write getattr };
+
+# For blkid launched through popen()
+allow blkid_untrusted blkid_exec:file rx_file_perms;
+
+###
+### neverallow rules
+###
+
+# Untrusted blkid should never be run on block devices holding sensitive data
+neverallow blkid_untrusted {
+ boot_block_device
+ frp_block_device
+ metadata_block_device
+ recovery_block_device
+ root_block_device
+ swap_block_device
+ system_block_device
+ userdata_block_device
+ cache_block_device
+ dm_device
+}:blk_file no_rw_file_perms;
+
+# Only allow entry from vold via blkid binary
+neverallow { domain -vold } blkid_untrusted:process transition;
+neverallow * blkid_untrusted:process dyntransition;
+neverallow blkid_untrusted { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;