Merge "Allow domains to stat filesystems."
diff --git a/fsck.te b/fsck.te
index e90a49e..cdf1188 100644
--- a/fsck.te
+++ b/fsck.te
@@ -21,6 +21,10 @@
allow fsck cache_block_device:blk_file rw_file_perms;
allow fsck dm_device:blk_file rw_file_perms;
+# fsck performs a stat() on swap to verify that it is a valid
+# swap device before setting the EXT2_MF_SWAP mount flag.
+allow fsck swap_block_device:blk_file getattr;
+
###
### neverallow rules
###
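Review bot: The new `allow fsck swap_block_device:blk_file getattr;` grants only metadata access, but nothing visible in this hunk stops a later change from widening it to read or write on the swap device. The neverallow section begins at the end of the hunk and its rules are outside the view, so this may already be covered. If it is not, consider adding `neverallow fsck swap_block_device:blk_file no_rw_file_perms;` there, so the stat()-only intent stated in the comment is enforced at policy build time.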
diff --git a/vold.te b/vold.te
index 8416531..e16ec73 100644
--- a/vold.te
+++ b/vold.te
@@ -81,8 +81,8 @@
allow vold kmsg_device:chr_file rw_file_perms;
-# Run fsck.
-allow vold fsck_exec:file rx_file_perms;
+# Run fsck in the fsck domain.
+allow vold fsck_exec:file { r_file_perms execute };
# Log fsck results
allow vold fscklogs:dir rw_dir_perms;
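Review bot: With `execute_no_trans` dropped from the `fsck_exec` rule, vold can exec fsck only if a domain transition into `fsck` is defined, and that rule (for example `domain_auto_trans(vold, fsck_exec, fsck)`) is not visible in this hunk. It is worth confirming it exists elsewhere in the policy, otherwise the exec will be denied. The comment would also be clearer if it stated the omission is intentional, e.g. `# Run fsck in the fsck domain; execute_no_trans is deliberately omitted so fsck never runs as vold.`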
@@ -176,3 +176,5 @@
neverallow { domain -vold -init } vold_data_file:dir *;
neverallow { domain -vold -init } vold_data_file:notdevfile_class_set *;
neverallow { domain -vold -init } restorecon_prop:property_service set;
+
+neverallow vold fsck_exec:file execute_no_trans;
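Review bot: The added `neverallow vold fsck_exec:file execute_no_trans;` carries no comment, unlike the allow rule it protects earlier in the file. Suggest a line above it such as `# vold must run fsck only through a transition into the fsck domain, never in its own domain.` This rule is what makes a future `rx_file_perms` grant on `fsck_exec` fail to compile, so stating the intent next to it helps whoever hits that build failure.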