private/toolbox.te - android_system_sepolicy - Gitiles

 typeattribute toolbox coredomain;

 init_daemon_domain(toolbox)

 # rm -rf in /data/misc/virtualizationservice
 allow toolbox virtualizationservice_data_file:dir { rmdir rw_dir_perms };
 allow toolbox virtualizationservice_data_file:file { getattr unlink };

 # If we can't remove these directories we try to chmod them. That
 # doesn't work, but it doesn't matter as virtualizationservice itself
 # will delete them when it starts. See b/235338094#comment39
 dontaudit toolbox virtualizationservice_data_file:dir setattr;

 # /dev/__null__ created by init prior to policy load,
 # open fd inherited by fsck.
 allow toolbox tmpfs:chr_file { read write ioctl };

 # Inherit and use pty created by android_fork_execvp_ext().
 allow toolbox devpts:chr_file { read write getattr ioctl };

 # mkswap-specific.
 # Read/write block devices used for swap partitions.
 # Assign swap_block_device type any such partition in your
 # device/<vendor>/<product>/sepolicy/file_contexts file.
 allow toolbox block_device:dir search;
 allow toolbox swap_block_device:blk_file rw_file_perms;

 # rm -rf /data/per_boot
 allow toolbox system_data_root_file:dir { remove_name write };
 allow toolbox system_data_file:dir { rmdir rw_dir_perms };
 allow toolbox system_data_file:file { getattr unlink };

 # chattr +F /data/media in init
 allow toolbox media_userdir_file:dir { r_dir_perms setattr };
 allowxperm toolbox media_userdir_file:dir ioctl { FS_IOC_SETFLAGS FS_IOC_GETFLAGS };

 ###
 ### Neverallow rules
 ###

 # Only allow entry from init via the toolbox binary.
 neverallow { domain -init } toolbox:process transition;
 neverallow * toolbox:process dyntransition;
 neverallow toolbox { file_type fs_type -toolbox_exec}:file entrypoint;
	typeattribute toolbox coredomain;

	init_daemon_domain(toolbox)

	# rm -rf in /data/misc/virtualizationservice
	allow toolbox virtualizationservice_data_file:dir { rmdir rw_dir_perms };
	allow toolbox virtualizationservice_data_file:file { getattr unlink };

	# If we can't remove these directories we try to chmod them. That
	# doesn't work, but it doesn't matter as virtualizationservice itself
	# will delete them when it starts. See b/235338094#comment39
	dontaudit toolbox virtualizationservice_data_file:dir setattr;

	# /dev/__null__ created by init prior to policy load,
	# open fd inherited by fsck.
	allow toolbox tmpfs:chr_file { read write ioctl };

	# Inherit and use pty created by android_fork_execvp_ext().
	allow toolbox devpts:chr_file { read write getattr ioctl };

	# mkswap-specific.
	# Read/write block devices used for swap partitions.
	# Assign swap_block_device type any such partition in your
	# device/<vendor>/<product>/sepolicy/file_contexts file.
	allow toolbox block_device:dir search;
	allow toolbox swap_block_device:blk_file rw_file_perms;

	# rm -rf /data/per_boot
	allow toolbox system_data_root_file:dir { remove_name write };
	allow toolbox system_data_file:dir { rmdir rw_dir_perms };
	allow toolbox system_data_file:file { getattr unlink };

	# chattr +F /data/media in init
	allow toolbox media_userdir_file:dir { r_dir_perms setattr };
	allowxperm toolbox media_userdir_file:dir ioctl { FS_IOC_SETFLAGS FS_IOC_GETFLAGS };

	###
	### Neverallow rules
	###

	# Only allow entry from init via the toolbox binary.
	neverallow { domain -init } toolbox:process transition;
	neverallow * toolbox:process dyntransition;
	neverallow toolbox { file_type fs_type -toolbox_exec}:file entrypoint;