| Alex Klyubin | 83ac242 | 2017-02-07 12:41:44 -0800 | [diff] [blame] | 1 | # blkid for untrusted block devices |
| 2 | |
| 3 | # Allowed read-only access to vold block devices to extract UUID/label |
| 4 | allow blkid_untrusted block_device:dir search; |
| 5 | allow blkid_untrusted vold_device:blk_file r_file_perms; |
| 6 | |
| 7 | # Allow stdin/out back to vold |
| 8 | allow blkid_untrusted vold:fd use; |
| 9 | allow blkid_untrusted vold:fifo_file { read write getattr }; |
| 10 | |
| 11 | # For blkid launched through popen() |
| 12 | allow blkid_untrusted blkid_exec:file rx_file_perms; |
| 13 | |
| 14 | ### |
| 15 | ### neverallow rules |
| 16 | ### |
| 17 | |
| 18 | # Untrusted blkid should never be run on block devices holding sensitive data |
| 19 | neverallow blkid_untrusted { |
| 20 | boot_block_device |
| 21 | frp_block_device |
| 22 | metadata_block_device |
| 23 | recovery_block_device |
| 24 | root_block_device |
| 25 | swap_block_device |
| 26 | system_block_device |
| 27 | userdata_block_device |
| 28 | cache_block_device |
| 29 | dm_device |
| 30 | }:blk_file no_rw_file_perms; |
| 31 | |
| 32 | # Only allow entry from vold via blkid binary |
| 33 | neverallow { domain -vold } blkid_untrusted:process transition; |
| 34 | neverallow * blkid_untrusted:process dyntransition; |
| 35 | neverallow blkid_untrusted { file_type fs_type -blkid_exec -shell_exec }:file entrypoint; |