Don't run fsck on certain block devices
Make sure we're not running fsck on block devices where it
doesn't make any sense. In particular, we should not be running
fsck on /system since it's mounted read-only, and any modification
to that block device will screw up verified boot.
Change-Id: Ic8dd4b0519b423bb5ceb814daeebef06a8f065b4
diff --git a/fsck.te b/fsck.te
index 22ff7b1..ab4ee31 100644
--- a/fsck.te
+++ b/fsck.te
@@ -16,6 +16,21 @@
allow fsck userdata_block_device:blk_file rw_file_perms;
allow fsck cache_block_device:blk_file rw_file_perms;
+###
+### neverallow rules
+###
+
+# fsck should never be run on these block devices
+neverallow fsck {
+ boot_block_device
+ frp_block_device
+ metadata_block_device
+ recovery_block_device
+ root_block_device
+ swap_block_device
+ system_block_device
+}:blk_file no_rw_file_perms;
+
# Only allow entry from init via the e2fsck binary.
neverallow { domain -init } fsck:process transition;
neverallow domain fsck:process dyntransition;
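Review bot: The added `neverallow fsck { ... }:blk_file no_rw_file_perms;` is an enumerated denylist, so a block device type introduced into the policy later is not covered until someone extends this list by hand. The only blk_file grants visible in this hunk are for userdata_block_device and cache_block_device, so an inverted set would fail closed: `neverallow fsck { dev_type -userdata_block_device -cache_block_device }:blk_file no_rw_file_perms;`. That form has to be checked against any other allow rules in fsck.te above line 16, which the hunk does not show. The comment above the rule could also carry the reason from the commit message, for example `# fsck must never open these devices; modifying a read-only, verified partition such as /system breaks verified boot`.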