Jeff Sharkey | f063f46 | 2015-03-27 11:25:39 -0700 | [diff] [blame] | 1 | # blkid called from vold |
| 2 | type blkid, domain; |
| 3 | type blkid_exec, exec_type, file_type; |
| 4 | |
Jeff Sharkey | 84e1c61 | 2015-04-01 10:15:51 -0700 | [diff] [blame] | 5 | # Allowed read-only access to encrypted devices to extract UUID/label |
Jeff Sharkey | f063f46 | 2015-03-27 11:25:39 -0700 | [diff] [blame] | 6 | allow blkid block_device:dir search; |
Jeff Sharkey | 84e1c61 | 2015-04-01 10:15:51 -0700 | [diff] [blame] | 7 | allow blkid userdata_block_device:blk_file r_file_perms; |
| 8 | allow blkid dm_device:blk_file r_file_perms; |
Jeff Sharkey | f063f46 | 2015-03-27 11:25:39 -0700 | [diff] [blame] | 9 | |
| 10 | # Allow stdin/out back to vold |
| 11 | allow blkid vold:fd use; |
| 12 | allow blkid vold:fifo_file { read write getattr }; |
| 13 | |
Jeff Sharkey | 84e1c61 | 2015-04-01 10:15:51 -0700 | [diff] [blame] | 14 | # For blkid launched through popen() |
| 15 | allow blkid blkid_exec:file rx_file_perms; |
| 16 | |
Jeff Sharkey | f063f46 | 2015-03-27 11:25:39 -0700 | [diff] [blame] | 17 | # Only allow entry from vold |
| 18 | neverallow { domain -vold } blkid:process transition; |
| 19 | neverallow domain blkid:process dyntransition; |
Jeff Sharkey | 84e1c61 | 2015-04-01 10:15:51 -0700 | [diff] [blame] | 20 | neverallow blkid { file_type fs_type -blkid_exec -shell_exec }:file entrypoint; |