# fsck: domain for any filesystem checker program started by init (the
# transition assertion at the end of this file also admits vold as a parent).
#
#   fsck      - process domain the checker runs in.
#   fsck_exec - label on the checker binaries; the entrypoint assertion at the
#               end of this file names it as the only file type that may be
#               used to enter the fsck domain.
type fsck, domain;
type fsck_exec, exec_type, file_type;

# init_daemon_domain() is a macro defined outside this file; presumably it
# sets up the init -> fsck transition on exec of fsck_exec -- confirm against
# the macro definition.
init_daemon_domain(fsck)

# /dev/__null__ is created by init before the policy is loaded, and fsck
# inherits an already-open fd to it. "open" is not granted: fsck can use the
# descriptor it was handed, but cannot open tmpfs character devices by path.
allow fsck tmpfs:chr_file { read write ioctl };

# Inherit and use the pty created by android_fork_execvp_ext(). As with the
# rule above there is no "open", only use of the inherited descriptor.
allow fsck devpts:chr_file { read write ioctl getattr };

# stdin/stdout are wired back to vold: fsck may use fds inherited from vold
# and read/write the pipes behind them (again without "open").
allow fsck vold:fd use;
allow fsck vold:fifo_file { read write getattr };

# Block devices fsck is allowed to check. Raw read/write on a block device
# bypasses the per-file labelling of the filesystem stored on it, so this set
# is the sensitive part of the domain and should stay as small as possible.
# rw_file_perms is a permission macro defined outside this file.
# NOTE(review): dm_device looks like one shared label for device-mapper
# nodes, which would make this grant as wide as whatever is mapped under that
# label -- confirm which dm targets exist on the device.
allow fsck block_device:dir search;
allow fsck {
  userdata_block_device
  cache_block_device
  dm_device
}:blk_file rw_file_perms;

###
### neverallow rules
###

# fsck must never be run on these block devices. neverallow is an assertion
# checked when the policy is compiled: an allow rule added anywhere else that
# grants fsck a permission from no_rw_file_perms (macro defined outside this
# file) on one of these types fails the build instead of quietly widening
# access.
# The list is enumerated, not derived from an attribute: a block-device type
# introduced later is not covered until it is added here.
neverallow fsck {
  boot_block_device
  frp_block_device
  metadata_block_device
  recovery_block_device
  root_block_device
  swap_block_device
  system_block_device
  vold_device
}:blk_file no_rw_file_perms;

# Entry into the fsck domain is constrained three ways:
#   - only init and vold may transition into it on exec;
#   - no domain at all may enter it through dyntransition;
#   - fsck_exec is the only file type that may serve as its entrypoint.
# Together these tie the block-device access granted above to the labelled
# fsck binaries, started by init or vold.
neverallow { domain -init -vold } fsck:process transition;
neverallow domain fsck:process dyntransition;
neverallow fsck { file_type fs_type -fsck_exec }:file entrypoint;