| Jeff Sharkey | f063f46 | 2015-03-27 11:25:39 -0700 | [diff] [blame] | 1 | # sgdisk called from vold |
| 2 | type sgdisk, domain; |
| 3 | type sgdisk_exec, exec_type, file_type; |
| 4 | |
| 5 | # Allowed to read/write low-level partition tables |
| 6 | allow sgdisk block_device:dir search; |
| 7 | allow sgdisk vold_device:blk_file rw_file_perms; |
| 8 | |
| Jeff Sharkey | 8188830 | 2015-03-31 18:10:19 -0700 | [diff] [blame] | 9 | # Inherit and use pty created by android_fork_execvp() |
| 10 | allow sgdisk devpts:chr_file { read write ioctl getattr }; |
| 11 | |
| Jeff Sharkey | f063f46 | 2015-03-27 11:25:39 -0700 | [diff] [blame] | 12 | # Allow stdin/out back to vold |
| 13 | allow sgdisk vold:fd use; |
| 14 | allow sgdisk vold:fifo_file { read write getattr }; |
| 15 | |
| Jeff Sharkey | 8188830 | 2015-03-31 18:10:19 -0700 | [diff] [blame] | 16 | # Used to probe kernel to reload partition tables |
| 17 | allow sgdisk self:capability sys_admin; |
| 18 | |
| Jeff Sharkey | f063f46 | 2015-03-27 11:25:39 -0700 | [diff] [blame] | 19 | # Only allow entry from vold |
| 20 | neverallow { domain -vold } sgdisk:process transition; |
| 21 | neverallow domain sgdisk:process dyntransition; |
| 22 | neverallow sgdisk { file_type fs_type -sgdisk_exec }:file entrypoint; |