1 # blkid called from vold 2 type blkid, domain; 3 type blkid_exec, exec_type, file_type; 4 5 # Allowed read-only access to encrypted devices to extract UUID/label 6 allow blkid block_device:dir search; 7 allow blkid userdata_block_device:blk_file r_file_perms; 8 allow blkid dm_device:blk_file r_file_perms; 9 10 # Allow stdin/out back to vold 11 allow blkid vold:fd use; 12 allow blkid vold:fifo_file { read write getattr }; 13 14 # For blkid launched through popen() 15 allow blkid blkid_exec:file rx_file_perms; 16 17 # Only allow entry from vold 18 neverallow { domain -vold } blkid:process transition; 19 neverallow domain blkid:process dyntransition; 20 neverallow blkid { file_type fs_type -blkid_exec -shell_exec }:file entrypoint; 21