1 # blkid for untrusted block devices 2 type blkid_untrusted, domain; 3 4 # Allowed read-only access to vold block devices to extract UUID/label 5 allow blkid_untrusted block_device:dir search; 6 allow blkid_untrusted vold_device:blk_file r_file_perms; 7 8 # Allow stdin/out back to vold 9 allow blkid_untrusted vold:fd use; 10 allow blkid_untrusted vold:fifo_file { read write getattr }; 11 12 # For blkid launched through popen() 13 allow blkid_untrusted blkid_exec:file rx_file_perms; 14 15 ### 16 ### neverallow rules 17 ### 18 19 # Untrusted blkid should never be run on block devices holding sensitive data 20 neverallow blkid_untrusted { 21 boot_block_device 22 frp_block_device 23 metadata_block_device 24 recovery_block_device 25 root_block_device 26 swap_block_device 27 system_block_device 28 userdata_block_device 29 cache_block_device 30 dm_device 31 }:blk_file no_rw_file_perms; 32 33 # Only allow entry from vold via blkid binary 34 neverallow { domain -vold } blkid_untrusted:process transition; 35 neverallow domain blkid_untrusted:process dyntransition; 36 neverallow blkid_untrusted { file_type fs_type -blkid_exec -shell_exec }:file entrypoint; 37
