1 # Any toolbox command run by init. 2 # At present, the only known usage is for running mkswap via fs_mgr. 3 # Do NOT use this domain for toolbox when run by any other domain. 4 type toolbox, domain; 5 type toolbox_exec, exec_type, file_type; 6 7 init_daemon_domain(toolbox) 8 9 # /dev/__null__ created by init prior to policy load, 10 # open fd inherited by fsck. 11 allow toolbox tmpfs:chr_file { read write ioctl }; 12 13 # Inherit and use pty created by android_fork_execvp_ext(). 14 allow toolbox devpts:chr_file { read write getattr ioctl }; 15 16 # mkswap-specific. 17 # Read/write block devices used for swap partitions. 18 # Assign swap_block_device type any such partition in your 19 # device/<vendor>/<product>/sepolicy/file_contexts file. 20 allow toolbox block_device:dir search; 21 allow toolbox swap_block_device:blk_file rw_file_perms; 22 23 # Only allow entry from init via the toolbox binary. 24 neverallow { domain -init } toolbox:process transition; 25 neverallow domain toolbox:process dyntransition; 26 neverallow toolbox { file_type fs_type -toolbox_exec}:file entrypoint; 27
