# SELinux policy for blkid_untrusted: the blkid instance that vold runs
# against block devices whose contents are not trusted. The domain gets
# the minimum it needs to read filesystem metadata and report the
# UUID/label back to vold, and nothing more.

typeattribute blkid_untrusted coredomain;

# Executable: blkid is started by vold via popen(), so the domain needs
# read+execute on its own binary.
allow blkid_untrusted blkid_exec:file rx_file_perms;

# Input: read-only access to the block devices vold hands over. Only the
# vold_device label is reachable, and only with read permissions, since
# the tool extracts metadata and never writes to the device.
allow blkid_untrusted block_device:dir search;
allow blkid_untrusted vold_device:blk_file r_file_perms;

# Output: stdin/stdout are the pipe file descriptors inherited from vold.
allow blkid_untrusted vold:fd use;
allow blkid_untrusted vold:fifo_file { getattr read write };

###
### neverallow rules (compile-time assertions on the final policy)
###

# Partitions holding sensitive or trusted data must stay out of reach of
# an untrusted blkid, regardless of what other rules a device policy adds.
# Types are listed alphabetically.
neverallow blkid_untrusted {
  boot_block_device
  cache_block_device
  dm_device
  frp_block_device
  metadata_block_device
  recovery_block_device
  root_block_device
  swap_block_device
  system_block_device
  userdata_block_device
}:blk_file no_rw_file_perms;

# Entry into this domain is pinned to vold executing the blkid binary:
# no dynamic transition from anywhere, no transition from any domain other
# than vold, and no entrypoint besides blkid_exec (shell_exec is also
# excepted here, presumably for shell-driven testing; confirm before
# relying on it).
neverallow * blkid_untrusted:process dyntransition;
neverallow { domain -vold } blkid_untrusted:process transition;
neverallow blkid_untrusted { fs_type file_type -shell_exec -blkid_exec }:file entrypoint;