# SELinux policy for the blkid domain.
# blkid called from vold
#
# This file only attaches an attribute to the blkid type, so the type itself
# must be declared elsewhere. The rule that transitions vold into this domain
# is also not in this file.

# Mark blkid with the coredomain attribute.
typeattribute blkid coredomain;

# Label type for the blkid executable, carrying the exec_type and file_type
# attributes. NOTE(review): the path-to-label mapping is presumably in a
# file_contexts entry outside this file; confirm.
type blkid_exec, exec_type, file_type;

# Allowed read-only access to encrypted devices to extract UUID/label
# Only directory search plus the r_file_perms set is granted on the block
# nodes; no write permission is granted by the rules in this file. Raw read of
# the userdata and device-mapper nodes is still sensitive, so keep this list
# as small as the UUID/label probe needs.
# NOTE(review): r_file_perms is a macro defined outside this file; check its
# expansion when auditing the exact permissions.
allow blkid block_device:dir search;
allow blkid userdata_block_device:blk_file r_file_perms;
allow blkid dm_device:blk_file r_file_perms;

# Allow stdin/out back to vold
# Use of file descriptors owned by vold, and read/write/getattr on vold's
# pipes; no open or create permission on the pipes is granted here.
allow blkid vold:fd use;
allow blkid vold:fifo_file { read write getattr };

# For blkid launched through popen()
# Lets the domain read and execute its own binary.
allow blkid blkid_exec:file rx_file_perms;

# Only allow entry from vold
# neverallow rules are build-time assertions: they grant nothing, and the
# policy build fails if any allow rule contradicts them.
# 1. No domain other than vold may transition into blkid.
neverallow { domain -vold } blkid:process transition;
# 2. No domain at all, vold included, may dyntransition into blkid.
neverallow * blkid:process dyntransition;
# 3. blkid may be entered only through a file labelled blkid_exec or
#    shell_exec. NOTE(review): the shell_exec exception presumably exists
#    because popen() runs the command through the shell; confirm. It leaves the
#    shell binary as a permitted entrypoint, so review any matching allow rule.
neverallow blkid { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;