Home | History | Annotate | Download | only in public 
      1 # sgdisk called from vold
      2 type sgdisk, domain;
      3 type sgdisk_exec, exec_type, file_type;
      4 
      5 # Allowed to read/write low-level partition tables
      6 allow sgdisk block_device:dir search;
      7 allow sgdisk vold_device:blk_file rw_file_perms;
      8 
      9 # Inherit and use pty created by android_fork_execvp()
     10 allow sgdisk devpts:chr_file { read write ioctl getattr };
     11 
     12 # Allow stdin/out back to vold
     13 allow sgdisk vold:fd use;
     14 allow sgdisk vold:fifo_file { read write getattr };
     15 
     16 # Used to probe kernel to reload partition tables
     17 allow sgdisk self:global_capability_class_set sys_admin;
     18 
     19 # Only allow entry from vold
     20 neverallow { domain -vold } sgdisk:process transition;
     21 neverallow * sgdisk:process dyntransition;
     22 neverallow sgdisk { file_type fs_type -sgdisk_exec }:file entrypoint;
     23