1 # Any fsck program run on untrusted block devices 2 type fsck_untrusted, domain; 3 4 # Inherit and use pty created by android_fork_execvp_ext(). 5 allow fsck_untrusted devpts:chr_file { read write ioctl getattr }; 6 7 # Allow stdin/out back to vold 8 allow fsck_untrusted vold:fd use; 9 allow fsck_untrusted vold:fifo_file { read write getattr }; 10 11 # Run fsck on vold block devices 12 allow fsck_untrusted block_device:dir search; 13 allow fsck_untrusted vold_device:blk_file rw_file_perms; 14 15 allow fsck_untrusted proc_mounts:file r_file_perms; 16 17 # To determine if it is safe to run fsck on a filesystem, e2fsck 18 # must first determine if the filesystem is mounted. To do that, 19 # e2fsck scans through /proc/mounts and collects all the mounted 20 # block devices. With that information, it runs stat() on each block 21 # device, comparing the major and minor numbers to the filesystem 22 # passed in on the command line. If there is a match, then the filesystem 23 # is currently mounted and running fsck is dangerous. 24 # Allow stat access to all block devices so that fsck can compare 25 # major/minor values. 26 allow fsck_untrusted dev_type:blk_file getattr; 27 28 ### 29 ### neverallow rules 30 ### 31 32 # Untrusted fsck should never be run on block devices holding sensitive data 33 neverallow fsck_untrusted { 34 boot_block_device 35 frp_block_device 36 metadata_block_device 37 recovery_block_device 38 root_block_device 39 swap_block_device 40 system_block_device 41 userdata_block_device 42 cache_block_device 43 dm_device 44 }:blk_file no_rw_file_perms; 45 46 # Only allow entry from vold via fsck binaries 47 neverallow { domain -vold } fsck_untrusted:process transition; 48 neverallow * fsck_untrusted:process dyntransition; 49 neverallow fsck_untrusted { file_type fs_type -fsck_exec }:file entrypoint; 50
