35a1451430
Modify many "neverallow domain" rules to be "neverallow *" rules instead. This will catch more SELinux policy bugs where a label is assigned an irrelevant rule, as well as catch situations where a domain attribute is not assigned to a process. Change-Id: I5b83a2504c13b384f9dff616a70ca733b648ccdf
37 lines
1.1 KiB
Plaintext
37 lines
1.1 KiB
Plaintext
# Any fsck program run on untrusted block devices
|
|
type fsck_untrusted, domain, domain_deprecated;
|
|
|
|
# Inherit and use pty created by android_fork_execvp_ext().
|
|
allow fsck_untrusted devpts:chr_file { read write ioctl getattr };
|
|
|
|
# Allow stdin/out back to vold
|
|
allow fsck_untrusted vold:fd use;
|
|
allow fsck_untrusted vold:fifo_file { read write getattr };
|
|
|
|
# Run fsck on vold block devices
|
|
allow fsck_untrusted block_device:dir search;
|
|
allow fsck_untrusted vold_device:blk_file rw_file_perms;
|
|
|
|
###
|
|
### neverallow rules
|
|
###
|
|
|
|
# Untrusted fsck should never be run on block devices holding sensitive data
|
|
neverallow fsck_untrusted {
|
|
boot_block_device
|
|
frp_block_device
|
|
metadata_block_device
|
|
recovery_block_device
|
|
root_block_device
|
|
swap_block_device
|
|
system_block_device
|
|
userdata_block_device
|
|
cache_block_device
|
|
dm_device
|
|
}:blk_file no_rw_file_perms;
|
|
|
|
# Only allow entry from vold via fsck binaries
|
|
neverallow { domain -vold } fsck_untrusted:process transition;
|
|
neverallow * fsck_untrusted:process dyntransition;
|
|
neverallow fsck_untrusted { file_type fs_type -fsck_exec }:file entrypoint;
|