android_system_sepolicy/sgdisk.te

# sgdisk called from vold
type sgdisk, domain, domain_deprecated;
type sgdisk_exec, exec_type, file_type;

# Allowed to read/write low-level partition tables
allow sgdisk block_device:dir search;
allow sgdisk vold_device:blk_file rw_file_perms;

# Inherit and use pty created by android_fork_execvp()
allow sgdisk devpts:chr_file { read write ioctl getattr };

# Allow stdin/out back to vold
allow sgdisk vold:fd use;
allow sgdisk vold:fifo_file { read write getattr };

# Used to probe kernel to reload partition tables
allow sgdisk self:capability sys_admin;

# Only allow entry from vold
neverallow { domain -vold } sgdisk:process transition;
neverallow * sgdisk:process dyntransition;
neverallow sgdisk { file_type fs_type -sgdisk_exec }:file entrypoint;