cedee697c3
Allow error reporting via the pty supplied by init.
Allow vold to invoke fsck for checking volumes.
Addresses denials such as:
avc: denied { ioctl } for pid=133 comm="e2fsck" path="/dev/pts/0" dev="devpts" ino=3 scontext=u:r:fsck:s0 tcontext=u:object_r:devpts:s0 tclass=chr_file
avc: denied { execute } for pid=201 comm="vold" name="e2fsck" dev="mmcblk0p25" ino=98 scontext=u:r:vold:s0 tcontext=u:object_r:fsck_exec:s0 tclass=file
These denials show up if you have encrypted userdata.
Change-Id: Idc8e6f83a0751f17cde0ee5e4b1fbd6efe164e4c
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
27 lines
988 B
Plaintext
27 lines
988 B
Plaintext
# e2fsck or any other fsck program run by init.
|
|
type fsck, domain;
|
|
type fsck_exec, exec_type, file_type;
|
|
permissive_or_unconfined(fsck)
|
|
|
|
init_daemon_domain(fsck)
|
|
|
|
# /dev/__null__ created by init prior to policy load,
|
|
# open fd inherited by fsck.
|
|
allow fsck tmpfs:chr_file { read write ioctl };
|
|
|
|
# Inherit and use pty created by android_fork_execvp_ext().
|
|
allow fsck devpts:chr_file { read write ioctl };
|
|
|
|
# Run e2fsck on block devices.
|
|
# TODO: Assign userdata and cache block device types to the corresponding
|
|
# block devices in all device policies, and then remove access to
|
|
# block_device:blk_file from here.
|
|
allow fsck block_device:blk_file rw_file_perms;
|
|
allow fsck userdata_block_device:blk_file rw_file_perms;
|
|
allow fsck cache_block_device:blk_file rw_file_perms;
|
|
|
|
# Only allow entry from init via the e2fsck binary.
|
|
neverallow { domain -init } fsck:process transition;
|
|
neverallow domain fsck:process dyntransition;
|
|
neverallow fsck { file_type fs_type -fsck_exec}:file entrypoint;
|