Skip to content
Snippets Groups Projects
Normal view Permalink
blkid_untrusted.te 1.07 KiB
Newer Older
  • Learn to ignore specific revisions
    • Jeff Sharkey's avatar
    Different blkid and fsck execution domains.
    Jeff Sharkey committed
    1 
    # blkid for untrusted block devices
    Jeff Vander Stoep's avatar
    Remove domain_deprecated from sdcard domains  
    Jeff Vander Stoep committed
    2 
    type blkid_untrusted, domain;
    Jeff Sharkey's avatar
    Different blkid and fsck execution domains.
    Jeff Sharkey committed
    3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 
    
# Allowed read-only access to vold block devices to extract UUID/label
allow blkid_untrusted block_device:dir search;
allow blkid_untrusted vold_device:blk_file r_file_perms;

# Allow stdin/out back to vold
allow blkid_untrusted vold:fd use;
allow blkid_untrusted vold:fifo_file { read write getattr };

# For blkid launched through popen()
allow blkid_untrusted blkid_exec:file rx_file_perms;

###
### neverallow rules
###

# Untrusted blkid should never be run on block devices holding sensitive data
neverallow blkid_untrusted {
  boot_block_device
  frp_block_device
  metadata_block_device
  recovery_block_device
  root_block_device
  swap_block_device
  system_block_device
  userdata_block_device
  cache_block_device
  dm_device
}:blk_file no_rw_file_perms;

# Only allow entry from vold via blkid binary
neverallow { domain -vold } blkid_untrusted:process transition;
neverallow domain blkid_untrusted:process dyntransition;
neverallow blkid_untrusted { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;