blkid.te 547 B
    # blkid: helper domain for blkid, which vold calls to extract the UUID/label from block devices
    # Type declarations: blkid runs in its own domain rather than inside vold,
    # and blkid_exec labels the executable that is permitted to enter that
    # domain (enforced by the entrypoint neverallow at the bottom).
    type blkid, domain;
    type blkid_exec, exec_type, file_type;
    
    # Allowed read-only access to vold block devices to extract UUID/label.
    # block_device:dir search lets blkid traverse the directory that holds the
    # device nodes; r_file_perms (a policy macro) grants only read-side
    # permissions on the vold_device nodes themselves, so blkid cannot write
    # to the device. That matters because the on-disk metadata blkid parses
    # presumably comes from removable media and is not trustworthy.
    # NOTE(review): the exact set r_file_perms expands to is defined elsewhere
    # in the policy - confirm it contains no write permission.
    allow blkid block_device:dir search;
    allow blkid vold_device:blk_file r_file_perms;
    
    # Allow stdin/out back to vold: blkid may use file descriptors owned by
    # vold (presumably the ones inherited across the exec) and may
    # read/write/getattr vold-labelled pipes, which carry its input and output.
    allow blkid vold:fd use;
    allow blkid vold:fifo_file { read write getattr };
    
    # Only allow entry from vold. These are neverallow assertions checked when
    # the policy is compiled, not grants: the actual transition rule must be
    # given by vold's own policy, which is not in this file.
    # - no domain other than vold may transition into blkid;
    # - no domain at all (vold included) may dyntransition into blkid, so the
    #   domain is reachable only via exec, never via a runtime setcon;
    # - blkid may be entered only through a file labelled blkid_exec.
    neverallow { domain -vold } blkid:process transition;
    neverallow domain blkid:process dyntransition;
    neverallow blkid { file_type fs_type -blkid_exec }:file entrypoint;