    Different blkid and fsck execution domains. · 84e1c611
    Jeff Sharkey authored
    vold works with two broad classes of block devices: untrusted devices
    that come in from the wild, and trusted devices.
    
    When running blkid and fsck, we pick which SELinux execution domain
    to use based on which class the device belongs to.
    
    Bug: 19993667
    Change-Id: I44f5bac5dd94f0f76f3e4ef50ddbde5a32bd17a5
blkid.te 694 B
# blkid called from vold
type blkid, domain;
type blkid_exec, exec_type, file_type;

# Allowed read-only access to encrypted devices to extract UUID/label
allow blkid block_device:dir search;
allow blkid userdata_block_device:blk_file r_file_perms;
allow blkid dm_device:blk_file r_file_perms;

# Allow stdin/out back to vold
allow blkid vold:fd use;
allow blkid vold:fifo_file { read write getattr };

# For blkid launched through popen()
allow blkid blkid_exec:file rx_file_perms;

# Only allow entry from vold
neverallow { domain -vold } blkid:process transition;
neverallow domain blkid:process dyntransition;
neverallow blkid { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;
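
As an added example (not part of the sepolicy tree or of this commit), the following Python lint reads the allow rules from blkid.te above and confirms that the blkid domain's access to block devices stays read-only, as the policy comment states. The macro expansions in `MACROS` and the `MUTATING` set are assumptions made for this example; they are not shown on the page.

```python
import re

# Constructed input: the allow rules copied from blkid.te above.
POLICY = """
allow blkid block_device:dir search;
allow blkid userdata_block_device:blk_file r_file_perms;
allow blkid dm_device:blk_file r_file_perms;
allow blkid vold:fd use;
allow blkid vold:fifo_file { read write getattr };
allow blkid blkid_exec:file rx_file_perms;
"""

# Assumed expansions of the policy macros used above (not shown on the page).
MACROS = {
    "r_file_perms": {"getattr", "open", "read", "ioctl", "lock"},
    "x_file_perms": {"getattr", "execute", "execute_no_trans"},
}
MACROS["rx_file_perms"] = MACROS["r_file_perms"] | MACROS["x_file_perms"]

# Assumed set of permissions that change a device node or its contents.
# ioctl is not counted as mutating here.
MUTATING = {"write", "append", "create", "unlink", "rename", "setattr", "link"}

# Matches simple rules: allow <source> <target>:<class> <perm | { perms }>;
# Brace sets in the source or target position are out of scope for this lint.
RULE = re.compile(r"^\s*allow\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+)\s*;", re.M)


def expand(perms):
    """Expand a permission token or brace set into individual permissions."""
    out = set()
    for tok in perms.strip("{} ").split():
        out |= MACROS.get(tok, {tok})
    return out


def parse(policy):
    """Return (source, target, class, permission set) for each allow rule."""
    return [(s, t, c, expand(p)) for s, t, c, p in RULE.findall(policy)]


def mutating_block_access(policy, domain):
    """List (target, perms) where domain holds a mutating perm on blk_file."""
    return [(t, sorted(p & MUTATING)) for s, t, c, p in parse(policy)
            if s == domain and c == "blk_file" and p & MUTATING]


if __name__ == "__main__":
    findings = mutating_block_access(POLICY, "blkid")
    print("read-only on block devices" if not findings else findings)
```

The write permission on `vold:fifo_file` is not flagged because the check is scoped to the `blk_file` class; that rule only covers the pipe back to vold.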