From e491020f3a5beedc5239de7c054960ee8d04da42 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Thu, 19 Mar 2015 23:02:15 -0700
Subject: [PATCH] Don't run fsck on certain block devices

Make sure we're not running fsck on block devices where it
doesn't make any sense. In particular, we should not be running
fsck on /system since it's mounted read-only, and any modification
to that block device will screw up verified boot.

Change-Id: Ic8dd4b0519b423bb5ceb814daeebef06a8f065b4
---
 fsck.te | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/fsck.te b/fsck.te
index 22ff7b1a9..ab4ee3120 100644
--- a/fsck.te
+++ b/fsck.te
@@ -16,6 +16,21 @@ allow fsck block_device:dir search;
 allow fsck userdata_block_device:blk_file rw_file_perms;
 allow fsck cache_block_device:blk_file rw_file_perms;
 
+###
+### neverallow rules
+###
+
+# fsck should never be run on these block devices
+neverallow fsck {
+  boot_block_device
+  frp_block_device
+  metadata_block_device
+  recovery_block_device
+  root_block_device
+  swap_block_device
+  system_block_device
+}:blk_file no_rw_file_perms;
+
 # Only allow entry from init via the e2fsck binary.
 neverallow { domain -init } fsck:process transition;
 neverallow domain fsck:process dyntransition;
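Review bot: The added `neverallow fsck { ... }:blk_file no_rw_file_perms;` is an enumerated list, so a block-device type introduced later (for instance by device-specific policy for another read-only or verified partition) is not covered until someone adds it here. The comment above the rule says only that fsck should never run on these devices; recording the reason and the maintenance expectation would help, e.g. `# fsck must not open these devices: /system is mounted read-only and any write to it breaks verified boot.` followed by `# Add every new read-only or verified partition type to this list.` If the policy has an attribute that covers all block-device types, writing the rule as that attribute minus the types fsck is allowed on (userdata and cache in the context lines above) would fail closed instead. Whether that fits depends on parts of the policy outside this hunk.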
-- 
GitLab