Don't run fsck on certain block devices

Make sure we're not running fsck on block devices where it doesn't make any sense. In particular, we should not be running fsck on /system since it's mounted read-only, and any modification to that block device will screw up verified boot. Change-Id: Ic8dd4b0519b423bb5ceb814daeebef06a8f065b4

Don't run fsck on certain block devices
e491020f · Nick Kralevich · fa281f5d · e491020f
Commit e491020f authored 10 years ago by Nick Kralevich
--- a/fsck.te
+++ b/fsck.te
@@ -16,6 +16,21 @@ allow fsck block_device:dir search;
 allow fsck userdata_block_device:blk_file rw_file_perms;
 allow fsck cache_block_device:blk_file rw_file_perms;
+###
+### neverallow rules
+###
+# fsck should never be run on these block devices
+neverallow fsck {
+  boot_block_device
+  frp_block_device
+  metadata_block_device
+  recovery_block_device
+  root_block_device
+  swap_block_device
+  system_block_device
+}:blk_file no_rw_file_perms;
 # Only allow entry from init via the e2fsck binary.
 neverallow { domain -init } fsck:process transition;
 neverallow domain fsck:process dyntransition;