| # Any fsck program run on untrusted block devices |
| type fsck_untrusted, domain, domain_deprecated; |
| |
| # Inherit and use pty created by android_fork_execvp_ext(). |
| allow fsck_untrusted devpts:chr_file { read write ioctl getattr }; |
| |
| # Allow stdin/out back to vold |
| allow fsck_untrusted vold:fd use; |
| allow fsck_untrusted vold:fifo_file { read write getattr }; |
| |
| # Run fsck on vold block devices |
| allow fsck_untrusted block_device:dir search; |
| allow fsck_untrusted vold_device:blk_file rw_file_perms; |
| |
| r_dir_file(fsck_untrusted, proc) |
| |
| # To determine if it is safe to run fsck on a filesystem, e2fsck |
| # must first determine if the filesystem is mounted. To do that, |
| # e2fsck scans through /proc/mounts and collects all the mounted |
| # block devices. With that information, it runs stat() on each block |
| # device, comparing the major and minor numbers to the filesystem |
| # passed in on the command line. If there is a match, then the filesystem |
| # is currently mounted and running fsck is dangerous. |
| # Allow stat access to all block devices so that fsck can compare |
| # major/minor values. |
| allow fsck_untrusted dev_type:blk_file getattr; |
| |
| ### |
| ### neverallow rules |
| ### |
| |
| # Untrusted fsck should never be run on block devices holding sensitive data |
| neverallow fsck_untrusted { |
| boot_block_device |
| frp_block_device |
| metadata_block_device |
| recovery_block_device |
| root_block_device |
| swap_block_device |
| system_block_device |
| userdata_block_device |
| cache_block_device |
| dm_device |
| }:blk_file no_rw_file_perms; |
| |
| # Only allow entry from vold via fsck binaries |
| neverallow { domain -vold } fsck_untrusted:process transition; |
| neverallow * fsck_untrusted:process dyntransition; |
| neverallow fsck_untrusted { file_type fs_type -fsck_exec }:file entrypoint; |