public/fsck_untrusted.te - LeafOS-Project/android_system_sepolicy - Gitiles

 # Any fsck program run on untrusted block devices
 type fsck_untrusted, domain;

 # Inherit and use pty created by android_fork_execvp_ext().
 allow fsck_untrusted devpts:chr_file { read write ioctl getattr };

 # Allow stdin/out back to vold
 allow fsck_untrusted vold:fd use;
 allow fsck_untrusted vold:fifo_file { read write getattr };

 # Run fsck on vold block devices
 allow fsck_untrusted block_device:dir search;
 allow fsck_untrusted vold_device:blk_file rw_file_perms;

 allow fsck_untrusted proc_mounts:file r_file_perms;

 # To determine if it is safe to run fsck on a filesystem, e2fsck
 # must first determine if the filesystem is mounted. To do that,
 # e2fsck scans through /proc/mounts and collects all the mounted
 # block devices. With that information, it runs stat() on each block
 # device, comparing the major and minor numbers to the filesystem
 # passed in on the command line. If there is a match, then the filesystem
 # is currently mounted and running fsck is dangerous.
 # Allow stat access to all block devices so that fsck can compare
 # major/minor values.
 allow fsck_untrusted dev_type:blk_file getattr;

 ###
 ### neverallow rules
 ###

 # Untrusted fsck should never be run on block devices holding sensitive data
 neverallow fsck_untrusted {
   boot_block_device
   frp_block_device
   metadata_block_device
   recovery_block_device
   root_block_device
   swap_block_device
   system_block_device
   userdata_block_device
   cache_block_device
   dm_device
 }:blk_file no_rw_file_perms;

 # Only allow entry from vold via fsck binaries
 neverallow { domain -vold } fsck_untrusted:process transition;
 neverallow * fsck_untrusted:process dyntransition;
 neverallow fsck_untrusted { file_type fs_type -fsck_exec }:file entrypoint;

 # fsck_untrusted should never have sys_admin permissions. If it requires sys_admin
 # permissions, that is a code mistake that needs to be fixed, not a permission that
 # should be granted. Same with setgid and setuid.
 neverallow fsck_untrusted self:global_capability_class_set { setgid setuid sys_admin };

 ###
 ### dontaudit rules
 ###

 # Ignores attempts to access sysfs. fsck binaries seem to like trying to go
 # here, but nothing bad happens if they can't, and they shouldn't be allowed.
 dontaudit fsck_untrusted sysfs:file rw_file_perms;
 dontaudit fsck_untrusted sysfs_dm:file rw_file_perms;
 dontaudit fsck_untrusted sysfs_dm:dir rw_dir_perms;

 # Ignore attempts to access tmpfs. fsck don't need to do this.
 dontaudit fsck_untrusted tmpfs:lnk_file read;
	# Any fsck program run on untrusted block devices
	type fsck_untrusted, domain;

	# Inherit and use pty created by android_fork_execvp_ext().
	allow fsck_untrusted devpts:chr_file { read write ioctl getattr };

	# Allow stdin/out back to vold
	allow fsck_untrusted vold:fd use;
	allow fsck_untrusted vold:fifo_file { read write getattr };

	# Run fsck on vold block devices
	allow fsck_untrusted block_device:dir search;
	allow fsck_untrusted vold_device:blk_file rw_file_perms;

	allow fsck_untrusted proc_mounts:file r_file_perms;

	# To determine if it is safe to run fsck on a filesystem, e2fsck
	# must first determine if the filesystem is mounted. To do that,
	# e2fsck scans through /proc/mounts and collects all the mounted
	# block devices. With that information, it runs stat() on each block
	# device, comparing the major and minor numbers to the filesystem
	# passed in on the command line. If there is a match, then the filesystem
	# is currently mounted and running fsck is dangerous.
	# Allow stat access to all block devices so that fsck can compare
	# major/minor values.
	allow fsck_untrusted dev_type:blk_file getattr;

	###
	### neverallow rules
	###

	# Untrusted fsck should never be run on block devices holding sensitive data
	neverallow fsck_untrusted {
	boot_block_device
	frp_block_device
	metadata_block_device
	recovery_block_device
	root_block_device
	swap_block_device
	system_block_device
	userdata_block_device
	cache_block_device
	dm_device
	}:blk_file no_rw_file_perms;

	# Only allow entry from vold via fsck binaries
	neverallow { domain -vold } fsck_untrusted:process transition;
	neverallow * fsck_untrusted:process dyntransition;
	neverallow fsck_untrusted { file_type fs_type -fsck_exec }:file entrypoint;

	# fsck_untrusted should never have sys_admin permissions. If it requires sys_admin
	# permissions, that is a code mistake that needs to be fixed, not a permission that
	# should be granted. Same with setgid and setuid.
	neverallow fsck_untrusted self:global_capability_class_set { setgid setuid sys_admin };

	###
	### dontaudit rules
	###

	# Ignores attempts to access sysfs. fsck binaries seem to like trying to go
	# here, but nothing bad happens if they can't, and they shouldn't be allowed.
	dontaudit fsck_untrusted sysfs:file rw_file_perms;
	dontaudit fsck_untrusted sysfs_dm:file rw_file_perms;
	dontaudit fsck_untrusted sysfs_dm:dir rw_dir_perms;

	# Ignore attempts to access tmpfs. fsck don't need to do this.
	dontaudit fsck_untrusted tmpfs:lnk_file read;