| # Any fsck program run on untrusted block devices |
| type fsck_untrusted, domain; |
| |
| # Inherit and use pty created by android_fork_execvp_ext(). |
| allow fsck_untrusted devpts:chr_file { read write ioctl getattr }; |
| |
| # Allow stdin/out back to vold |
| allow fsck_untrusted vold:fd use; |
| allow fsck_untrusted vold:fifo_file { read write getattr }; |
| |
| # Run fsck on vold block devices |
| allow fsck_untrusted block_device:dir search; |
| allow fsck_untrusted vold_device:blk_file rw_file_perms; |
| |
| ### |
| ### neverallow rules |
| ### |
| |
| # Untrusted fsck should never be run on block devices holding sensitive data |
| neverallow fsck_untrusted { |
| boot_block_device |
| frp_block_device |
| metadata_block_device |
| recovery_block_device |
| root_block_device |
| swap_block_device |
| system_block_device |
| userdata_block_device |
| cache_block_device |
| dm_device |
| }:blk_file no_rw_file_perms; |
| |
| # Only allow entry from vold via fsck binaries |
| neverallow { domain -vold } fsck_untrusted:process transition; |
| neverallow domain fsck_untrusted:process dyntransition; |
| neverallow fsck_untrusted { file_type fs_type -fsck_exec }:file entrypoint; |