blob: 7e981bf27d9b8b5b7473d943f47591a11c1c2f76 [file] [log] [blame]
# Any fsck program run on untrusted block devices
type fsck_untrusted, domain;
# Inherit and use pty created by android_fork_execvp_ext().
allow fsck_untrusted devpts:chr_file { read write ioctl getattr };
# Allow stdin/out back to vold
allow fsck_untrusted vold:fd use;
allow fsck_untrusted vold:fifo_file { read write getattr };
# Run fsck on vold block devices
allow fsck_untrusted block_device:dir search;
allow fsck_untrusted vold_device:blk_file rw_file_perms;
allow fsck_untrusted proc_mounts:file r_file_perms;
# To determine if it is safe to run fsck on a filesystem, e2fsck
# must first determine if the filesystem is mounted. To do that,
# e2fsck scans through /proc/mounts and collects all the mounted
# block devices. With that information, it runs stat() on each block
# device, comparing the major and minor numbers to the filesystem
# passed in on the command line. If there is a match, then the filesystem
# is currently mounted and running fsck is dangerous.
# Allow stat access to all block devices so that fsck can compare
# major/minor values.
allow fsck_untrusted dev_type:blk_file getattr;
###
### neverallow rules
###
# Untrusted fsck should never be run on block devices holding sensitive data
neverallow fsck_untrusted {
boot_block_device
frp_block_device
metadata_block_device
recovery_block_device
root_block_device
swap_block_device
system_block_device
userdata_block_device
cache_block_device
dm_device
}:blk_file no_rw_file_perms;
# Only allow entry from vold via fsck binaries
neverallow { domain -vold } fsck_untrusted:process transition;
neverallow * fsck_untrusted:process dyntransition;
neverallow fsck_untrusted { file_type fs_type -fsck_exec }:file entrypoint;
# fsck_untrusted should never have sys_admin permissions. If it requires sys_admin
# permissions, that is a code mistake that needs to be fixed, not a permission that
# should be granted. Same with setgid and setuid.
neverallow fsck_untrusted self:global_capability_class_set { setgid setuid sys_admin };
###
### dontaudit rules
###
# Ignores attempts to access sysfs. fsck binaries seem to like trying to go
# here, but nothing bad happens if they can't, and they shouldn't be allowed.
dontaudit fsck_untrusted sysfs:file rw_file_perms;
dontaudit fsck_untrusted sysfs_dm:file rw_file_perms;
dontaudit fsck_untrusted sysfs_dm:dir rw_dir_perms;
# Ignore attempts to access tmpfs. fsck don't need to do this.
dontaudit fsck_untrusted tmpfs:lnk_file read;