| # sgdisk called from vold |
| type sgdisk, domain; |
| type sgdisk_exec, exec_type, file_type; |
| |
| # Allowed to read/write low-level partition tables |
| allow sgdisk block_device:dir search; |
| allow sgdisk vold_device:blk_file rw_file_perms; |
| |
| # Inherit and use pty created by android_fork_execvp() |
| allow sgdisk devpts:chr_file { read write ioctl getattr }; |
| |
| # Allow stdin/out back to vold |
| allow sgdisk vold:fd use; |
| allow sgdisk vold:fifo_file { read write getattr }; |
| |
| # Used to probe kernel to reload partition tables |
| allow sgdisk self:global_capability_class_set sys_admin; |
| |
| # Only allow entry from vold |
| neverallow { domain -vold } sgdisk:process transition; |
| neverallow * sgdisk:process dyntransition; |
| neverallow sgdisk { file_type fs_type -sgdisk_exec }:file entrypoint; |