blob: e5a9152e2ab0d5120d932366d905f3ce10c8005d [file] [log] [blame]
Jeff Sharkeyf063f462015-03-27 11:25:39 -07001# sgdisk called from vold
Nick Kralevich6a259cc2016-12-09 19:30:39 -08002type sgdisk, domain;
Nick Kralevich5e372712018-09-27 10:21:37 -07003type sgdisk_exec, system_file_type, exec_type, file_type;
Jeff Sharkeyf063f462015-03-27 11:25:39 -07004
5# Allowed to read/write low-level partition tables
6allow sgdisk block_device:dir search;
7allow sgdisk vold_device:blk_file rw_file_perms;
Nick Kralevich79d36512018-11-01 08:23:00 -07008# HDIO_GETGEO needed to get the number of disk heads
9# on vold_device. How quaint.
10allowxperm sgdisk vold_device:blk_file ioctl { HDIO_GETGEO };
11# sgdisk also uses BLKGETSIZE and BLKGETSIZE64. BLKGETSIZE64
12# is granted to all block device users in domain.te, so
13# no need to mention it here. sgdisk should not be
14# using the BLKGETSIZE ioctl as it is useless for devices over
15# 2T in size, but we allow it for now and hope that sgdisk
16# will fix their bug.
17allowxperm sgdisk vold_device:blk_file ioctl { BLKGETSIZE };
Nick Kralevich9d8f7ea2018-11-02 14:03:08 -070018# Force a re-read of the partition table.
19allowxperm sgdisk vold_device:blk_file ioctl { BLKRRPART };
Alistair Delvafeda4b12020-05-15 10:51:39 -070020# Allow reading of the physical block size.
21allowxperm sgdisk vold_device:blk_file ioctl { BLKPBSZGET };
Jeff Sharkeyf063f462015-03-27 11:25:39 -070022
Jeff Sharkey81888302015-03-31 18:10:19 -070023# Inherit and use pty created by android_fork_execvp()
24allow sgdisk devpts:chr_file { read write ioctl getattr };
25
Jeff Sharkeyf063f462015-03-27 11:25:39 -070026# Allow stdin/out back to vold
27allow sgdisk vold:fd use;
28allow sgdisk vold:fifo_file { read write getattr };
29
Jeff Sharkey81888302015-03-31 18:10:19 -070030# Used to probe kernel to reload partition tables
Benjamin Gordon9b2e0cb2017-11-09 15:51:26 -070031allow sgdisk self:global_capability_class_set sys_admin;
Jeff Sharkey81888302015-03-31 18:10:19 -070032
Jeff Sharkeyf063f462015-03-27 11:25:39 -070033# Only allow entry from vold
34neverallow { domain -vold } sgdisk:process transition;
Nick Kralevich35a14512016-02-05 14:48:03 -080035neverallow * sgdisk:process dyntransition;
Jeff Sharkeyf063f462015-03-27 11:25:39 -070036neverallow sgdisk { file_type fs_type -sgdisk_exec }:file entrypoint;