# SELinux policy for sgdisk, the partition-table tool that vold executes.
type sgdisk, domain;
type sgdisk_exec, exec_type, file_type, system_file_type;

# Low-level partition table access: sgdisk may search the block device
# directory and read/write the block devices labelled vold_device.
allow sgdisk block_device:dir search;
allow sgdisk vold_device:blk_file rw_file_perms;

# ioctl commands sgdisk may issue on vold_device, listed individually so
# that each one stays justified. BLKGETSIZE64 is left out on purpose:
# domain.te already grants it to all block device users.
allowxperm sgdisk vold_device:blk_file ioctl {
  # Disk geometry; needed to get the number of disk heads.
  HDIO_GETGEO
  # Legacy size query. It is useless for devices over 2T in size, so it
  # is allowed only for now, until sgdisk stops using it.
  BLKGETSIZE
  # Force a re-read of the partition table.
  BLKRRPART
  # Read the physical block size.
  BLKPBSZGET
};

# Inherit and use the pty created by android_fork_execvp().
allow sgdisk devpts:chr_file { getattr ioctl read write };

# stdin/stdout travel back to vold over descriptors and pipes it owns.
allow sgdisk vold:fd use;
allow sgdisk vold:fifo_file { getattr read write };

# CAP_SYS_ADMIN, used to make the kernel reload partition tables.
# NOTE(review): this capability covers far more than that single use, so
# the entry restrictions below carry weight: they limit who can start
# code in this domain.
allow sgdisk self:global_capability_class_set sys_admin;

# Entry restrictions.
# Only vold may transition into sgdisk at exec time.
neverallow { domain -vold } sgdisk:process transition;
# No domain may switch into sgdisk dynamically.
neverallow * sgdisk:process dyntransition;
# sgdisk_exec is the only file that may serve as the domain entrypoint.
neverallow sgdisk { file_type fs_type -sgdisk_exec }:file entrypoint;