blob: 59c3a9c73cfe2686245515d7baa91576fe9a3c54 [file] [log] [blame]
Stephen Smalley8a0c25e2014-09-23 09:11:30 -04001# Any toolbox command run by init.
2# At present, the only known usage is for running mkswap via fs_mgr.
3# Do NOT use this domain for toolbox when run by any other domain.
Jeff Vander Stoepc83b6882016-09-12 21:19:22 -07004type toolbox, domain;
Stephen Smalley8a0c25e2014-09-23 09:11:30 -04005type toolbox_exec, exec_type, file_type;
Stephen Smalley8a0c25e2014-09-23 09:11:30 -04006
Stephen Smalley8a0c25e2014-09-23 09:11:30 -04007# /dev/__null__ created by init prior to policy load,
8# open fd inherited by fsck.
9allow toolbox tmpfs:chr_file { read write ioctl };
10
11# Inherit and use pty created by android_fork_execvp_ext().
Nick Kralevichd94b78c2014-12-19 16:19:05 -080012allow toolbox devpts:chr_file { read write getattr ioctl };
Stephen Smalley8a0c25e2014-09-23 09:11:30 -040013
14# mkswap-specific.
15# Read/write block devices used for swap partitions.
16# Assign swap_block_device type any such partition in your
17# device/<vendor>/<product>/sepolicy/file_contexts file.
Nick Kralevich0bc6c802014-12-19 17:21:52 -080018allow toolbox block_device:dir search;
Stephen Smalley8a0c25e2014-09-23 09:11:30 -040019allow toolbox swap_block_device:blk_file rw_file_perms;
20
21# Only allow entry from init via the toolbox binary.
22neverallow { domain -init } toolbox:process transition;
Nick Kralevich35a14512016-02-05 14:48:03 -080023neverallow * toolbox:process dyntransition;
Stephen Smalley8a0c25e2014-09-23 09:11:30 -040024neverallow toolbox { file_type fs_type -toolbox_exec}:file entrypoint;