# Any toolbox command run by init.
# At present, the only known usage is for running mkswap via fs_mgr.
# Do NOT use this domain for toolbox when run by any other domain.
# The neverallow rules at the end of this file enforce that restriction:
# only init may transition into this domain, and only through a file
# labeled toolbox_exec.
type toolbox, domain;
# Label for the toolbox executable. It is the only file type that the
# entrypoint neverallow below leaves available for entering this domain.
type toolbox_exec, exec_type, file_type;

# /dev/__null__ created by init prior to policy load,
# open fd inherited by fsck.
# NOTE(review): this file defines the toolbox domain, so "fsck" above looks
# carried over from another policy file; confirm which process inherits the fd.
# The rule is type-based, so it covers every chr_file labeled tmpfs, not only
# that one node. "open" is not in the permission set, so this rule by itself
# only lets the domain use a descriptor that is already open.
allow toolbox tmpfs:chr_file { read write ioctl };

# Inherit and use pty created by android_fork_execvp_ext().
# As above, "open" is not granted: the pty is reachable only through the
# inherited descriptor, not by opening a devpts node by path.
allow toolbox devpts:chr_file { read write getattr ioctl };

# mkswap-specific.
# Read/write block devices used for swap partitions.
# Assign swap_block_device type to any such partition in your
# device/<vendor>/<product>/sepolicy/file_contexts file.
# Label only real swap partitions this way: the rule below gives this domain
# raw read/write access to every block device carrying that type.
# (rw_file_perms is a permission macro defined outside this file.)
# The dir search permission lets the domain traverse the directory labeled
# block_device to reach the node; it does not grant access to block devices
# of other types.
allow toolbox block_device:dir search;
allow toolbox swap_block_device:blk_file rw_file_perms;

# Only allow entry from init via the toolbox binary.
# neverallow rules are assertions checked when the policy is built; an allow
# rule elsewhere that contradicts one of them fails the build.
#  1. No domain other than init may be granted an exec-time transition
#     into toolbox.
#  2. No domain at all may be granted a dynamic transition into toolbox.
#  3. toolbox may not use any file other than one labeled toolbox_exec as
#     its entrypoint.
neverallow { domain -init } toolbox:process transition;
neverallow * toolbox:process dyntransition;
neverallow toolbox { file_type fs_type -toolbox_exec}:file entrypoint;