# blkid called from vold

typeattribute blkid coredomain;

type blkid_exec, system_file_type, exec_type, file_type;

# Allowed read-only access to encrypted devices to extract UUID/label
allow blkid block_device:dir search;
allow blkid userdata_block_device:blk_file r_file_perms;
allow blkid dm_device:blk_file r_file_perms;

# Allow stdin/out back to vold
allow blkid vold:fd use;
allow blkid vold:fifo_file { read write getattr };

# For blkid launched through popen()
allow blkid blkid_exec:file rx_file_perms;

# Only allow entry from vold
neverallow { domain -vold } blkid:process transition;
neverallow * blkid:process dyntransition;
neverallow blkid { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;