# sgdisk called from vold
type sgdisk, domain;
type sgdisk_exec, system_file_type, exec_type, file_type;

# Allowed to read/write low-level partition tables
allow sgdisk block_device:dir search;
allow sgdisk vold_device:blk_file rw_file_perms;
# HDIO_GETGEO needed to get the number of disk heads
# on vold_device. How quaint.
allowxperm sgdisk vold_device:blk_file ioctl { HDIO_GETGEO };
# sgdisk also uses BLKGETSIZE and BLKGETSIZE64. BLKGETSIZE64
# is granted to all block device users in domain.te, so
# no need to mention it here. sgdisk should not be
# using the BLKGETSIZE ioctl as it is useless for devices over
# 2T in size, but we allow it for now and hope that sgdisk
# will fix their bug.
allowxperm sgdisk vold_device:blk_file ioctl { BLKGETSIZE };
# Force a re-read of the partition table.
allowxperm sgdisk vold_device:blk_file ioctl { BLKRRPART };
# Allow reading of the physical block size.
allowxperm sgdisk vold_device:blk_file ioctl { BLKPBSZGET };

# Inherit and use pty created by android_fork_execvp()
allow sgdisk devpts:chr_file { read write ioctl getattr };

# Allow stdin/out back to vold
allow sgdisk vold:fd use;
allow sgdisk vold:fifo_file { read write getattr };

# Used to probe kernel to reload partition tables
allow sgdisk self:global_capability_class_set sys_admin;

# Only allow entry from vold
neverallow { domain -vold } sgdisk:process transition;
neverallow * sgdisk:process dyntransition;
neverallow sgdisk { file_type fs_type -sgdisk_exec }:file entrypoint;
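# Added example, not part of the AOSP policy: a small Python checker that resolves the ioctl
# names granted above to their Linux command numbers and shows which 16-bit value the SELinux
# xperm filter actually matches, so a reviewer can map an audit denial's ioctlcmd to this file.
# The POLICY string is a constructed excerpt of the allowxperm lines; BLKGETSIZE64 is included
# to show that, as the comment says, this file alone does not grant it.

```python
import re

# Constructed sample: the ioctl grants from the sgdisk policy above.
POLICY = """
allowxperm sgdisk vold_device:blk_file ioctl { HDIO_GETGEO };
allowxperm sgdisk vold_device:blk_file ioctl { BLKGETSIZE };
allowxperm sgdisk vold_device:blk_file ioctl { BLKRRPART };
allowxperm sgdisk vold_device:blk_file ioctl { BLKPBSZGET };
"""

_IOC_NONE, _IOC_READ = 0, 2

def _ioc(direction, typ, nr, size):
    """Mirror the kernel _IOC() macro from <asm-generic/ioctl.h>."""
    return (direction << 30) | (size << 16) | (typ << 8) | nr

# Command numbers from <linux/fs.h> and <linux/hdreg.h>. BLKGETSIZE64 carries
# sizeof(size_t), so its full value differs between 32- and 64-bit ABIs, but
# its low 16 bits (what SELinux matches) are the same on both.
IOCTLS = {
    "HDIO_GETGEO": 0x0301,
    "BLKRRPART": _ioc(_IOC_NONE, 0x12, 95, 0),      # 0x125f
    "BLKGETSIZE": _ioc(_IOC_NONE, 0x12, 96, 0),     # 0x1260
    "BLKGETSIZE64": _ioc(_IOC_READ, 0x12, 114, 8),  # 0x80081272 on LP64
    "BLKPBSZGET": _ioc(_IOC_NONE, 0x12, 123, 0),    # 0x127b
}

ALLOWXPERM_RE = re.compile(
    r"^\s*allowxperm\s+(\w+)\s+(\w+):(\w+)\s+ioctl\s+\{([^}]*)\}\s*;", re.M)

def granted_xperms(policy_text, source, target, tclass):
    """Set of 16-bit ioctl xperm values the policy grants source on target:tclass."""
    perms = set()
    for src, tgt, cls, names in ALLOWXPERM_RE.findall(policy_text):
        if (src, tgt, cls) == (source, target, tclass):
            # SELinux keys the xperm filter on the low 16 bits (type and nr)
            # of the ioctl command; the direction and size fields are ignored.
            perms.update(IOCTLS[name] & 0xFFFF for name in names.split())
    return perms

def ioctl_allowed(policy_text, source, target, tclass, cmd):
    """True if the full ioctl command cmd passes the allowxperm filter."""
    # Models only the xperm layer; the base 'ioctl' permission on the class
    # (rw_file_perms in the policy above) must also be granted.
    return (cmd & 0xFFFF) in granted_xperms(policy_text, source, target, tclass)

if __name__ == "__main__":
    for name, cmd in IOCTLS.items():
        ok = ioctl_allowed(POLICY, "sgdisk", "vold_device", "blk_file", cmd)
        print(f"{name:13s} cmd=0x{cmd:08x} xperm=0x{cmd & 0xFFFF:04x} allowed={ok}")
```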