xref: /aosp_15_r20/system/sepolicy/prebuilts/api/34.0/public/toolbox.te (revision e4a36f4174b17bbab9dc043f4a65dc8d87377290)
1# Any toolbox command run by init.
2# Do NOT use this domain for toolbox when run by any other domain.
# The neverallow rules further down in this file back this up: only init may
# transition into this domain, so other callers need a domain of their own.
3type toolbox, domain;
# Label for the toolbox binary. It is the only file type the entrypoint
# neverallow below leaves available as an entrypoint into the toolbox domain.
4type toolbox_exec, system_file_type, exec_type, file_type;
5
6# /dev/__null__ created by init prior to policy load,
7# open fd inherited by fsck.
# This rule covers use of the already-open descriptor only: it grants
# read/write/ioctl and does not grant open on tmpfs character devices.
8allow toolbox tmpfs:chr_file { read write ioctl };
9
10# Inherit and use pty created by android_fork_execvp_ext().
# As with the tmpfs rule above, open is not in the permission set: the pty is
# reached through the inherited fd, not opened by toolbox.
11allow toolbox devpts:chr_file { read write getattr ioctl };
12
13# mkswap-specific.
14# Read/write block devices used for swap partitions.
15# Assign the swap_block_device type to any such partition in your
16# device/<vendor>/<product>/sepolicy/file_contexts file.
# Only directory search is granted on block_device, so toolbox can look up a
# node by path but gets no access to generically labelled block devices here.
17allow toolbox block_device:dir search;
# Raw read/write is limited to nodes labelled swap_block_device. Labelling any
# other partition with this type would expose it to init-run toolbox commands.
18allow toolbox swap_block_device:blk_file rw_file_perms;
19
20# Only allow entry from init via the toolbox binary.
# neverallow rules grant nothing; they are assertions that make the policy
# build fail if any allow rule (including vendor additions) contradicts them.
# No domain other than init may transition into toolbox on exec.
21neverallow { domain -init } toolbox:process transition;
# No domain at all, init included, may enter toolbox via dyntransition.
22neverallow * toolbox:process dyntransition;
# toolbox_exec is the only file type that may serve as the domain entrypoint.
23neverallow toolbox { file_type fs_type -toolbox_exec}:file entrypoint;
24
25# rm -rf /data/per_boot
# NOTE(review): these rules match on labels, not paths, so they apply to every
# object labelled system_data_root_file / system_data_file, not only
# /data/per_boot. The exposure is bounded by the init-only entry rules above.
# Remove the per_boot entry from its parent directory.
26allow toolbox system_data_root_file:dir { remove_name write };
# Walk and delete directories in the tree.
27allow toolbox system_data_file:dir { rmdir rw_dir_perms };
# Files may be stat'ed and unlinked; no read/write/open on file contents.
28allow toolbox system_data_file:file { getattr unlink };
29
30# chattr +F /data/media in init
# Directory read access plus setattr; r_dir_perms is a macro defined outside
# this file (presumably it carries the ioctl permission that the allowxperm
# rule below narrows -- confirm against global_macros).
31allow toolbox media_userdir_file:dir { r_dir_perms setattr };
# Restrict ioctl on these directories to reading and setting inode flags, so
# no other ioctl command is permitted on media_userdir_file directories.
32allowxperm toolbox media_userdir_file:dir ioctl { FS_IOC_SETFLAGS FS_IOC_GETFLAGS };
33