# blkid for untrusted block devices

typeattribute blkid_untrusted coredomain;

# Allowed read-only access to vold block devices to extract UUID/label
allow blkid_untrusted block_device:dir search;
allow blkid_untrusted vold_device:blk_file r_file_perms;

# Allow stdin/out back to vold
allow blkid_untrusted vold:fd use;
allow blkid_untrusted vold:fifo_file { read write getattr };

# For blkid launched through popen()
allow blkid_untrusted blkid_exec:file rx_file_perms;

###
### neverallow rules
###

# Untrusted blkid should never be run on block devices holding sensitive data
neverallow blkid_untrusted {
  boot_block_device
  frp_block_device
  metadata_block_device
  recovery_block_device
  root_block_device
  swap_block_device
  system_block_device
  userdata_block_device
  cache_block_device
  dm_device
}:blk_file no_rw_file_perms;

# Only allow entry from vold via blkid binary
neverallow { domain -vold } blkid_untrusted:process transition;
neverallow * blkid_untrusted:process dyntransition;
neverallow blkid_untrusted { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;