xref: /aosp_15_r20/system/sepolicy/private/fsck_untrusted.te (revision e4a36f4174b17bbab9dc043f4a65dc8d87377290) 
1typeattribute fsck_untrusted coredomain;
2
3use_bootstrap_libs(fsck)
4
5# Inherit and use pty created by android_fork_execvp_ext().
6allow fsck_untrusted devpts:chr_file { read write ioctl getattr };
7
8# Allow stdin/out back to vold
9allow fsck_untrusted vold:fd use;
10allow fsck_untrusted vold:fifo_file { read write getattr };
11
12# Run fsck on vold block devices
13allow fsck_untrusted block_device:dir search;
14allow fsck_untrusted vold_device:blk_file rw_file_perms;
15
16allow fsck_untrusted proc_mounts:file r_file_perms;
17
18# To determine if it is safe to run fsck on a filesystem, e2fsck
19# must first determine if the filesystem is mounted. To do that,
20# e2fsck scans through /proc/mounts and collects all the mounted
21# block devices. With that information, it runs stat() on each block
22# device, comparing the major and minor numbers to the filesystem
23# passed in on the command line. If there is a match, then the filesystem
24# is currently mounted and running fsck is dangerous.
25# Allow stat access to all block devices so that fsck can compare
26# major/minor values.
27allow fsck_untrusted dev_type:blk_file getattr;
28
29###
30### neverallow rules
31###
32
33# Untrusted fsck should never be run on block devices holding sensitive data
34neverallow fsck_untrusted {
35  boot_block_device
36  frp_block_device
37  metadata_block_device
38  recovery_block_device
39  root_block_device
40  swap_block_device
41  system_block_device
42  userdata_block_device
43  cache_block_device
44  dm_device
45}:blk_file no_rw_file_perms;
46
47# Only allow entry from vold via fsck binaries
48neverallow { domain -vold } fsck_untrusted:process transition;
49neverallow * fsck_untrusted:process dyntransition;
50neverallow fsck_untrusted { file_type fs_type -fsck_exec }:file entrypoint;
51
52# fsck_untrusted should never have sys_admin permissions. If it requires sys_admin
53# permissions, that is a code mistake that needs to be fixed, not a permission that
54# should be granted. Same with setgid and setuid.
55neverallow fsck_untrusted self:global_capability_class_set { setgid setuid sys_admin };
56
57###
58### dontaudit rules
59###
60
61# Ignores attempts to access sysfs. fsck binaries seem to like trying to go
62# here, but nothing bad happens if they can't, and they shouldn't be allowed.
63dontaudit fsck_untrusted sysfs:file rw_file_perms;
64dontaudit fsck_untrusted sysfs_dm:file rw_file_perms;
65dontaudit fsck_untrusted sysfs_dm:dir rw_dir_perms;
66
67# Ignore attempts to access tmpfs. fsck don't need to do this.
68dontaudit fsck_untrusted tmpfs:lnk_file read;
69