1*e4a36f41SAndroid Build Coastguard Workertypeattribute fsck_untrusted coredomain; 2*e4a36f41SAndroid Build Coastguard Worker 3*e4a36f41SAndroid Build Coastguard Workeruse_bootstrap_libs(fsck) 4*e4a36f41SAndroid Build Coastguard Worker 5*e4a36f41SAndroid Build Coastguard Worker# Inherit and use pty created by android_fork_execvp_ext(). 6*e4a36f41SAndroid Build Coastguard Workerallow fsck_untrusted devpts:chr_file { read write ioctl getattr }; 7*e4a36f41SAndroid Build Coastguard Worker 8*e4a36f41SAndroid Build Coastguard Worker# Allow stdin/out back to vold 9*e4a36f41SAndroid Build Coastguard Workerallow fsck_untrusted vold:fd use; 10*e4a36f41SAndroid Build Coastguard Workerallow fsck_untrusted vold:fifo_file { read write getattr }; 11*e4a36f41SAndroid Build Coastguard Worker 12*e4a36f41SAndroid Build Coastguard Worker# Run fsck on vold block devices 13*e4a36f41SAndroid Build Coastguard Workerallow fsck_untrusted block_device:dir search; 14*e4a36f41SAndroid Build Coastguard Workerallow fsck_untrusted vold_device:blk_file rw_file_perms; 15*e4a36f41SAndroid Build Coastguard Worker 16*e4a36f41SAndroid Build Coastguard Workerallow fsck_untrusted proc_mounts:file r_file_perms; 17*e4a36f41SAndroid Build Coastguard Worker 18*e4a36f41SAndroid Build Coastguard Worker# To determine if it is safe to run fsck on a filesystem, e2fsck 19*e4a36f41SAndroid Build Coastguard Worker# must first determine if the filesystem is mounted. To do that, 20*e4a36f41SAndroid Build Coastguard Worker# e2fsck scans through /proc/mounts and collects all the mounted 21*e4a36f41SAndroid Build Coastguard Worker# block devices. With that information, it runs stat() on each block 22*e4a36f41SAndroid Build Coastguard Worker# device, comparing the major and minor numbers to the filesystem 23*e4a36f41SAndroid Build Coastguard Worker# passed in on the command line. If there is a match, then the filesystem 24*e4a36f41SAndroid Build Coastguard Worker# is currently mounted and running fsck is dangerous. 25*e4a36f41SAndroid Build Coastguard Worker# Allow stat access to all block devices so that fsck can compare 26*e4a36f41SAndroid Build Coastguard Worker# major/minor values. 27*e4a36f41SAndroid Build Coastguard Workerallow fsck_untrusted dev_type:blk_file getattr; 28*e4a36f41SAndroid Build Coastguard Worker 29*e4a36f41SAndroid Build Coastguard Worker### 30*e4a36f41SAndroid Build Coastguard Worker### neverallow rules 31*e4a36f41SAndroid Build Coastguard Worker### 32*e4a36f41SAndroid Build Coastguard Worker 33*e4a36f41SAndroid Build Coastguard Worker# Untrusted fsck should never be run on block devices holding sensitive data 34*e4a36f41SAndroid Build Coastguard Workerneverallow fsck_untrusted { 35*e4a36f41SAndroid Build Coastguard Worker boot_block_device 36*e4a36f41SAndroid Build Coastguard Worker frp_block_device 37*e4a36f41SAndroid Build Coastguard Worker metadata_block_device 38*e4a36f41SAndroid Build Coastguard Worker recovery_block_device 39*e4a36f41SAndroid Build Coastguard Worker root_block_device 40*e4a36f41SAndroid Build Coastguard Worker swap_block_device 41*e4a36f41SAndroid Build Coastguard Worker system_block_device 42*e4a36f41SAndroid Build Coastguard Worker userdata_block_device 43*e4a36f41SAndroid Build Coastguard Worker cache_block_device 44*e4a36f41SAndroid Build Coastguard Worker dm_device 45*e4a36f41SAndroid Build Coastguard Worker}:blk_file no_rw_file_perms; 46*e4a36f41SAndroid Build Coastguard Worker 47*e4a36f41SAndroid Build Coastguard Worker# Only allow entry from vold via fsck binaries 48*e4a36f41SAndroid Build Coastguard Workerneverallow { domain -vold } fsck_untrusted:process transition; 49*e4a36f41SAndroid Build Coastguard Workerneverallow * fsck_untrusted:process dyntransition; 50*e4a36f41SAndroid Build Coastguard Workerneverallow fsck_untrusted { file_type fs_type -fsck_exec }:file entrypoint; 51*e4a36f41SAndroid Build Coastguard Worker 52*e4a36f41SAndroid Build Coastguard Worker# fsck_untrusted should never have sys_admin permissions. If it requires sys_admin 53*e4a36f41SAndroid Build Coastguard Worker# permissions, that is a code mistake that needs to be fixed, not a permission that 54*e4a36f41SAndroid Build Coastguard Worker# should be granted. Same with setgid and setuid. 55*e4a36f41SAndroid Build Coastguard Workerneverallow fsck_untrusted self:global_capability_class_set { setgid setuid sys_admin }; 56*e4a36f41SAndroid Build Coastguard Worker 57*e4a36f41SAndroid Build Coastguard Worker### 58*e4a36f41SAndroid Build Coastguard Worker### dontaudit rules 59*e4a36f41SAndroid Build Coastguard Worker### 60*e4a36f41SAndroid Build Coastguard Worker 61*e4a36f41SAndroid Build Coastguard Worker# Ignores attempts to access sysfs. fsck binaries seem to like trying to go 62*e4a36f41SAndroid Build Coastguard Worker# here, but nothing bad happens if they can't, and they shouldn't be allowed. 63*e4a36f41SAndroid Build Coastguard Workerdontaudit fsck_untrusted sysfs:file rw_file_perms; 64*e4a36f41SAndroid Build Coastguard Workerdontaudit fsck_untrusted sysfs_dm:file rw_file_perms; 65*e4a36f41SAndroid Build Coastguard Workerdontaudit fsck_untrusted sysfs_dm:dir rw_dir_perms; 66*e4a36f41SAndroid Build Coastguard Worker 67*e4a36f41SAndroid Build Coastguard Worker# Ignore attempts to access tmpfs. fsck don't need to do this. 68*e4a36f41SAndroid Build Coastguard Workerdontaudit fsck_untrusted tmpfs:lnk_file read; 69