1typeattribute sgdisk coredomain; 2 3# Allowed to read/write low-level partition tables 4allow sgdisk block_device:dir search; 5allow sgdisk vold_device:blk_file rw_file_perms; 6# HDIO_GETGEO needed to get the number of disk heads 7# on vold_device. How quaint. 8allowxperm sgdisk vold_device:blk_file ioctl { HDIO_GETGEO }; 9# sgdisk also uses BLKGETSIZE and BLKGETSIZE64. BLKGETSIZE64 10# is granted to all block device users in domain.te, so 11# no need to mention it here. sgdisk should not be 12# using the BLKGETSIZE ioctl as it is useless for devices over 13# 2T in size, but we allow it for now and hope that sgdisk 14# will fix their bug. 15allowxperm sgdisk vold_device:blk_file ioctl { BLKGETSIZE }; 16# Force a re-read of the partition table. 17allowxperm sgdisk vold_device:blk_file ioctl { BLKRRPART }; 18# Allow reading of the physical block size. 19allowxperm sgdisk vold_device:blk_file ioctl { BLKPBSZGET }; 20 21# Inherit and use pty created by android_fork_execvp() 22allow sgdisk devpts:chr_file { read write ioctl getattr }; 23 24# Allow stdin/out back to vold 25allow sgdisk vold:fd use; 26allow sgdisk vold:fifo_file { read write getattr }; 27 28# Used to probe kernel to reload partition tables 29allow sgdisk self:global_capability_class_set sys_admin; 30 31### 32### Neverallow rules 33### 34 35# Only allow entry from vold 36neverallow { domain -vold } sgdisk:process transition; 37neverallow * sgdisk:process dyntransition; 38neverallow sgdisk { file_type fs_type -sgdisk_exec }:file entrypoint; 39