1*e4a36f41SAndroid Build Coastguard Workertypeattribute sgdisk coredomain; 2*e4a36f41SAndroid Build Coastguard Worker 3*e4a36f41SAndroid Build Coastguard Worker# Allowed to read/write low-level partition tables 4*e4a36f41SAndroid Build Coastguard Workerallow sgdisk block_device:dir search; 5*e4a36f41SAndroid Build Coastguard Workerallow sgdisk vold_device:blk_file rw_file_perms; 6*e4a36f41SAndroid Build Coastguard Worker# HDIO_GETGEO needed to get the number of disk heads 7*e4a36f41SAndroid Build Coastguard Worker# on vold_device. How quaint. 8*e4a36f41SAndroid Build Coastguard Workerallowxperm sgdisk vold_device:blk_file ioctl { HDIO_GETGEO }; 9*e4a36f41SAndroid Build Coastguard Worker# sgdisk also uses BLKGETSIZE and BLKGETSIZE64. BLKGETSIZE64 10*e4a36f41SAndroid Build Coastguard Worker# is granted to all block device users in domain.te, so 11*e4a36f41SAndroid Build Coastguard Worker# no need to mention it here. sgdisk should not be 12*e4a36f41SAndroid Build Coastguard Worker# using the BLKGETSIZE ioctl as it is useless for devices over 13*e4a36f41SAndroid Build Coastguard Worker# 2T in size, but we allow it for now and hope that sgdisk 14*e4a36f41SAndroid Build Coastguard Worker# will fix their bug. 15*e4a36f41SAndroid Build Coastguard Workerallowxperm sgdisk vold_device:blk_file ioctl { BLKGETSIZE }; 16*e4a36f41SAndroid Build Coastguard Worker# Force a re-read of the partition table. 17*e4a36f41SAndroid Build Coastguard Workerallowxperm sgdisk vold_device:blk_file ioctl { BLKRRPART }; 18*e4a36f41SAndroid Build Coastguard Worker# Allow reading of the physical block size. 19*e4a36f41SAndroid Build Coastguard Workerallowxperm sgdisk vold_device:blk_file ioctl { BLKPBSZGET }; 20*e4a36f41SAndroid Build Coastguard Worker 21*e4a36f41SAndroid Build Coastguard Worker# Inherit and use pty created by android_fork_execvp() 22*e4a36f41SAndroid Build Coastguard Workerallow sgdisk devpts:chr_file { read write ioctl getattr }; 23*e4a36f41SAndroid Build Coastguard Worker 24*e4a36f41SAndroid Build Coastguard Worker# Allow stdin/out back to vold 25*e4a36f41SAndroid Build Coastguard Workerallow sgdisk vold:fd use; 26*e4a36f41SAndroid Build Coastguard Workerallow sgdisk vold:fifo_file { read write getattr }; 27*e4a36f41SAndroid Build Coastguard Worker 28*e4a36f41SAndroid Build Coastguard Worker# Used to probe kernel to reload partition tables 29*e4a36f41SAndroid Build Coastguard Workerallow sgdisk self:global_capability_class_set sys_admin; 30*e4a36f41SAndroid Build Coastguard Worker 31*e4a36f41SAndroid Build Coastguard Worker### 32*e4a36f41SAndroid Build Coastguard Worker### Neverallow rules 33*e4a36f41SAndroid Build Coastguard Worker### 34*e4a36f41SAndroid Build Coastguard Worker 35*e4a36f41SAndroid Build Coastguard Worker# Only allow entry from vold 36*e4a36f41SAndroid Build Coastguard Workerneverallow { domain -vold } sgdisk:process transition; 37*e4a36f41SAndroid Build Coastguard Workerneverallow * sgdisk:process dyntransition; 38*e4a36f41SAndroid Build Coastguard Workerneverallow sgdisk { file_type fs_type -sgdisk_exec }:file entrypoint; 39