1# Any fsck program run by init 2type fsck, domain; 3type fsck_exec, exec_type, file_type; 4 5init_daemon_domain(fsck) 6 7# /dev/__null__ created by init prior to policy load, 8# open fd inherited by fsck. 9allow fsck tmpfs:chr_file { read write ioctl }; 10 11# Inherit and use pty created by android_fork_execvp_ext(). 12allow fsck devpts:chr_file { read write ioctl getattr }; 13 14# Allow stdin/out back to vold 15allow fsck vold:fd use; 16allow fsck vold:fifo_file { read write getattr }; 17 18# Run fsck on certain block devices 19allow fsck block_device:dir search; 20allow fsck userdata_block_device:blk_file rw_file_perms; 21allow fsck cache_block_device:blk_file rw_file_perms; 22allow fsck dm_device:blk_file rw_file_perms; 23 24### 25### neverallow rules 26### 27 28# fsck should never be run on these block devices 29neverallow fsck { 30 boot_block_device 31 frp_block_device 32 metadata_block_device 33 recovery_block_device 34 root_block_device 35 swap_block_device 36 system_block_device 37 vold_device 38}:blk_file no_rw_file_perms; 39 40# Only allow entry from init or vold via fsck binaries 41neverallow { domain -init -vold } fsck:process transition; 42neverallow domain fsck:process dyntransition; 43neverallow fsck { file_type fs_type -fsck_exec }:file entrypoint; 44