# Domain for the blkid helper that vold runs.
type blkid, domain, domain_deprecated;
type blkid_exec, exec_type, file_type;

# Read-only access to the encrypted block devices, so that blkid can
# extract the UUID/label. Only r_file_perms is granted on the device nodes;
# nothing in this file grants write access to them.
allow blkid block_device:dir search;
allow blkid { userdata_block_device dm_device }:blk_file r_file_perms;

# stdin/stdout go back to vold: use the descriptors inherited from vold
# and the pipes behind them.
allow blkid vold:fd use;
allow blkid vold:fifo_file { getattr read write };

# blkid is launched through popen(), so the domain must be able to read
# and execute its own binary.
allow blkid blkid_exec:file rx_file_perms;

# Assertions that keep vold as the only way into this domain.
# neverallow rules grant nothing; they make the policy build fail if any
# allow rule elsewhere contradicts them.
# NOTE(review): the rule that performs the vold -> blkid transition is not
# in this file.
neverallow { domain -vold } blkid:process transition;
neverallow * blkid:process dyntransition;
# Entry is limited to blkid_exec, with shell_exec left out of the assertion.
# NOTE(review): presumably the shell_exec exception exists because popen()
# starts the command through the shell - confirm, and keep the set of
# permitted entrypoints this small.
neverallow blkid { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;