1# Any fsck program run by init 2type fsck, domain, domain_deprecated; 3type fsck_exec, exec_type, file_type; 4 5init_daemon_domain(fsck) 6 7# /dev/__null__ created by init prior to policy load, 8# open fd inherited by fsck. 9allow fsck tmpfs:chr_file { read write ioctl }; 10 11# Inherit and use pty created by android_fork_execvp_ext(). 12allow fsck devpts:chr_file { read write ioctl getattr }; 13 14# Allow stdin/out back to vold 15allow fsck vold:fd use; 16allow fsck vold:fifo_file { read write getattr }; 17 18# Run fsck on certain block devices 19allow fsck block_device:dir search; 20allow fsck userdata_block_device:blk_file rw_file_perms; 21allow fsck cache_block_device:blk_file rw_file_perms; 22allow fsck dm_device:blk_file rw_file_perms; 23 24# fsck performs a stat() on swap to verify that it is a valid 25# swap device before setting the EXT2_MF_SWAP mount flag. 26allow fsck swap_block_device:blk_file getattr; 27 28### 29### neverallow rules 30### 31 32# fsck should never be run on these block devices 33neverallow fsck { 34 boot_block_device 35 frp_block_device 36 metadata_block_device 37 recovery_block_device 38 root_block_device 39 swap_block_device 40 system_block_device 41 vold_device 42}:blk_file no_rw_file_perms; 43 44# Only allow entry from init or vold via fsck binaries 45neverallow { domain -init -vold } fsck:process transition; 46neverallow * fsck:process dyntransition; 47neverallow fsck { file_type fs_type -fsck_exec }:file entrypoint; 48