1# Any fsck program run on untrusted block devices 2type fsck_untrusted, domain; 3 4# Inherit and use pty created by android_fork_execvp_ext(). 5allow fsck_untrusted devpts:chr_file { read write ioctl getattr }; 6 7# Allow stdin/out back to vold 8allow fsck_untrusted vold:fd use; 9allow fsck_untrusted vold:fifo_file { read write getattr }; 10 11# Run fsck on vold block devices 12allow fsck_untrusted block_device:dir search; 13allow fsck_untrusted vold_device:blk_file rw_file_perms; 14 15r_dir_file(fsck_untrusted, proc) 16 17# To determine if it is safe to run fsck on a filesystem, e2fsck 18# must first determine if the filesystem is mounted. To do that, 19# e2fsck scans through /proc/mounts and collects all the mounted 20# block devices. With that information, it runs stat() on each block 21# device, comparing the major and minor numbers to the filesystem 22# passed in on the command line. If there is a match, then the filesystem 23# is currently mounted and running fsck is dangerous. 24# Allow stat access to all block devices so that fsck can compare 25# major/minor values. 26allow fsck_untrusted dev_type:blk_file getattr; 27 28### 29### neverallow rules 30### 31 32# Untrusted fsck should never be run on block devices holding sensitive data 33neverallow fsck_untrusted { 34 boot_block_device 35 frp_block_device 36 metadata_block_device 37 recovery_block_device 38 root_block_device 39 swap_block_device 40 system_block_device 41 userdata_block_device 42 cache_block_device 43 dm_device 44}:blk_file no_rw_file_perms; 45 46# Only allow entry from vold via fsck binaries 47neverallow { domain -vold } fsck_untrusted:process transition; 48neverallow * fsck_untrusted:process dyntransition; 49neverallow fsck_untrusted { file_type fs_type -fsck_exec }:file entrypoint; 50