-
Alex Klyubin authored
This leaves only the existence of blkid and blkid_untrusted domains as public API. All other rules are implementation details of these domains' policy and are thus now private. Test: No change to policy according to sesearch, except for disappearance of all allow rules to do with blkid_current and blkid_untrusted_current (as expected). Bug: 31364497 Change-Id: I0dda2feeb64608b204006eecd8a7c9b9c7bb2b8183ac242f
blkid_untrusted.te 1.03 KiB
# blkid for untrusted block devices
# Allowed read-only access to vold block devices to extract UUID/label
allow blkid_untrusted block_device:dir search;
allow blkid_untrusted vold_device:blk_file r_file_perms;
# Allow stdin/out back to vold
allow blkid_untrusted vold:fd use;
allow blkid_untrusted vold:fifo_file { read write getattr };
# For blkid launched through popen()
allow blkid_untrusted blkid_exec:file rx_file_perms;
###
### neverallow rules
###
# Untrusted blkid should never be run on block devices holding sensitive data
neverallow blkid_untrusted {
boot_block_device
frp_block_device
metadata_block_device
recovery_block_device
root_block_device
swap_block_device
system_block_device
userdata_block_device
cache_block_device
dm_device
}:blk_file no_rw_file_perms;
# Only allow entry from vold via blkid binary
neverallow { domain -vold } blkid_untrusted:process transition;
neverallow * blkid_untrusted:process dyntransition;
neverallow blkid_untrusted { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;