    start enforcing ioctl restrictions on blk_file · 4c8eaba7
    Nick Kralevich authored
    Start enforcing the use of ioctl restrictions on all Android block
    devices. Domains which perform ioctls on block devices must be explicit
    about what ioctls they issue. The only ioctls allowed by default are
    BLKGETSIZE64, BLKSSZGET, FIOCLEX, and FIONCLEX.
    
    Test: device boots and no problems.
    Change-Id: I1195756b20cf2b50bede1eb04a48145a97a35867
e2fs.te 775 B
# e2fs domain (presumably the ext4 userspace tools; confirm against the
# file_contexts entry for e2fs_exec) running as a core domain.
type e2fs, domain, coredomain;
type e2fs_exec, system_file_type, exec_type, file_type;

# Terminal I/O for tool output.
allow e2fs devpts:chr_file { read write getattr ioctl };

# Locate block devices under the block_device directory and stat any block node.
allow e2fs block_device:dir search;
allow e2fs dev_type:blk_file getattr;

# Read/write access is limited to the userdata and metadata partitions.
allow e2fs { userdata_block_device metadata_block_device }:blk_file rw_file_perms;

# The ioctl permission on blk_file is filtered by allowxperm. Beyond the
# policy-wide defaults (BLKGETSIZE64, BLKSSZGET, FIOCLEX, FIONCLEX), e2fs
# only needs the discard and geometry ioctls listed here; any other ioctl
# on these devices is denied.
allowxperm e2fs { userdata_block_device metadata_block_device }:blk_file ioctl {
  BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET
};

# Read-only views of the filesystem, mount and swap tables from /proc.
allow e2fs { proc_filesystems proc_mounts proc_swaps }:file r_file_perms;

# Read /sys/fs/ext4/features.
allow e2fs sysfs_fs_ext4_features:dir search;
allow e2fs sysfs_fs_ext4_features:file r_file_perms;

# Read SELinux context files.
allow e2fs file_contexts_file:file r_file_perms;