-
Nick Kralevich authored
Modify many "neverallow domain" rules to be "neverallow *" rules instead. This will catch more SELinux policy bugs where a label is assigned an irrelevant rule, as well as catch situations where a domain attribute is not assigned to a process. Change-Id: I5b83a2504c13b384f9dff616a70ca733b648ccdf
Nick Kralevich authoredModify many "neverallow domain" rules to be "neverallow *" rules instead. This will catch more SELinux policy bugs where a label is assigned an irrelevant rule, as well as catch situations where a domain attribute is not assigned to a process. Change-Id: I5b83a2504c13b384f9dff616a70ca733b648ccdf
blkid.te 708 B
# blkid called from vold
type blkid, domain, domain_deprecated;
type blkid_exec, exec_type, file_type;
# Allowed read-only access to encrypted devices to extract UUID/label
allow blkid block_device:dir search;
allow blkid userdata_block_device:blk_file r_file_perms;
allow blkid dm_device:blk_file r_file_perms;
# Allow stdin/out back to vold
allow blkid vold:fd use;
allow blkid vold:fifo_file { read write getattr };
# For blkid launched through popen()
allow blkid blkid_exec:file rx_file_perms;
# Only allow entry from vold
neverallow { domain -vold } blkid:process transition;
neverallow * blkid:process dyntransition;
neverallow blkid { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;