-
Stephen Smalley authored
Addresses denials such as: avc: denied { search } for pid=143 comm="e2fsck" name="block" dev="tmpfs" ino=5987 scontext=u:r:fsck:s0 tcontext=u:object_r:block_device:s0 tclass=dir Change-Id: Ieb72fc5e28146530c2f3b235ce74f2f397e49c56 Signed-off-by:Stephen Smalley <sds@tycho.nsa.gov>
Stephen Smalley authoredAddresses denials such as: avc: denied { search } for pid=143 comm="e2fsck" name="block" dev="tmpfs" ino=5987 scontext=u:r:fsck:s0 tcontext=u:object_r:block_device:s0 tclass=dir Change-Id: Ieb72fc5e28146530c2f3b235ce74f2f397e49c56 Signed-off-by:
fsck.te 777 B
# e2fsck or any other fsck program run by init.
type fsck, domain;
type fsck_exec, exec_type, file_type;
init_daemon_domain(fsck)
# /dev/__null__ created by init prior to policy load,
# open fd inherited by fsck.
allow fsck tmpfs:chr_file { read write ioctl };
# Inherit and use pty created by android_fork_execvp_ext().
allow fsck devpts:chr_file { read write ioctl getattr };
# Run e2fsck on block devices.
allow fsck block_device:dir search;
allow fsck userdata_block_device:blk_file rw_file_perms;
allow fsck cache_block_device:blk_file rw_file_perms;
# Only allow entry from init via the e2fsck binary.
neverallow { domain -init } fsck:process transition;
neverallow domain fsck:process dyntransition;
neverallow fsck { file_type fs_type -fsck_exec}:file entrypoint;