Remove block_device:blk_file access from fsck.

Now that we have assigned specific types to userdata and cache block devices, we can remove the ability of fsck to run on other block devices. Change-Id: I8cfb3dc0e4ebe6b73346ff291ecb11397bb0c2d0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Remove block_device:blk_file access from fsck.
Now that we have assigned specific types to userdata and cache block devices, we can remove the ability of fsck to run on other block devices. Change-Id: I8cfb3dc0e4ebe6b73346ff291ecb11397bb0c2d0 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
3da1ffba · Stephen Smalley · Nick Kralevich · beb279c7 · 3da1ffba · 3da1ffba
Commit 3da1ffba authored 10 years ago by Stephen Smalley Committed by Nick Kralevich 10 years ago
--- a/domain.te
+++ b/domain.te
@@ -254,7 +254,7 @@ neverallow domain init:binder *;

 # Don't allow raw read/write/open access to block_device
 # Rather force a relabel to a more specific type
-neverallow { domain -kernel -init -recovery -vold -uncrypt -install_recovery -fsck } block_device:blk_file { open read write };
+neverallow { domain -kernel -init -recovery -vold -uncrypt -install_recovery } block_device:blk_file { open read write };

 # Don't allow raw read/write/open access to generic devices.
 # Rather force a relabel to a more specific type.

--- a/fsck.te
+++ b/fsck.te
@@ -13,10 +13,6 @@ allow fsck tmpfs:chr_file { read write ioctl };
 allow fsck devpts:chr_file { read write ioctl getattr };

 # Run e2fsck on block devices.
-# TODO:  Assign userdata and cache block device types to the corresponding
-# block devices in all device policies, and then remove access to
-# block_device:blk_file from here.
-allow fsck block_device:blk_file rw_file_perms;
 allow fsck userdata_block_device:blk_file rw_file_perms;
 allow fsck cache_block_device:blk_file rw_file_perms;