am e491020f: Don\'t run fsck on certain block devices

* commit 'e491020f': Don't run fsck on certain block devices

am e491020f: Don\'t run fsck on certain block devices
* commit 'e491020f': Don't run fsck on certain block devices
c104cb6d · Nick Kralevich · Android Git Automerger · 64a8ede4 · e491020f · c104cb6d
Commit c104cb6d authored 10 years ago by Nick Kralevich Committed by Android Git Automerger 10 years ago
--- a/fsck.te
+++ b/fsck.te
@@ -16,6 +16,21 @@ allow fsck block_device:dir search;
 allow fsck userdata_block_device:blk_file rw_file_perms;
 allow fsck cache_block_device:blk_file rw_file_perms;
+###
+### neverallow rules
+###
+# fsck should never be run on these block devices
+neverallow fsck {
+  boot_block_device
+  frp_block_device
+  metadata_block_device
+  recovery_block_device
+  root_block_device
+  swap_block_device
+  system_block_device
+}:blk_file no_rw_file_perms;
 # Only allow entry from init via the e2fsck binary.
 neverallow { domain -init } fsck:process transition;
 neverallow domain fsck:process dyntransition;