# Any fsck program run by init type fsck, domain; type fsck_exec, exec_type, file_type; # /dev/__null__ created by init prior to policy load, # open fd inherited by fsck. allow fsck tmpfs:chr_file { read write ioctl }; # Inherit and use pty created by android_fork_execvp_ext(). allow fsck devpts:chr_file { read write ioctl getattr }; # Allow stdin/out back to vold allow fsck vold:fd use; allow fsck vold:fifo_file { read write getattr }; # Run fsck on certain block devices allow fsck block_device:dir search; allow fsck userdata_block_device:blk_file rw_file_perms; allow fsck cache_block_device:blk_file rw_file_perms; allow fsck dm_device:blk_file rw_file_perms; # To determine if it is safe to run fsck on a filesystem, e2fsck # must first determine if the filesystem is mounted. To do that, # e2fsck scans through /proc/mounts and collects all the mounted # block devices. With that information, it runs stat() on each block # device, comparing the major and minor numbers to the filesystem # passed in on the command line. If there is a match, then the filesystem # is currently mounted and running fsck is dangerous. # Allow stat access to all block devices so that fsck can compare # major/minor values. allow fsck dev_type:blk_file getattr; r_dir_file(fsck, proc) allow fsck rootfs:dir r_dir_perms; ### ### neverallow rules ### # fsck should never be run on these block devices neverallow fsck { boot_block_device frp_block_device metadata_block_device recovery_block_device root_block_device swap_block_device system_block_device vold_device }:blk_file no_rw_file_perms; # Only allow entry from init or vold via fsck binaries neverallow { domain -init -vold } fsck:process transition; neverallow * fsck:process dyntransition; neverallow fsck { file_type fs_type -fsck_exec }:file entrypoint;