1# sgdisk called from vold 2type sgdisk, domain; 3type sgdisk_exec, system_file_type, exec_type, file_type; 4 5# Allowed to read/write low-level partition tables 6allow sgdisk block_device:dir search; 7allow sgdisk vold_device:blk_file rw_file_perms; 8# HDIO_GETGEO needed to get the number of disk heads 9# on vold_device. How quaint. 10allowxperm sgdisk vold_device:blk_file ioctl { HDIO_GETGEO }; 11# sgdisk also uses BLKGETSIZE and BLKGETSIZE64. BLKGETSIZE64 12# is granted to all block device users in domain.te, so 13# no need to mention it here. sgdisk should not be 14# using the BLKGETSIZE ioctl as it is useless for devices over 15# 2T in size, but we allow it for now and hope that sgdisk 16# will fix their bug. 17allowxperm sgdisk vold_device:blk_file ioctl { BLKGETSIZE }; 18# Force a re-read of the partition table. 19allowxperm sgdisk vold_device:blk_file ioctl { BLKRRPART }; 20 21# Inherit and use pty created by android_fork_execvp() 22allow sgdisk devpts:chr_file { read write ioctl getattr }; 23 24# Allow stdin/out back to vold 25allow sgdisk vold:fd use; 26allow sgdisk vold:fifo_file { read write getattr }; 27 28# Used to probe kernel to reload partition tables 29allow sgdisk self:global_capability_class_set sys_admin; 30 31# Only allow entry from vold 32neverallow { domain -vold } sgdisk:process transition; 33neverallow * sgdisk:process dyntransition; 34neverallow sgdisk { file_type fs_type -sgdisk_exec }:file entrypoint; 35