1# sgdisk called from vold 2type sgdisk, domain; 3type sgdisk_exec, system_file_type, exec_type, file_type; 4 5# Allowed to read/write low-level partition tables 6allow sgdisk block_device:dir search; 7allow sgdisk vold_device:blk_file rw_file_perms; 8# HDIO_GETGEO needed to get the number of disk heads 9# on vold_device. How quaint. 10allowxperm sgdisk vold_device:blk_file ioctl { HDIO_GETGEO }; 11# sgdisk also uses BLKGETSIZE and BLKGETSIZE64. BLKGETSIZE64 12# is granted to all block device users in domain.te, so 13# no need to mention it here. sgdisk should not be 14# using the BLKGETSIZE ioctl as it is useless for devices over 15# 2T in size, but we allow it for now and hope that sgdisk 16# will fix their bug. 17allowxperm sgdisk vold_device:blk_file ioctl { BLKGETSIZE }; 18# Force a re-read of the partition table. 19allowxperm sgdisk vold_device:blk_file ioctl { BLKRRPART }; 20# Allow reading of the physical block size. 21allowxperm sgdisk vold_device:blk_file ioctl { BLKPBSZGET }; 22 23# Inherit and use pty created by android_fork_execvp() 24allow sgdisk devpts:chr_file { read write ioctl getattr }; 25 26# Allow stdin/out back to vold 27allow sgdisk vold:fd use; 28allow sgdisk vold:fifo_file { read write getattr }; 29 30# Used to probe kernel to reload partition tables 31allow sgdisk self:global_capability_class_set sys_admin; 32 33# Only allow entry from vold 34neverallow { domain -vold } sgdisk:process transition; 35neverallow * sgdisk:process dyntransition; 36neverallow sgdisk { file_type fs_type -sgdisk_exec }:file entrypoint; 37