• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1# sgdisk called from vold
2type sgdisk, domain;
3type sgdisk_exec, system_file_type, exec_type, file_type;
4
5# Allowed to read/write low-level partition tables
6allow sgdisk block_device:dir search;
7allow sgdisk vold_device:blk_file rw_file_perms;
8# HDIO_GETGEO needed to get the number of disk heads
9# on vold_device. How quaint.
10allowxperm sgdisk vold_device:blk_file ioctl { HDIO_GETGEO };
11# sgdisk also uses BLKGETSIZE and BLKGETSIZE64. BLKGETSIZE64
12# is granted to all block device users in domain.te, so
13# no need to mention it here. sgdisk should not be
14# using the BLKGETSIZE ioctl as it is useless for devices over
15# 2T in size, but we allow it for now and hope that sgdisk
16# will fix their bug.
17allowxperm sgdisk vold_device:blk_file ioctl { BLKGETSIZE };
18# Force a re-read of the partition table.
19allowxperm sgdisk vold_device:blk_file ioctl { BLKRRPART };
20# Allow reading of the physical block size.
21allowxperm sgdisk vold_device:blk_file ioctl { BLKPBSZGET };
22
23# Inherit and use pty created by android_fork_execvp()
24allow sgdisk devpts:chr_file { read write ioctl getattr };
25
26# Allow stdin/out back to vold
27allow sgdisk vold:fd use;
28allow sgdisk vold:fifo_file { read write getattr };
29
30# Used to probe kernel to reload partition tables
31allow sgdisk self:global_capability_class_set sys_admin;
32
33# Only allow entry from vold
34neverallow { domain -vold } sgdisk:process transition;
35neverallow * sgdisk:process dyntransition;
36neverallow sgdisk { file_type fs_type -sgdisk_exec }:file entrypoint;
37