• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1# Any fsck program run by init
2type fsck, domain, domain_deprecated;
3type fsck_exec, exec_type, file_type;
4
5init_daemon_domain(fsck)
6
7# /dev/__null__ created by init prior to policy load,
8# open fd inherited by fsck.
9allow fsck tmpfs:chr_file { read write ioctl };
10
11# Inherit and use pty created by android_fork_execvp_ext().
12allow fsck devpts:chr_file { read write ioctl getattr };
13
14# Allow stdin/out back to vold
15allow fsck vold:fd use;
16allow fsck vold:fifo_file { read write getattr };
17
18# Run fsck on certain block devices
19allow fsck block_device:dir search;
20allow fsck userdata_block_device:blk_file rw_file_perms;
21allow fsck cache_block_device:blk_file rw_file_perms;
22allow fsck dm_device:blk_file rw_file_perms;
23
24# fsck performs a stat() on swap to verify that it is a valid
25# swap device before setting the EXT2_MF_SWAP mount flag.
26allow fsck swap_block_device:blk_file getattr;
27
28###
29### neverallow rules
30###
31
32# fsck should never be run on these block devices
33neverallow fsck {
34  boot_block_device
35  frp_block_device
36  metadata_block_device
37  recovery_block_device
38  root_block_device
39  swap_block_device
40  system_block_device
41  vold_device
42}:blk_file no_rw_file_perms;
43
44# Only allow entry from init or vold via fsck binaries
45neverallow { domain -init -vold } fsck:process transition;
46neverallow * fsck:process dyntransition;
47neverallow fsck { file_type fs_type -fsck_exec }:file entrypoint;
48