Diffstat (limited to 'blkid_untrusted.te')
-rw-r--r--blkid_untrusted.te36
1 files changed, 0 insertions, 36 deletions
diff --git a/blkid_untrusted.te b/blkid_untrusted.te
deleted file mode 100644
index da3bdac..0000000
--- a/blkid_untrusted.te
+++ /dev/null
@@ -1,36 +0,0 @@
-# blkid for untrusted block devices
-type blkid_untrusted, domain, domain_deprecated;
-
-# Allowed read-only access to vold block devices to extract UUID/label
-allow blkid_untrusted block_device:dir search;
-allow blkid_untrusted vold_device:blk_file r_file_perms;
-
-# Allow stdin/out back to vold
-allow blkid_untrusted vold:fd use;
-allow blkid_untrusted vold:fifo_file { read write getattr };
-
-# For blkid launched through popen()
-allow blkid_untrusted blkid_exec:file rx_file_perms;
-
-###
-### neverallow rules
-###
-
-# Untrusted blkid should never be run on block devices holding sensitive data
-neverallow blkid_untrusted {
- boot_block_device
- frp_block_device
- metadata_block_device
- recovery_block_device
- root_block_device
- swap_block_device
- system_block_device
- userdata_block_device
- cache_block_device
- dm_device
-}:blk_file no_rw_file_perms;
-
-# Only allow entry from vold via blkid binary
-neverallow { domain -vold } blkid_untrusted:process transition;
-neverallow * blkid_untrusted:process dyntransition;
-neverallow blkid_untrusted { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;