1# Any fsck program run on untrusted block devices
2type fsck_untrusted, domain;
3
4# Inherit and use pty created by android_fork_execvp_ext().
5allow fsck_untrusted devpts:chr_file { read write ioctl getattr };
6
7# Allow stdin/out back to vold
8allow fsck_untrusted vold:fd use;
9allow fsck_untrusted vold:fifo_file { read write getattr };
10
11# Run fsck on vold block devices
12allow fsck_untrusted block_device:dir search;
13allow fsck_untrusted vold_device:blk_file rw_file_perms;
14
15allow fsck_untrusted proc_mounts:file r_file_perms;
16
17# To determine if it is safe to run fsck on a filesystem, e2fsck
18# must first determine if the filesystem is mounted. To do that,
19# e2fsck scans through /proc/mounts and collects all the mounted
20# block devices. With that information, it runs stat() on each block
21# device, comparing the major and minor numbers to the filesystem
22# passed in on the command line. If there is a match, then the filesystem
23# is currently mounted and running fsck is dangerous.
24# Allow stat access to all block devices so that fsck can compare
25# major/minor values.
26allow fsck_untrusted dev_type:blk_file getattr;
27
28###
29### neverallow rules
30###
31
32# Untrusted fsck should never be run on block devices holding sensitive data
33neverallow fsck_untrusted {
34  boot_block_device
35  frp_block_device
36  metadata_block_device
37  recovery_block_device
38  root_block_device
39  swap_block_device
40  system_block_device
41  userdata_block_device
42  cache_block_device
43  dm_device
44}:blk_file no_rw_file_perms;
45
46# Only allow entry from vold via fsck binaries
47neverallow { domain -vold } fsck_untrusted:process transition;
48neverallow * fsck_untrusted:process dyntransition;
49neverallow fsck_untrusted { file_type fs_type -fsck_exec }:file entrypoint;
50