# blkid_untrusted: the blkid helper that vold spawns to probe untrusted
# block devices. It is a coredomain with a deliberately narrow surface:
# entered only from vold via the blkid binary, reads only vold-managed
# device nodes, and is explicitly barred from every sensitive block device.

typeattribute blkid_untrusted coredomain;

###
### Domain entry: only from vold, only through the blkid binary
###

# vold launches blkid through popen(); the binary must be readable and
# executable by the domain. The neverallow rules below pin this down as the
# (almost) sole entrypoint.
allow blkid_untrusted blkid_exec:file rx_file_perms;

# Nothing but vold may transition into this domain, no domain may
# dyntransition into it, and no file other than blkid_exec (shell_exec is
# also exempted) may serve as its entrypoint.
neverallow { domain -vold } blkid_untrusted:process transition;
neverallow * blkid_untrusted:process dyntransition;
neverallow blkid_untrusted { file_type fs_type -blkid_exec -shell_exec }:file entrypoint;

###
### Data access: read side only, and only vold-managed device nodes
###

# Look up the node under the block-device directory and read it to extract
# the UUID/label. r_file_perms is the read-side permission set; the domain
# gets no write permissions on the device.
allow blkid_untrusted block_device:dir search;
allow blkid_untrusted vold_device:blk_file r_file_perms;

# Talk back to vold over the popen() pipes: use vold's fds and read/write
# the fifo ends it hands over.
allow blkid_untrusted vold:fd use;
allow blkid_untrusted vold:fifo_file { read write getattr };

# Enumerated deny-list of block devices that hold system or user data: the
# untrusted helper must be unable to read or write any of them, regardless of
# what allow rules are added later. no_rw_file_perms covers both directions.
# NOTE(review): the list is explicit rather than attribute-derived, so a
# sensitive block-device type introduced later is only protected if it is
# added here.
neverallow blkid_untrusted {
    boot_block_device
    cache_block_device
    dm_device
    frp_block_device
    metadata_block_device
    recovery_block_device
    root_block_device
    swap_block_device
    system_block_device
    userdata_block_device
}:blk_file no_rw_file_perms;