1# blkid called from vold 2 3typeattribute blkid coredomain; 4 5type blkid_exec, exec_type, file_type; 6 7# Allowed read-only access to encrypted devices to extract UUID/label 8allow blkid block_device:dir search; 9allow blkid userdata_block_device:blk_file r_file_perms; 10allow blkid dm_device:blk_file r_file_perms; 11 12# Allow stdin/out back to vold 13allow blkid vold:fd use; 14allow blkid vold:fifo_file { read write getattr }; 15 16# For blkid launched through popen() 17allow blkid blkid_exec:file rx_file_perms; 18 19# Only allow entry from vold 20neverallow { domain -vold } blkid:process transition; 21neverallow * blkid:process dyntransition; 22neverallow blkid { file_type fs_type -blkid_exec -shell_exec }:file entrypoint; 23