From 392ac0fd5395483264f5319ee9f11f50a032e57d Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Mon, 22 Oct 2018 10:01:10 -0700
Subject: [PATCH] fastbootd.te: Delete allowxperm statement

system/sepolicy commit 4c8eaba75a, reviewed in
https://android-review.googlesource.com/c/platform/system/sepolicy/+/793958
started enforcing explicit ioctl permission checks for all block device
files. As part of that commit, the following lines were added to
domain.te:

  # If a domain has access to perform an ioctl on a block device, allow these
  # very common, benign ioctls
  allowxperm domain dev_type:blk_file ioctl { BLKGETSIZE64 BLKSSZGET };

In essence, if a domain is granted ioctl access to any device in
policy (for example, via adding "ioctl" to the allow rule, or by using
the macro "r_file_perms" which includes the ioctl permission), then the
two ioctls BLKGETSIZE64 and BLKSSZGET will be automatically allowed. As
such, it is redundent for a domain to explicitly request these two
ioctls.

Delete the now redundant allowxperm rule.

Test: policy compiles
Change-Id: I1964ed93a7c7601393cc9e2416f3640ea22db51b
---
 public/fastbootd.te | 7 -------
 1 file changed, 7 deletions(-)

diff --git a/public/fastbootd.te b/public/fastbootd.te
index b7e5fe132..783d2bd4b 100644
--- a/public/fastbootd.te
+++ b/public/fastbootd.te
@@ -47,13 +47,6 @@ recovery_only(`
     userdata_block_device
   }:blk_file { w_file_perms getattr ioctl };
 
-  allowxperm fastbootd {
-    boot_block_device
-    metadata_block_device
-    system_block_device
-    userdata_block_device
-  }:blk_file ioctl { BLKGETSIZE64 };
-
   allowxperm fastbootd {
     metadata_block_device
     userdata_block_device
-- 
GitLab