From 787fc8d0e67f63cb386f0b5754c22ade455839d1 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Tue, 23 Oct 2018 03:29:34 -0700
Subject: [PATCH] vold.te: allow BLKSECDISCARD

vold's secdiscard helper needs the BLKSECDISCARD ioctl to securely delete
content from device-mapper and userdata block devices. Allow it.

Addresses the following denials:

type=1400 audit(0.0:66): avc: denied { ioctl } for comm="secdiscard" path="/dev/block/dm-3" dev="tmpfs" ino=17945 ioctlcmd=0x127d scontext=u:r:vold:s0 tcontext=u:object_r:dm_device:s0 tclass=blk_file permissive=0
type=1400 audit(0.0:43): avc: denied { ioctl } for comm="secdiscard" path="/dev/block/sda45" dev="tmpfs" ino=17485 ioctlcmd=127d scontext=u:r:vold:s0 tcontext=u:object_r:userdata_block_device:s0 tclass=blk_file permissive=0

Test: policy compiles.
Change-Id: Ie7b4b8ac4698d9002a4e8d142d4e463f8d42899a
---
 public/vold.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/public/vold.te b/public/vold.te
index 764523991..5e8c34bc7 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -103,6 +103,7 @@ allowxperm vold loop_device:blk_file ioctl LOOP_GET_STATUS64;
 allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
 allow vold dm_device:chr_file rw_file_perms;
 allow vold dm_device:blk_file rw_file_perms;
+allowxperm vold dm_device:blk_file ioctl BLKSECDISCARD;
 # For vold Process::killProcessesWithOpenFiles function.
 allow vold domain:dir r_dir_perms;
 allow vold domain:{ file lnk_file } r_file_perms;
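Review bot: The new `allowxperm vold dm_device:blk_file ioctl BLKSECDISCARD;` line carries no explanatory comment, unlike the neighbouring rules in this file, and `dm_device` is the type for every device-mapper node rather than the single mapping the denial names. Since vold already holds `rw_file_perms` on `dm_device:blk_file` the extra ioctl does not widen what vold can overwrite, but a reader of the policy should not have to reconstruct that from the audit log; I would add `# vold's secdiscard helper issues BLKSECDISCARD on dm-crypt mappings (see denial for /dev/block/dm-3).` directly above the new line. The audit entries record the command as 0x127d, which matches BLKSECDISCARD, so the xperm name is the right one.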
@@ -186,6 +187,7 @@ full_treble_only(`hal_client_domain(vold, hal_bootctl)')
 
 # Access userdata block device.
 allow vold userdata_block_device:blk_file rw_file_perms;
+allowxperm vold userdata_block_device:blk_file ioctl BLKSECDISCARD;
 
 # Access metadata block device used for encryption meta-data.
 allow vold metadata_block_device:blk_file rw_file_perms;
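Review bot: The `allowxperm vold userdata_block_device:blk_file ioctl BLKSECDISCARD;` line covers only the ioctl seen in the denial (0x127d); if the secdiscard helper falls back to BLKDISCARD or BLKZEROOUT on a device that rejects secure discard, those commands would need their own `allowxperm` entries or the fallback path would be silently denied in enforcing mode. Both denials show `permissive=0`, so this path is failing on shipping builds today, yet the commit's Test line claims only that the policy compiles; please confirm on a device that secdiscard completes against the userdata partition without new avc entries. A one-line comment such as `# secdiscard: securely erase ranges of the userdata partition (BLKSECDISCARD, ioctl 0x127d).` above the new line would also keep the rule consistent with the commented rules around it.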
-- 