Commit 787fc8d0 authored by Nick Kralevich's avatar Nick Kralevich

vold.te: allow BLKSECDISCARD

vold needs to securely delete content from various block devices. Allow
it.

Addresses the following denials:

type=1400 audit(0.0:66): avc: denied { ioctl } for comm="secdiscard" path="/dev/block/dm-3" dev="tmpfs" ino=17945 ioctlcmd=0x127d scontext=u:r:vold:s0 tcontext=u:object_r:dm_device:s0 tclass=blk_file permissive=0
type=1400 audit(0.0:43): avc: denied { ioctl } for comm="secdiscard" path="/dev/block/sda45" dev="tmpfs" ino=17485 ioctlcmd=127d scontext=u:r:vold:s0 tcontext=u:object_r:userdata_block_device:s0 tclass=blk_file permissive=0

Test: policy compiles.
Change-Id: Ie7b4b8ac4698d9002a4e8d142d4e463f8d42899a
parent 962ad6fe
...@@ -103,6 +103,7 @@ allowxperm vold loop_device:blk_file ioctl LOOP_GET_STATUS64; ...@@ -103,6 +103,7 @@ allowxperm vold loop_device:blk_file ioctl LOOP_GET_STATUS64;
allow vold vold_device:blk_file { create setattr unlink rw_file_perms }; allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
allow vold dm_device:chr_file rw_file_perms; allow vold dm_device:chr_file rw_file_perms;
allow vold dm_device:blk_file rw_file_perms; allow vold dm_device:blk_file rw_file_perms;
allowxperm vold dm_device:blk_file ioctl BLKSECDISCARD;
# For vold Process::killProcessesWithOpenFiles function. # For vold Process::killProcessesWithOpenFiles function.
allow vold domain:dir r_dir_perms; allow vold domain:dir r_dir_perms;
allow vold domain:{ file lnk_file } r_file_perms; allow vold domain:{ file lnk_file } r_file_perms;
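Review bot: the new `allowxperm vold dm_device:blk_file ioctl BLKSECDISCARD;` line has no comment explaining why vold needs it, while the neighbouring rules in this file do (e.g. `# For vold Process::killProcessesWithOpenFiles function.`); consider adding a one-line comment such as `# Secure deletion of key material (secdiscard).` above it so the rule can be audited later without consulting the commit history. The command number itself checks out: the denial reports `ioctlcmd=0x127d`, which is `_IO(0x12, 125)`, i.e. BLKSECDISCARD, and using allowxperm to grant that single ioctl rather than the whole ioctl permission is the right shape for this rule.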
...@@ -186,6 +187,7 @@ full_treble_only(`hal_client_domain(vold, hal_bootctl)') ...@@ -186,6 +187,7 @@ full_treble_only(`hal_client_domain(vold, hal_bootctl)')
# Access userdata block device. # Access userdata block device.
allow vold userdata_block_device:blk_file rw_file_perms; allow vold userdata_block_device:blk_file rw_file_perms;
allowxperm vold userdata_block_device:blk_file ioctl BLKSECDISCARD;
# Access metadata block device used for encryption meta-data. # Access metadata block device used for encryption meta-data.
allow vold metadata_block_device:blk_file rw_file_perms; allow vold metadata_block_device:blk_file rw_file_perms;
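Review bot: same comment request for `allowxperm vold userdata_block_device:blk_file ioctl BLKSECDISCARD;` as for the dm_device rule above, since the existing `# Access userdata block device.` comment does not say why the secure-discard ioctl is needed. On testing, the commit message only states "policy compiles"; the two denials quoted in the message (`path="/dev/block/dm-3"` and `path="/dev/block/sda45"`, both `comm="secdiscard"`) give a concrete functional check, so it would be worth noting that `secdiscard` was re-run on a device with the new policy and that no `avc: denied { ioctl }` with `ioctlcmd=127d` remains in the audit log.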