From 7b5e82a82406c3497ff824e9182cc4d51bef0f90 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Tue, 23 Oct 2018 12:28:40 -0700
Subject: [PATCH] update_engine_common: expand default allowed ioctl list

update_engine does a lot to keep partitions secure and tidy. Allow the
ioctls necessary to allow that to happen.

Addresses the following denials:

update_engine: type=1400 audit(0.0:6): avc: denied { ioctl } for path="/dev/block/sda20" dev="tmpfs" ino=13850 ioctlcmd=1277 scontext=u:r:update_engine:s0 tcontext=u:object_r:boot_block_device:s0 tclass=blk_file permissive=0
update_engine: type=1400 audit(0.0:8): avc: denied { ioctl } for path="/dev/block/sda20" dev="tmpfs" ino=13850 ioctlcmd=127c scontext=u:r:update_engine:s0 tcontext=u:object_r:boot_block_device:s0 tclass=blk_file permissive=0
update_engine: type=1400 audit(0.0:9): avc: denied { ioctl } for path="/dev/block/sda20" dev="tmpfs" ino=13850 ioctlcmd=127f scontext=u:r:update_engine:s0 tcontext=u:object_r:boot_block_device:s0 tclass=blk_file permissive=0
update_engine: type=1400 audit(0.0:13): avc: denied { ioctl } for path="/dev/block/sda18" dev="tmpfs" ino=12601 ioctlcmd=127d scontext=u:r:update_engine:s0 tcontext=u:object_r:custom_ab_block_device:s0 tclass=blk_file permissive=0

Bug: 118319505
Test: policy compiles.
Change-Id: I424f2a13ced2324b4c0c35b0f510b9aea748d5aa
---
 public/update_engine_common.te | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index 3931468b2..ccc335206 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -9,8 +9,16 @@ allow update_engine_common boot_block_device:blk_file rw_file_perms;
 allow update_engine_common system_block_device:blk_file rw_file_perms;
 
 # Where ioctls are granted via standard allow rules to block devices,
-# automatically allow BLKROGET and BLKROSET.
-allowxperm update_engine_common dev_type:blk_file ioctl { BLKROGET BLKROSET };
+# automatically allow common ioctls that are generally needed by
+# update_engine.
+allowxperm update_engine_common dev_type:blk_file ioctl {
+  BLKDISCARD
+  BLKDISCARDZEROES
+  BLKROGET
+  BLKROSET
+  BLKSECDISCARD
+  BLKZEROOUT
+};
 
 # Allow to set recovery options in the BCB. Used to trigger factory reset when
 # the update to an older version (channel change) or incompatible version
-- 
GitLab