From 832f8af08bfb8eea063ee04aceaf2784642aa51c Mon Sep 17 00:00:00 2001
From: Tao Bao <tbao@google.com>
Date: Tue, 15 Jan 2019 16:08:09 -0800
Subject: [PATCH] recovery: Address the ioctl denials during wiping.

avc:  denied  { ioctl } for  pid=599 comm="mke2fs" path="/dev/block/sda13" dev="tmpfs" ino=18975 ioctlcmd=127b scontext=u:r:recovery:s0 tcontext=u:object_r:userdata_block_device:s0 tclass=blk_file
avc:  denied  { ioctl } for  pid=587 comm="mke2fs" path="/dev/block/sda20" dev="tmpfs" ino=17931 ioctlcmd=0x127b scontext=u:r:recovery:s0 tcontext=u:object_r:metadata_block_device:s0 tclass=blk_file

0x127b (BLKPBSZGET) is issued by mke2fs to query the physical sector
size. Although the denial is currently non-fatal, as mke2fs falls back
to using the logical sector size, it might lead to undesired results in
the future.

Test: Factory reset on taimen and blueline respectively.
Change-Id: I14fc6593aeae309c79f5eadcffc8158b0a2ab2f6
---
 public/recovery.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/public/recovery.te b/public/recovery.te
index 6cb391c40..12eadee83 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -85,6 +85,7 @@ recovery_only(`
   allow recovery device:dir r_dir_perms;
   allow recovery block_device:dir r_dir_perms;
   allow recovery dev_type:blk_file rw_file_perms;
+  allowxperm recovery { userdata_block_device metadata_block_device }:blk_file ioctl BLKPBSZGET;
 
   # GUI
   allow recovery graphics_device:chr_file rw_file_perms;
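Review bot: The added `allowxperm` line after `allow recovery dev_type:blk_file rw_file_perms;` has no comment explaining why recovery needs BLKPBSZGET, so the reason is recorded only in the commit message. Add a comment above it such as `# mke2fs queries the physical sector size (BLKPBSZGET) when wiping userdata/metadata.` Scoping the grant to two target types and a single ioctl command keeps it least-privilege. If recovery runs mke2fs on any other partition type (not visible in this hunk), that type would presumably still log the same denial, so confirm the type list is complete rather than later widening it to `dev_type`. The `recovery_only` block starts and ends outside the hunk.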
-- 
GitLab