From 877b0860972bd24ab8977733cb243224cb7055f2 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Mon, 15 Oct 2018 06:14:08 -0700
Subject: [PATCH] vold: allow FS_IOC_FIEMAP

This is needed to find the file on the raw block device, so it can be
securely deleted.

Addresses the following denials:

  type=1400 audit(0.0:492): avc: denied { ioctl } for comm="secdiscard" path="/data/misc/vold/user_keys/ce/10/current/encrypted_key" dev="dm-3" ino=9984 ioctlcmd=0x660b scontext=u:r:vold:s0 tcontext=u:object_r:vold_data_file:s0 tclass=file permissive=0
  type=1400 audit(0.0:517): avc: denied { ioctl } for comm="secdiscard" path="/data/misc/vold/user_keys/ce/11/current/secdiscardable" dev="dm-3" ino=9581 ioctlcmd=0x660b scontext=u:r:vold:s0 tcontext=u:object_r:vold_data_file:s0 tclass=file permissive=0
  type=1400 audit(0.0:694): avc: denied { ioctl } for comm="secdiscard" path="/data/misc/vold/user_keys/ce/0/current/keymaster_key_blob" dev="dm-3" ino=9903 ioctlcmd=0x660b scontext=u:r:vold:s0 tcontext=u:object_r:vold_data_file:s0 tclass=file permissive=0

Test: policy compiles and device boots
Change-Id: I1adf21b7fa92b1f92ce76532f4d9337a4d58a2e5
---
 public/vold.te | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/public/vold.te b/public/vold.te
index 8f50e6aea..8d52a31a7 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -53,6 +53,12 @@ allowxperm vold data_file_type:dir ioctl {
   FS_IOC_SET_ENCRYPTION_POLICY
 };
 
+# Find the location on the raw block device where the
+# crypto key is stored so it can be destroyed
+allowxperm vold vold_data_file:file ioctl {
+  FS_IOC_FIEMAP
+};
+
 typeattribute vold mlstrustedsubject;
 allow vold self:process setfscreate;
 allow vold system_file:file x_file_perms;
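Review bot: The comment on the added rule says why the ioctl is needed but not who issues it or what the rule depends on, which matters here because `allowxperm` only refines an existing `allow … ioctl` — the new block is a no-op unless `allow vold vold_data_file:file ioctl` (or an attribute-based equivalent) already exists elsewhere in vold.te, and that base rule is not visible in this hunk, so it is worth confirming. The denials quoted in the commit message show the caller is `secdiscard` running in the vold domain against key files under /data/misc/vold/user_keys, so the comment would read more precisely as `# secdiscard (vold domain) uses FS_IOC_FIEMAP to map a key file's extents on the raw block device so they can be discarded; relies on the base allow vold vold_data_file:file ioctl rule`. Since FIEMAP exposes physical extent layout, scoping the target to vold_data_file rather than the broader data_file_type used by the dir rule just above is the right choice and could be stated in the comment as the reason for the narrower type. The preceding `FS_IOC_SET_ENCRYPTION_POLICY };` context closes a rule that begins outside the hunk.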
-- 
GitLab