Commit bacf448b authored by Nick Kralevich

allow system_server BLKSECDISCARD BLKDISCARD

Used at:
https://android.googlesource.com/platform/frameworks/base/+/7271c452a945a629c39fe885058c14c4ad11204e/services/core/jni/com_android_server_PersistentDataBlockService.cpp#60

Addresses the following denials:
  audit(0.0:413): avc: denied { ioctl } for comm="Binder:1365_1C" path="/dev/block/sdg1" dev="tmpfs" ino=20555 ioctlcmd=127d scontext=u:r:system_server:s0 tcontext=u:object_r:frp_block_device:s0 tclass=blk_file permissive=0
  audit(0.0:410): avc: denied { ioctl } for comm="Binder:1365_3" path="/dev/block/sdg1" dev="tmpfs" ino=20555 ioctlcmd=1277 scontext=u:r:system_server:s0 tcontext=u:object_r:frp_block_device:s0 tclass=blk_file permissive=0

Test: policy compiles.
Change-Id: I7614b6269031b7912a7b93dc5307f5687458fba8
parent 6f324ffd
...@@ -713,6 +713,7 @@ allow system_server keystore:keystore_key { ...@@ -713,6 +713,7 @@ allow system_server keystore:keystore_key {
# protection partition. This block device does not get wiped in a factory reset. # protection partition. This block device does not get wiped in a factory reset.
allow system_server block_device:dir search; allow system_server block_device:dir search;
allow system_server frp_block_device:blk_file rw_file_perms; allow system_server frp_block_device:blk_file rw_file_perms;
allowxperm system_server frp_block_device:blk_file ioctl { BLKSECDISCARD BLKDISCARD };
# Clean up old cgroups # Clean up old cgroups
allow system_server cgroup:dir { remove_name rmdir }; allow system_server cgroup:dir { remove_name rmdir };
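
Review bot: the added `allowxperm system_server frp_block_device:blk_file ioctl { BLKSECDISCARD BLKDISCARD };` line carries no comment, and the comment just above it still says this block device "does not get wiped in a factory reset", which reads oddly next to a rule that allowlists two discard ioctls. Suggest a one-line comment above the new rule saying that these ioctls are needed by the PersistentDataBlockService JNI code linked in the commit message, so the reason for the allowlist is recorded in the policy file and not only in the commit log. The two names line up with ioctlcmd=127d and ioctlcmd=1277 in the quoted denials, but the Test: line only says the policy compiles, so it is worth confirming on a device that both denials no longer appear.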