From bacf448bdba09ff37ae918d85a26879d7d993523 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Tue, 20 Nov 2018 17:57:04 -0800
Subject: [PATCH] allow system_server BLKSECDISCARD BLKDISCARD

Used at:
https://android.googlesource.com/platform/frameworks/base/+/7271c452a945a629c39fe885058c14c4ad11204e/services/core/jni/com_android_server_PersistentDataBlockService.cpp#60

Addresses the following denials:
  audit(0.0:413): avc: denied { ioctl } for comm="Binder:1365_1C" path="/dev/block/sdg1" dev="tmpfs" ino=20555 ioctlcmd=127d scontext=u:r:system_server:s0 tcontext=u:object_r:frp_block_device:s0 tclass=blk_file permissive=0
  audit(0.0:410): avc: denied { ioctl } for comm="Binder:1365_3" path="/dev/block/sdg1" dev="tmpfs" ino=20555 ioctlcmd=1277 scontext=u:r:system_server:s0 tcontext=u:object_r:frp_block_device:s0 tclass=blk_file permissive=0

Test: policy compiles.
Change-Id: I7614b6269031b7912a7b93dc5307f5687458fba8
---
 private/system_server.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/private/system_server.te b/private/system_server.te
index 710413579..621385cbc 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -713,6 +713,7 @@ allow system_server keystore:keystore_key {
 # protection partition. This block device does not get wiped in a factory reset.
 allow system_server block_device:dir search;
 allow system_server frp_block_device:blk_file rw_file_perms;
+allowxperm system_server frp_block_device:blk_file ioctl { BLKSECDISCARD BLKDISCARD };
 
 # Clean up old cgroups
 allow system_server cgroup:dir { remove_name rmdir };
-- 
GitLab