From db465285cfe5724d83021888c42ba93f0e8ee415 Mon Sep 17 00:00:00 2001
From: Tom Cherry <tomcherry@google.com>
Date: Wed, 11 Apr 2018 14:56:47 -0700
Subject: [PATCH] Allow vendor_init to write to misc_block_device

Vendors may use this to write custom messages to their bootloader, and
as the bootloader is under vendor control, this makes sense to allow.

Bug: 77881566
Test: build
Change-Id: I78f80400e5f386cad1327a9209ee1afc8e334e56
---
 public/domain.te      | 1 +
 public/vendor_init.te | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/public/domain.te b/public/domain.te
index 4f026232a..31345be8f 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -600,6 +600,7 @@ neverallow {
   -init
   -uncrypt
   -update_engine
+  -vendor_init
   -vold
   -recovery
   -ueventd
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 027392509..362244ee7 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -146,6 +146,9 @@ allow vendor_init serialno_prop:file { getattr open read };
 # Vendor init can perform operations on trusted and security Extended Attributes
 allow vendor_init self:global_capability_class_set sys_admin;
 
+# Raw writes to misc block device
+allow vendor_init misc_block_device:blk_file w_file_perms;
+
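Review bot: The new allow on the `misc_block_device:blk_file w_file_perms` line is documented only as "Raw writes to misc block device", which does not record why carving vendor_init out of the domain.te neverallow (the `-vendor_init` entry in the first hunk, whose neverallow statement begins and ends outside that hunk) is an acceptable trade-off. The other domains exempted there (uncrypt, update_engine, vold, recovery) suggest this is the same device that recovery and OTA components use for their bootloader messages, so a fault or compromise in vendor_init, which processes vendor-supplied init scripts, could clobber those messages — presumably the reason the neverallow exists. Suggest the comment carry the scope and the bug, e.g. `# Raw writes to misc block device so vendor_init can pass vendor-defined messages to the vendor-owned bootloader (b/77881566).` followed by `# The device is shared with recovery/uncrypt/update_engine/vold bootloader messages, so vendor writes must stay within vendor-specific regions.` Note also that `w_file_perms` expands beyond a bare `write` (open/append/lock, and `map` in recent trees — verify against this tree's global_macros); if append and lock are not needed, an explicit `{ open write }` would keep the grant to what the commit message describes.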
 not_compatible_property(`
     set_prop(vendor_init, {
       property_type
-- 
GitLab