From e844681c8602dd27eb3e748312590d4be6c3437e Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Tue, 23 Oct 2018 11:57:54 -0700
Subject: [PATCH] Expand BLKROGET and BLKROSET to all block devices.
Update engine is responsible for updating various partitions, which includes enabling or disabling the read-only bit on the underlying block device. Rather than try to list out each block device separately, generalize the ioctl rules to apply to all block device nodes. If the ioctl permission is granted via a normal allow rule, then the allowxperm statement will allow BLKROGET and BLKROSET by default on those block devices.
Test: policy compiles
Bug: 118150702
Change-Id: I7bca52e0f442df7320748f6d6371e5016aa6dd0b
---
 public/update_engine_common.te | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index a7d3bf398..3931468b2 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -7,7 +7,10 @@ allow update_engine_common block_device:dir search;
 # Allow read/write on system and boot partitions.
 allow update_engine_common boot_block_device:blk_file rw_file_perms;
 allow update_engine_common system_block_device:blk_file rw_file_perms;
-allowxperm update_engine_common { boot_block_device system_block_device }:blk_file ioctl { BLKROGET BLKROSET };
+
+# Where ioctls are granted via standard allow rules to block devices,
+# automatically allow BLKROGET and BLKROSET.
+allowxperm update_engine_common dev_type:blk_file ioctl { BLKROGET BLKROSET };
 
 # Allow to set recovery options in the BCB. Used to trigger factory reset when
 # the update to an older version (channel change) or incompatible version
-- GitLab
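Review bot: The new allowxperm line targets `dev_type`, which covers every block device node rather than the two named partition types, and the two-line comment above it should say explicitly how that scope is bounded so a later reader does not take it for a broad grant. As the commit message explains, the rule adds no ioctl access by itself; it only widens the extended-permission set where a separate `allow ... :blk_file` rule already includes ioctl (presumably via rw_file_perms on the two lines above), but that also means any blk_file ioctl grant added to update_engine_common in future will silently inherit BLKROSET, which flips the device's read-only flag. Suggest extending the comment with `# This rule grants no access on its own; it applies only where an allow rule already grants blk_file ioctl, and any such grant added later also receives BLKROGET/BLKROSET.` so reviewers of later allow rules see the implication at the point where it is decided.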