Commit e844681c authored by Nick Kralevich

Expand BLKROGET and BLKROSET to all block devices.

Update engine is responsible for updating various partitions, which
includes enabling or disabling the read-only bit on the underlying block
device.

Rather than try to list out each block device separately, generalize the
ioctl rules to apply to all block device nodes. If the ioctl permission
is granted via a normal allow rule, then the allowxperm statement will
allow BLKROGET and BLKROSET by default on those block devices.

Test: policy compiles
Bug: 118150702
Change-Id: I7bca52e0f442df7320748f6d6371e5016aa6dd0b
parent 787fc8d0
......@@ -7,7 +7,10 @@ allow update_engine_common block_device:dir search;
# Allow read/write on system and boot partitions.
allow update_engine_common boot_block_device:blk_file rw_file_perms;
allow update_engine_common system_block_device:blk_file rw_file_perms;
allowxperm update_engine_common { boot_block_device system_block_device }:blk_file ioctl { BLKROGET BLKROSET };
# Where ioctls are granted via standard allow rules to block devices,
# automatically allow BLKROGET and BLKROSET.
allowxperm update_engine_common dev_type:blk_file ioctl { BLKROGET BLKROSET };
# Allow to set recovery options in the BCB. Used to trigger factory reset when
# the update to an older version (channel change) or incompatible version
......
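Review bot: the new allowxperm line targets dev_type:blk_file, so any later `allow update_engine_common ...:blk_file ioctl` rule will pick up BLKROSET with no further xperm change, and the comment above the rule does not spell out that this includes toggling the read-only bit on that device. Consider extending the comment to say so, so that whoever adds a future ioctl grant for a new block device type sees the consequence at the point of the rule. The commit message lists only "policy compiles" as testing; an on-device check that update_engine can still read and set the read-only flag on the boot and system block devices would confirm the generalized rule behaves like the per-type rule it sits beside.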