From fefc887edab6375dd46f6576c05fbcd6eb8a8ef6 Mon Sep 17 00:00:00 2001
From: Nick Kralevich <nnk@google.com>
Date: Wed, 14 Nov 2018 12:47:50 -0800
Subject: [PATCH] vold: allow ioctls BLKDISCARD and BLKGETSIZE

BLKDISCARD is used by vold while wiping block devices
https://android.googlesource.com/platform/system/vold/+/b2455747a92957d109a050b8f3e394d87d085086/Utils.cpp#619

BLKGETSIZE is used to determine the size of the block device. Ideally
code should not be using this ioctl, as it fails for devices >= 2T in
size. Vold indirectly uses this when executing /system/bin/newfs_msdos.
Arguably this is a bug in newfs_msdos, as BLKGETSIZE64 should be used
instead.
Code: https://android.googlesource.com/platform/external/newfs_msdos/+/0c7e133c7fde67911efb7bd920d4f0ab0c269af8/mkfs_msdos.c#845

Addresses the following denials:

audit(0.0:24): avc: denied { ioctl } for comm="Binder:588_2" path="/dev/block/vold/public:7,9" dev="tmpfs" ino=106407 ioctlcmd=1277 scontext=u:r:vold:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file permissive=0
audit(0.0:25): avc: denied { ioctl } for comm="newfs_msdos" path="/dev/block/vold/public:7,9" dev="tmpfs" ino=106407 ioctlcmd=1260 scontext=u:r:vold:s0 tcontext=u:object_r:vold_device:s0 tclass=blk_file permissive=0

Test: policy compiles.
Bug: 119562530
Change-Id: Ib7198daf150d6f2578545a6a402e0313069ea2b4
---
 public/vold.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/public/vold.te b/public/vold.te
index 236604fa0..3848c359d 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -107,6 +107,7 @@ allowxperm vold loop_device:blk_file ioctl {
   LOOP_SET_STATUS64
 };
 allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
+allowxperm vold vold_device:blk_file ioctl { BLKDISCARD BLKGETSIZE };
 allow vold dm_device:chr_file rw_file_perms;
 allow vold dm_device:blk_file rw_file_perms;
 allowxperm vold dm_device:blk_file ioctl BLKSECDISCARD;
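Review bot: The added `allowxperm vold vold_device:blk_file ioctl { BLKDISCARD BLKGETSIZE };` rule has no comment recording why each ioctl is permitted, and per the commit message the BLKGETSIZE entry is a workaround for newfs_msdos rather than something vold itself calls. The second denial shows comm="newfs_msdos" with scontext u:r:vold:s0, so the grant applies to the whole vold domain and is worth marking as temporary in the policy file, not only in the commit log. I would add above the rule: `# BLKDISCARD: vold wipes block devices. BLKGETSIZE: newfs_msdos (runs in the vold domain); switch to BLKGETSIZE64 once newfs_msdos is fixed.` The only test listed is that the policy compiles, so a check on a device that both quoted denials no longer appear would be a useful follow-up.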
-- 
GitLab