Merge "Allow microdroid_manager to BLKFLSBUF on the instance disk"

commit: 03b3b18c70fc9dfd1a80fd6cd3a7f47e07f75025 [log] [tgz]
author: Treehugger Robot <treehugger-gerrit@google.com> Mon Feb 07 11:44:54 2022 +0000
committer: Gerrit Code Review <noreply-gerritcodereview@google.com> Mon Feb 07 11:44:54 2022 +0000
tree: 888cb3252d349eaec9188e75c2149dfcfe651a05
parent: f7a825bc46f814ea0d8ef4400c32f7d5bda0a6d4 [diff]
parent: 30c416a4bd3c7e748bcb1eaae2a87bac18908e22 [diff]
diff --git a/microdroid/system/private/microdroid_manager.te b/microdroid/system/private/microdroid_manager.te
index 1db1c2a..6539e2c 100644
--- a/microdroid/system/private/microdroid_manager.te
+++ b/microdroid/system/private/microdroid_manager.te

@@ -14,6 +14,11 @@
 # microdroid_manager verifies DM-verity mounted APK payload
 allow microdroid_manager dm_device:blk_file r_file_perms;
 
+# Allow microdroid_manager to do blkflsbuf on instance disk image. The ioctl
+# requires sys_admin cap as well.
+allowxperm microdroid_manager vd_device:blk_file ioctl BLKFLSBUF;
+allow microdroid_manager self:global_capability_class_set sys_admin;
+
 # Allow microdroid_manager to start payload tasks
 domain_auto_trans(microdroid_manager, microdroid_app_exec, microdroid_app)
 domain_auto_trans(microdroid_manager, compos_exec, compos)
commit	03b3b18c70fc9dfd1a80fd6cd3a7f47e07f75025	[log] [tgz]
author	Treehugger Robot <treehugger-gerrit@google.com>	Mon Feb 07 11:44:54 2022 +0000
committer	Gerrit Code Review <noreply-gerritcodereview@google.com>	Mon Feb 07 11:44:54 2022 +0000
tree	888cb3252d349eaec9188e75c2149dfcfe651a05
parent	f7a825bc46f814ea0d8ef4400c32f7d5bda0a6d4 [diff]
parent	30c416a4bd3c7e748bcb1eaae2a87bac18908e22 [diff]