commit 787fc8d0e67f63cb386f0b5754c22ade455839d1
author Nick Kralevich <nnk@google.com> Tue Oct 23 03:29:34 2018 -0700
committer Nick Kralevich <nnk@google.com> Tue Oct 23 03:35:08 2018 -0700
tree 94f6808327f850067dd6267c3a9b7a362cd1a2fe
parent 962ad6fecbbc481c5643fd5c3c3759b5cd19f01e

vold.te: allow BLKSECDISCARD

vold needs to securely delete content from various block devices. Allow
it.

Addresses the following denials:

type=1400 audit(0.0:66): avc: denied { ioctl } for comm="secdiscard" path="/dev/block/dm-3" dev="tmpfs" ino=17945 ioctlcmd=0x127d scontext=u:r:vold:s0 tcontext=u:object_r:dm_device:s0 tclass=blk_file permissive=0
type=1400 audit(0.0:43): avc: denied { ioctl } for comm="secdiscard" path="/dev/block/sda45" dev="tmpfs" ino=17485 ioctlcmd=127d scontext=u:r:vold:s0 tcontext=u:object_r:userdata_block_device:s0 tclass=blk_file permissive=0

Test: policy compiles.
Change-Id: Ie7b4b8ac4698d9002a4e8d142d4e463f8d42899a

public/vold.te

diff --git a/public/vold.te b/public/vold.te
index 7645239..5e8c34b 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -103,6 +103,7 @@
 allow vold vold_device:blk_file { create setattr unlink rw_file_perms };
 allow vold dm_device:chr_file rw_file_perms;
 allow vold dm_device:blk_file rw_file_perms;
+allowxperm vold dm_device:blk_file ioctl BLKSECDISCARD;
 # For vold Process::killProcessesWithOpenFiles function.
 allow vold domain:dir r_dir_perms;
 allow vold domain:{ file lnk_file } r_file_perms;
@@ -186,6 +187,7 @@
 
 # Access userdata block device.
 allow vold userdata_block_device:blk_file rw_file_perms;
+allowxperm vold userdata_block_device:blk_file ioctl BLKSECDISCARD;
 
 # Access metadata block device used for encryption meta-data.
 allow vold metadata_block_device:blk_file rw_file_perms;