recovery: Allow BLKPBSZGET on cache_block_device

The comment in this file acknowledges that this is needed for "Wipe data/cache", however it does not actually grant the permission for cache_block_device. Add it. Fixes a denial seen on cuttlefish: avc: denied { ioctl } for pid=223 comm="mke2fs" path="/dev/block/vda3" dev="tmpfs" ino=486 ioctlcmd=0x127b scontext=u:r:recovery:s0 tcontext=u:object_r:cache_block_device:s0 tclass=blk_file permissive=0 Bug: 146898312 Change-Id: I82b9975085c027941c970ca44dbb1a7a370295fa
2019-12-26 14:48:21 -08:00 · 2019-12-26 14:48:21 -08:00 · 07e6aa994a
commit 07e6aa994a
parent 1d241db7e5
1 changed files with 1 additions and 1 deletions
--- a/public/recovery.te
+++ b/public/recovery.te
@ -85,7 +85,7 @@ recovery_only(`
  allow recovery device:dir r_dir_perms;
  allow recovery block_device:dir r_dir_perms;
  allow recovery dev_type:blk_file rw_file_perms;
-  allowxperm recovery { userdata_block_device metadata_block_device }:blk_file ioctl BLKPBSZGET;
+  allowxperm recovery { userdata_block_device metadata_block_device cache_block_device }:blk_file ioctl BLKPBSZGET;

  # GUI
  allow recovery graphics_device:chr_file rw_file_perms;