From 07e6aa994aa382628f1b163603daee594bc8e58e Mon Sep 17 00:00:00 2001
From: Alistair Delva
Date: Thu, 26 Dec 2019 14:48:21 -0800
Subject: [PATCH] recovery: Allow BLKPBSZGET on cache_block_device
The comment in this file acknowledges that this is needed for "Wipe data/cache", however it does not actually grant the permission for cache_block_device. Add it. Fixes a denial seen on cuttlefish: avc: denied { ioctl } for pid=223 comm="mke2fs" path="/dev/block/vda3" dev="tmpfs" ino=486 ioctlcmd=0x127b scontext=u:r:recovery:s0 tcontext=u:object_r:cache_block_device:s0 tclass=blk_file permissive=0
Bug: 146898312
Change-Id: I82b9975085c027941c970ca44dbb1a7a370295fa
---
public/recovery.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/public/recovery.te b/public/recovery.te
index 11933544c..3bac03dd6 100644
--- a/public/recovery.te
+++ b/public/recovery.te
@@ -85,7 +85,7 @@ recovery_only(`
 allow recovery device:dir r_dir_perms;
 allow recovery block_device:dir r_dir_perms;
 allow recovery dev_type:blk_file rw_file_perms;
- allowxperm recovery { userdata_block_device metadata_block_device }:blk_file ioctl BLKPBSZGET;
+ allowxperm recovery { userdata_block_device metadata_block_device cache_block_device }:blk_file ioctl BLKPBSZGET;
 # GUI
 allow recovery graphics_device:chr_file rw_file_perms;
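Review bot: The type set in the new `allowxperm` rule is the full list of block devices on which recovery may issue this ioctl, and keeping it on one long line means every addition rewrites the whole rule, so a reviewer has to compare the two lines word by word to see which type gained access. Writing the set with one type per line inside the braces would make the next addition a single added line. The grant itself stays limited to `BLKPBSZGET`, which matches the `ioctlcmd=0x127b` in the quoted denial. The comment the commit message refers to lies outside the hunk; if it does not already name the caller, a line such as `# mke2fs issues BLKPBSZGET when recovery formats these partitions` directly above the rule would keep that reason in the policy file. The `recovery_only(` block begins before this hunk and continues past it.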