update_engine_common: expand default allowed ioctl list

update_engine does a lot to keep partitions secure and tidy. Allow the
ioctls necessary to allow that to happen.

Addresses the following denials:
update_engine: type=1400 audit(0.0:6): avc: denied { ioctl } for path="/dev/block/sda20" dev="tmpfs" ino=13850 ioctlcmd=1277 scontext=u:r:update_engine:s0 tcontext=u:object_r:boot_block_device:s0 tclass=blk_file permissive=0
update_engine: type=1400 audit(0.0:8): avc: denied { ioctl } for path="/dev/block/sda20" dev="tmpfs" ino=13850 ioctlcmd=127c scontext=u:r:update_engine:s0 tcontext=u:object_r:boot_block_device:s0 tclass=blk_file permissive=0
update_engine: type=1400 audit(0.0:9): avc: denied { ioctl } for path="/dev/block/sda20" dev="tmpfs" ino=13850 ioctlcmd=127f scontext=u:r:update_engine:s0 tcontext=u:object_r:boot_block_device:s0 tclass=blk_file permissive=0
update_engine: type=1400 audit(0.0:13): avc: denied { ioctl } for path="/dev/block/sda18" dev="tmpfs" ino=12601 ioctlcmd=127d scontext=u:r:update_engine:s0 tcontext=u:object_r:custom_ab_block_device:s0 tclass=blk_file permissive=0

Bug: 118319505
Test: policy compiles.
Change-Id: I424f2a13ced2324b4c0c35b0f510b9aea748d5aa
diff --git a/public/update_engine_common.te b/public/update_engine_common.te
index 3931468..ccc3352 100644
--- a/public/update_engine_common.te
+++ b/public/update_engine_common.te
@@ -9,8 +9,16 @@
allow update_engine_common system_block_device:blk_file rw_file_perms;
# Where ioctls are granted via standard allow rules to block devices,
-# automatically allow BLKROGET and BLKROSET.
-allowxperm update_engine_common dev_type:blk_file ioctl { BLKROGET BLKROSET };
+# automatically allow common ioctls that are generally needed by
+# update_engine.
+allowxperm update_engine_common dev_type:blk_file ioctl {
+ BLKDISCARD
+ BLKDISCARDZEROES
+ BLKROGET
+ BLKROSET
+ BLKSECDISCARD
+ BLKZEROOUT
+};
# Allow to set recovery options in the BCB. Used to trigger factory reset when
# the update to an older version (channel change) or incompatible version
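Review bot: The new `allowxperm update_engine_common dev_type:blk_file ioctl { ... }` rule keeps the broad `dev_type` target while adding BLKDISCARD, BLKSECDISCARD and BLKZEROOUT, which erase data, unlike the BLKROGET/BLKROSET pair it replaces. The denials in the commit message are only against boot_block_device and custom_ab_block_device. Because the xperm takes effect wherever a standard allow rule already grants ioctl on a block device, the comment above the rule should say that these are destructive operations, so anyone who later adds a `blk_file` ioctl allow for update_engine_common knows that discard and zero-out come with it. The denied commands 1277, 127c, 127d and 127f correspond to BLKDISCARD, BLKDISCARDZEROES, BLKSECDISCARD and BLKZEROOUT, so each addition is backed by a logged denial; recording that mapping in the comment or the commit message would make the next audit easier. "Test: policy compiles" does not show that the denials are gone, so an update run on a device with the new policy and a clean audit log would be a stronger test line.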