Allow fastbootd to wipe metadata.

Metadata needs to be erased as part of fastboot flashall -w.

Test: fastboot erase metadata
Bug: 113648914
Change-Id: I38a0debd9face16cad9d9a13a48549f3f58652fa

public/domain.te

@@ -592,6 +592,7 @@ neverallow {
   -vold
   -e2fs
   -fsck
+  -fastbootd
 } metadata_block_device:blk_file { append link rename write open read ioctl lock };
 
 # No domain other than recovery, update_engine and fastbootd can write to system partition(s).

public/fastbootd.te

@@ -39,20 +39,27 @@ recovery_only(`
   allow fastbootd dm_device:blk_file rw_file_perms;
 
   allow fastbootd super_block_device:blk_file rw_file_perms;
-  allow fastbootd system_block_device:blk_file { w_file_perms ioctl };
-  allowxperm fastbootd system_block_device:blk_file ioctl { BLKGETSIZE64 };
+  allow fastbootd {
+    boot_block_device
+    metadata_block_device
+    system_block_device
+    userdata_block_device
+  }:blk_file { w_file_perms getattr ioctl };
 
+  allowxperm fastbootd {
+    boot_block_device
+    metadata_block_device
+    system_block_device
+    userdata_block_device
+  }:blk_file ioctl { BLKGETSIZE64 };
 
-  allow fastbootd boot_block_device:blk_file { w_file_perms ioctl };
-  allowxperm fastbootd boot_block_device:blk_file ioctl { BLKGETSIZE64 };
+  allowxperm fastbootd {
+    metadata_block_device
+    userdata_block_device
+  }:blk_file ioctl { BLKSECDISCARD BLKDISCARD };
 
   allow fastbootd misc_block_device:blk_file rw_file_perms;
 
-  # Required to wipe userdata
-  allow fastbootd userdata_block_device:blk_file { w_file_perms getattr ioctl };
-  allowxperm fastbootd userdata_block_device:blk_file ioctl { BLKGETSIZE64 BLKSECDISCARD
-                                                              BLKDISCARD };
-
   allow fastbootd proc_cmdline:file r_file_perms;
   allow fastbootd rootfs:dir r_dir_perms;
   allow fastbootd sysfs_dt_firmware_android:file r_file_perms;