From 2b413622ce237b4ef355cafd24bbebaba7f22804 Mon Sep 17 00:00:00 2001 From: Kelvin Zhang Date: Mon, 26 Jun 2023 14:52:27 -0700 Subject: [PATCH] Give vold permission to wipe a block device During mountFstab call, vold might need to wipe and re-format a device. See code in system/vold/model/PublicVolume.cpp , PublicVolume::doFormat Allow IOCTLs such as BLKDISCARDZEROES for wiping. Test: th Bug: 279808236 Change-Id: I0bebf850aa45ece6227fa5c3e9c3fdb38164f79e --- private/vold.te | 4 ++++ public/e2fs.te | 6 ++++++ 2 files changed, 10 insertions(+) diff --git a/private/vold.te b/private/vold.te index 957e5d0ba..4256ac38e 100644 --- a/private/vold.te +++ b/private/vold.te @@ -7,6 +7,10 @@ domain_auto_trans(vold, sgdisk_exec, sgdisk); domain_auto_trans(vold, sdcardd_exec, sdcardd); domain_auto_trans(vold, fuseblkd_untrusted_exec, fuseblkd_untrusted); +# Switch to e2fs domain when running mkfs.ext4 to format a partition +domain_auto_trans(vold, e2fs_exec, e2fs); + + # For a handful of probing tools, we choose an even more restrictive # domain when working with untrusted block devices domain_trans(vold, blkid_exec, blkid); diff --git a/public/e2fs.te b/public/e2fs.te index 6bce10f3a..973abb9dc 100644 --- a/public/e2fs.te +++ b/public/e2fs.te @@ -9,6 +9,12 @@ allow e2fs userdata_block_device:blk_file rw_file_perms; allow e2fs metadata_block_device:blk_file rw_file_perms; allow e2fs dm_device:blk_file rw_file_perms; allow e2fs zoned_block_device:blk_file rw_file_perms; +# Vold needs to capture mkfs.ext4's output +allow e2fs vold:fd use; +# Need to be able to format a partition +allow e2fs sysfs_dm:dir r_dir_perms; +allow e2fs sysfs_dm:file r_file_perms; + allowxperm e2fs { userdata_block_device metadata_block_device dm_device zoned_block_device }:blk_file ioctl { BLKSECDISCARD BLKDISCARD BLKPBSZGET BLKDISCARDZEROES BLKROGET BLKREPORTZONE BLKRESETZONE };