Verified Commit b594df0f authored by steadfasterX

universal7870:selinux: fix encryption

there is one crucial important thing when it comes to IOCTL as this is a specific thing:

> I auditd  : type=1400 audit(0.0:1021): avc: denied { ioctl } for comm="Binder:2728_3" path="/dev/block/mmcblk0p24" dev="tmpfs" ino=1109 ioctlcmd=1272 scontext=u:r:vold:s0 tcontext=u:object_r:emmcblk_device:s0 tclass=blk_file permissive=0

see "system/sepolicy/public/ioctl_defines" for 1272 (because of ioctlcmd=1272), which leads to "BLKGETSIZE64"

some more details and background:
https://selinuxproject.org/page/XpermRules

Signed-off-by: steadfasterX <steadfasterX@gmail.com>
parent caf22e58
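
The lookup described in the commit message, as an added example that is not part of the commit or the project's code: it parses the quoted denial, resolves `ioctlcmd` against a table in the `ioctl_defines` format, and produces the matching `allowxperm` rule. The two-entry table is a constructed excerpt and the function names are hypothetical.

```python
import re

# Constructed excerpt in the m4 format used by system/sepolicy/public/ioctl_defines.
IOCTL_DEFINES = """
define(`BLKDISCARD', `0x00001277')
define(`BLKGETSIZE64', `0x00001272')
"""

# The denial quoted in the commit message.
DENIAL = ('type=1400 audit(0.0:1021): avc: denied { ioctl } for comm="Binder:2728_3" '
          'path="/dev/block/mmcblk0p24" dev="tmpfs" ino=1109 ioctlcmd=1272 '
          'scontext=u:r:vold:s0 tcontext=u:object_r:emmcblk_device:s0 '
          'tclass=blk_file permissive=0')

def load_defines(text):
    """Map the 16-bit ioctl command number to its symbolic name."""
    table = {}
    for name, value in re.findall(r"define\(`(\w+)',\s*`(0x[0-9a-fA-F]+)'\)", text):
        table[int(value, 16) & 0xFFFF] = name
    return table

def sepolicy_type(context):
    """Extract the type field: u:r:vold:s0 -> vold."""
    return context.split(":")[2]

def xperm_rule(denial, defines):
    """Return the allowxperm rule for an ioctl denial, or None for other denials."""
    perms = re.search(r"denied\s+\{([^}]*)\}", denial)
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', denial))
    if not perms or "ioctl" not in perms.group(1).split() or "ioctlcmd" not in fields:
        return None
    # The audit record prints ioctlcmd in hex (with or without a 0x prefix).
    cmd = int(fields["ioctlcmd"], 16)
    # Unknown commands fall back to the raw number instead of a guessed name.
    name = defines.get(cmd, "0x%04x" % cmd)
    return "allowxperm %s %s:%s ioctl %s;" % (
        sepolicy_type(fields["scontext"]), sepolicy_type(fields["tcontext"]),
        fields["tclass"], name)

if __name__ == "__main__":
    print(xperm_rule(DENIAL, load_defines(IOCTL_DEFINES)))
```
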
# /efs
allow vold efs_file:dir r_dir_perms;
# /dev/block/mmcblk0p[0-9]
allow vold emmcblk_device:dir create_dir_perms;
allow vold emmcblk_device:blk_file { setattr unlink rw_file_perms };
allow vold emmcblk_device:blk_file { setattr unlink rw_file_perms ioctl };
# device encryption
# see:
# https://selinuxproject.org/page/XpermRules
# system/sepolicy/public/ioctl_defines
allowxperm vold emmcblk_device:blk_file ioctl BLKGETSIZE64;
allow vold sysfs_sswap:file write;
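
Review bot: The `ioctl` appended to the `allow vold emmcblk_device:blk_file { ... }` set looks redundant, because AOSP's `rw_file_perms` macro already includes `ioctl` through `r_file_perms`; the line that addresses the denial from the commit message is the `allowxperm ... ioctl BLKGETSIZE64;` rule. Consider dropping the extra `ioctl` and putting the command value from the audit record (ioctlcmd=1272, printed in hex) into the "# device encryption" comment, so a reader can map the rule back to ioctl_defines without the commit message. It is also worth stating in that comment that BLKGETSIZE64 is the only block ioctl vold is expected to need on `emmcblk_device`, so a later denial for a different command is read as a policy decision rather than an oversight.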
......