From 94995cd0d344b503b1d4a6b2ab646e0943bc56aa Mon Sep 17 00:00:00 2001
From: Tommy Chiu
Date: Fri, 4 Mar 2022 16:50:01 +0800
Subject: [PATCH] sepolicy: add permissions to let recovery wipe citadel
This gives recovery the ability to remove user data from citadel in the same manner as issuing a `fastboot -w` does. This doesn't allow for resetting FRP data, just user data.
audit: type=1400 audit(1646379959.016:9): avc: denied { getattr } for pid=348 comm="recovery" path="/dev/gsc0" dev="tmpfs" ino=754 scontext=u:r:recovery:s0 tcontext=u:object_r:citadel_device:s0 tclass=chr_file permissive=0
Bug: 222005928
Change-Id: Ia6113999aecacbbbb31d7a8659a45c0e5a0db2c9
---
 whitechapel_pro/recovery.te | 1 +
 1 file changed, 1 insertion(+)
diff --git a/whitechapel_pro/recovery.te b/whitechapel_pro/recovery.te
index 6eb97aa3..bfa3c7dc 100644
--- a/whitechapel_pro/recovery.te
+++ b/whitechapel_pro/recovery.te
@@ -1,3 +1,4 @@
 recovery_only(`
 allow recovery sysfs_ota:file rw_file_perms;
+ allow recovery citadel_device:chr_file rw_file_perms;
 ')
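Review bot: The added rule `allow recovery citadel_device:chr_file rw_file_perms;` grants the full read/write set on the citadel device node, while the only denial quoted in the commit message is `getattr`, and nothing in the file records why recovery needs the wider set. I would put a comment directly above the rule, for example `# recovery wipes citadel user data via /dev/gsc0, same as fastboot -w (b/222005928)`, so that a later audit of recovery.te can tell that the grant is intentional. The "user data only, not FRP" boundary stated in the description cannot be expressed by this rule, because SELinux only gates access to the node. That limit presumably has to be enforced by whatever handles commands behind the device, and it is worth confirming that it is. The rule does sit inside the existing `recovery_only` block, which keeps the grant out of the normal-boot policy.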