Allow zipfuse to mount with fscontext and context

zipfuse now supports fscontext and context (but not defcontext yet).
Allow it to be mounted with zipfusefs as fscontext and system_file as
context.

Bug: 189165759
Bug: 188400186
Test: atest MicrodroidHostTestCases
Change-Id: I67a70b6d7975399ecfd0b4db87b50a8d25f89c4e
diff --git a/microdroid/sepolicy/system/private/microdroid_launcher.te b/microdroid/sepolicy/system/private/microdroid_launcher.te
index 5983cb7..35286a6 100644
--- a/microdroid/sepolicy/system/private/microdroid_launcher.te
+++ b/microdroid/sepolicy/system/private/microdroid_launcher.te
@@ -5,17 +5,6 @@
 type microdroid_launcher, domain, coredomain;
 type microdroid_launcher_exec, exec_type, file_type, system_file_type;
 
-# allow executing files on the zipfuse fs
-# TODO(b/188400186) uncomment the below when the zipfuse is mounted with
-# fscontext=u:object_r:zipfusefs:s0
-# allow microdroid_launcher zipfusefs:dir r_dir_perms;
-# allow microdroid_launcher zipfusefs:file rx_file_perms;
-# TODO(b/188400186) remove the below two rules
-userdebug_or_eng(`
-  allow microdroid_launcher fuse:dir r_dir_perms;
-  allow microdroid_launcher fuse:file rx_file_perms;
-')
-
 # Allow to communicate use, read and write over the adb connection.
 allow microdroid_launcher adbd:fd use;
 allow microdroid_launcher adbd:unix_stream_socket { read write };
diff --git a/microdroid/sepolicy/system/private/zipfuse.te b/microdroid/sepolicy/system/private/zipfuse.te
index 9d5faad..65da9d3 100644
--- a/microdroid/sepolicy/system/private/zipfuse.te
+++ b/microdroid/sepolicy/system/private/zipfuse.te
@@ -22,13 +22,11 @@
 # allow mounting on /mnt/apk
 allow zipfuse tmpfs:dir mounton;
 
-# TODO(b/188400186) uncomment the following when this filesystem is mounted with
-# fscontext=u:object_r:zipfusefs:s0
-# type zipfusefs, fs_type, contextmount_type;
-# allow zipfuse fuse:filesystem relabelfrom;
-# allow zipfuse zipfusefs:filesystem { mount relabelfrom relabelto };
+# allow mounting with fscontext=u:object_r:zipfusefs:s0
+type zipfusefs, fs_type, contextmount_type;
+allow zipfuse fuse:filesystem relabelfrom;
+allow zipfuse zipfusefs:filesystem { mount relabelfrom relabelto };
 
-# TODO(b/188400186) remove this when this filesystem is mounted with correct fcontext
-userdebug_or_eng(`
-  allow zipfuse fuse:filesystem mount;
-')
+# allow mounting with context=u:object_r:system_file:s0 so that files provided
+# by zipfuse are treated the same as the other files in /system or /apex
+allow system_file zipfusefs:filesystem associate;
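Review bot: The `context=u:object_r:system_file:s0` mount that the final `associate` rule permits labels every file served by zipfuse as `system_file`, so any domain already allowed to read or execute `system_file` gets the same access to the APK contents, not only microdroid_launcher. The comment above that rule should record the trust assumption, e.g. `# NOTE: APK contents become system_file; assumes the APK is verified before zipfuse mounts it`. Whether such verification happens is not visible in this diff and should be confirmed. The same labelling is presumably why the microdroid_launcher.te hunk can drop its `fuse` rules without adding `zipfusefs` ones, which is worth stating in that file too. If the payload is not trusted to the same degree as /system, a dedicated file type with rules only for the domains that need it would keep the access narrower.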