| # zipfuse is a FUSE daemon running in microdroid. It mounts |
| # /dev/block/by-name/microdroid-apk, whose content comes from an apk file, on |
| # /mnt/apk so that the entries in the apk file are seen as regular files. See |
| # packages/modules/Virtualization/zipfuse. |
| |
| # Process domain for the zipfuse daemon; it carries the domain and coredomain |
| # attributes. |
| type zipfuse, domain, coredomain; |
| # Label for the daemon executable; executing a file with this label is the |
| # entry point for the transition from init declared for this domain. |
| type zipfuse_exec, exec_type, file_type, system_file_type; |
| |
| # allow domain transition from init: a process that init starts from a file |
| # labelled zipfuse_exec runs in the zipfuse domain rather than in the init |
| # domain, so it is confined by the rules in this file. |
| init_daemon_domain(zipfuse) |
| |
| # allow basic rules to implement FUSE |
| # Read/write on the FUSE character device is how the daemon exchanges requests |
| # with the kernel. |
| allow zipfuse fuse_device:chr_file rw_file_perms; |
| # sys_admin (CAP_SYS_ADMIN) is presumably needed for the mount operation. It is |
| # a very broad capability and the widest grant in this file, so avoid adding |
| # further capabilities to this domain without a concrete need. |
| allow zipfuse self:global_capability_class_set sys_admin; |
| |
| # allow access to /dev/vd* block device files and also access to the symlinks |
| # /dev/block/by-name/* |
| # All three rules are read-only (r_dir_perms / r_file_perms); nothing here lets |
| # zipfuse write to a block device. |
| allow zipfuse block_device:dir r_dir_perms; |
| allow zipfuse block_device:lnk_file r_file_perms; |
| # NOTE(review): vd_device is not specific to the apk disk; this grants read on |
| # every block device carrying that label - confirm that is acceptable. |
| allow zipfuse vd_device:blk_file r_file_perms; |
| |
| # allow mounting on /mnt/apk |
| # NOTE(review): the rule names the generic tmpfs type, so it applies to any |
| # directory labelled tmpfs and not only /mnt/apk; a dedicated label for the |
| # mount point would narrow it. |
| allow zipfuse tmpfs:dir mounton; |
| |
| # TODO(b/188400186) uncomment the following when this filesystem is mounted with |
| # fscontext=u:object_r:zipfusefs:s0 |
| # Once enabled, the mounted filesystem gets its own zipfusefs type instead of |
| # the generic fuse type, so access to the apk contents can be granted per |
| # domain without also covering other FUSE mounts. |
| # type zipfusefs, fs_type, contextmount_type; |
| # allow zipfuse fuse:filesystem relabelfrom; |
| # allow zipfuse zipfusefs:filesystem { mount relabelfrom relabelto }; |
| |
| # TODO(b/188400186) remove this when this filesystem is mounted with the correct |
| # fscontext |
| # Interim rule: permission to mount a filesystem labelled with the generic fuse |
| # type, compiled in only for userdebug and eng builds. No rule visible here |
| # grants zipfuse a filesystem mount permission on user builds. |
| userdebug_or_eng(` |
| allow zipfuse fuse:filesystem mount; |
| ') |