commit a0ca772c64531c17924d24201fa137066a451d13
author Jiyong Park <jiyong@google.com> Mon May 31 14:08:55 2021 +0900
committer Jiyong Park <jiyong@google.com> Wed Jun 02 17:15:03 2021 +0900
tree a15d91c59bd49b3569b0665f2826b2f9be21a2e8
parent 6a762dbada0cc376a38dc2de1647ea81afbeb123

Mount zipfuse with fscontext and context

The zipfuse filesystem is now mounted with its own selinux context using
the 'fscontext=' option. The files in the filesystem are by default
labeled as system_file via the 'context=' option.

Bug: 188400186
Test: atest MicrodroidHostTestCases
Change-Id: I0f046124bdf4f6189b0be9c5b0b503332bdec332

tests/hostside/java/android/virt/test/MicrodroidTestCase.java

diff --git a/tests/hostside/java/android/virt/test/MicrodroidTestCase.java b/tests/hostside/java/android/virt/test/MicrodroidTestCase.java
index 13ca434..b3c3e27 100644
--- a/tests/hostside/java/android/virt/test/MicrodroidTestCase.java
+++ b/tests/hostside/java/android/virt/test/MicrodroidTestCase.java
@@ -177,7 +177,9 @@
         assertThat(abiList.length, is(1));
 
         final String libPath = "/mnt/apk/lib/" + abiList[0] + "/MicrodroidTestNativeLib.so";
-        assertThat(executeCommandOnMicrodroid("shell ls " + libPath), is(libPath));
+        assertThat(
+                executeCommandOnMicrodroid("shell ls -Z " + libPath),
+                is("u:object_r:system_file:s0 " + libPath));
 
         assertThat(
                 executeCommandOnMicrodroid(

zipfuse/zipfuse.rc

diff --git a/zipfuse/zipfuse.rc b/zipfuse/zipfuse.rc
index 97306ea..ccd94b6 100644
--- a/zipfuse/zipfuse.rc
+++ b/zipfuse/zipfuse.rc
@@ -1,2 +1,2 @@
-service zipfuse /system/bin/zipfuse /dev/block/by-name/microdroid-apk /mnt/apk
+service zipfuse /system/bin/zipfuse -o fscontext=u:object_r:zipfusefs:s0,context=u:object_r:system_file:s0 /dev/block/by-name/microdroid-apk /mnt/apk
     disabled