Inseob Kim | ff43be2 | 2021-06-07 16:56:56 +0900 | [diff] [blame] | 1 | # zipfuse is a FUSE daemon running in microdroid. It takes |
| 2 | # /dev/block/by-name/microdroid-apk, whose content comes from an apk file, and mounts it on |
| 3 | # /mnt/apk so that the entries in the apk file are seen as regular files. See |
| 4 | # packages/modules/Virtualization/zipfuse. |
| 5 | |
| 6 | type zipfuse, domain, coredomain; |
| 7 | type zipfuse_exec, exec_type, file_type, system_file_type; |
| 8 | |
| 9 | # Let init start the daemon: init_daemon_domain sets up the automatic transition from init into the zipfuse domain when init executes a file labeled zipfuse_exec. |
| 10 | init_daemon_domain(zipfuse) |
| 11 | |
| 12 | # Minimum needed to serve FUSE: read/write on the FUSE character device, and CAP_SYS_ADMIN, presumably for the mount(2) call (TODO confirm). sys_admin is a broad capability, so keep the other grants in this domain narrow. |
| 13 | allow zipfuse fuse_device:chr_file rw_file_perms; |
| 14 | allow zipfuse self:global_capability_class_set sys_admin; |
| 15 | |
| 16 | # Read-only access to the /dev/vd* block device files (vd_device), plus directory read and symlink read on |
| 17 | # block_device so that the /dev/block/by-name/* symlinks can be resolved. No write access is granted here. |
| 18 | allow zipfuse block_device:dir r_dir_perms; |
| 19 | allow zipfuse block_device:lnk_file r_file_perms; |
| 20 | allow zipfuse vd_device:blk_file r_file_perms; |
| 21 | |
| 22 | # Allow using a directory as a mount point; this is meant for /mnt/apk, but the rule is type-based and covers every directory labeled tmpfs, not only that path. |
| 23 | allow zipfuse tmpfs:dir mounton; |
| 24 | |
| 25 | # TODO(b/188400186) uncomment the following when this filesystem is mounted with |
| 26 | # fscontext=u:object_r:zipfusefs:s0 |
| 27 | # type zipfusefs, fs_type, contextmount_type; |
| 28 | # allow zipfuse fuse:filesystem relabelfrom; |
| 29 | # allow zipfuse zipfusefs:filesystem { mount relabelfrom relabelto }; |
| 30 | |
| 31 | # TODO(b/188400186) remove this when this filesystem is mounted with correct fcontext. Until then, mounting a filesystem with the generic fuse label is allowed on userdebug and eng builds only; no rule shown here grants it on user builds. |
| 32 | userdebug_or_eng(` |
| 33 | allow zipfuse fuse:filesystem mount; |
| 34 | ') |