# zipfuse is a FUSE daemon running in microdroid. It mounts
# /dev/block/by-name/microdroid-apk, whose content comes from an apk file, on
# /mnt/apk so that the entries in the apk file are seen as regular files. See
# packages/modules/Virtualization/zipfuse.

# zipfuse is the process domain of the daemon; zipfuse_exec labels its
# executable.
type zipfuse, domain, coredomain;
type zipfuse_exec, exec_type, file_type, system_file_type;

# Allow the domain transition from init. init_daemon_domain is a macro defined
# outside this file; presumably it moves init into the zipfuse domain when it
# executes a zipfuse_exec file -- confirm against the macro definition.
init_daemon_domain(zipfuse)

# Basic rules needed to implement FUSE: read/write on the FUSE character
# device, plus the sys_admin capability (presumably for the mount call).
# NOTE(review): sys_admin is a very broad capability. With it granted, the
# remaining allow rules in this domain are what bound the daemon, so keep them
# minimal and re-check this grant whenever the domain gains new permissions.
allow zipfuse fuse_device:chr_file rw_file_perms;
allow zipfuse self:global_capability_class_set sys_admin;

# Allow walking the block_device directory and reading the symlinks under
# /dev/block/by-name/*. These two rules cover only dir and lnk_file; no
# blk_file permission on the block_device type is granted in this file.
allow zipfuse block_device:dir r_dir_perms;
allow zipfuse block_device:lnk_file r_file_perms;

# /dev/block/by-name/microdroid-apk is mapped to /dev/block/dm-*, so the data
# is read through a device node labeled dm_device.
# NOTE(review): the rule is type-wide, so it applies to every block node
# labeled dm_device, not only the one backing microdroid-apk. The permission
# set is r_file_perms (read-side macro, defined outside this file).
allow zipfuse dm_device:blk_file r_file_perms;

# Allow mounting on /mnt/apk.
# NOTE(review): the rule names the tmpfs type rather than a label specific to
# /mnt/apk, so it permits mounton for any directory labeled tmpfs. A dedicated
# type for the mount point would narrow it -- confirm how /mnt/apk is labeled.
allow zipfuse tmpfs:dir mounton;

# Allow mounting with fscontext=u:object_r:zipfusefs:s0. zipfusefs is the
# filesystem label declared here. The mount changes the filesystem label from
# fuse to zipfusefs, hence relabelfrom on fuse and mount/relabelto on
# zipfusefs. relabelfrom on zipfusefs is presumably required by the context=
# option used below -- confirm against the kernel mount-option checks.
type zipfusefs, fs_type, contextmount_type;
allow zipfuse fuse:filesystem relabelfrom;
allow zipfuse zipfusefs:filesystem { mount relabelfrom relabelto };

# Allow mounting with context=u:object_r:system_file:s0 so that files provided
# by zipfuse are treated the same as the other files in /system or /apex. The
# associate permission lets objects labeled system_file exist on a zipfusefs
# filesystem.
# NOTE(review): every entry served from the apk therefore carries the
# system_file label, and any domain allowed to use system_file gets the same
# access to apk content. That makes the integrity of the backing dm device
# part of the trust boundary -- confirm how that device is verified, which is
# not visible in this file.
# NOTE(review): no neverallow rules are visible in this listing to pin the
# grants above to this domain; check whether they exist elsewhere in the
# policy.
allow system_file zipfusefs:filesystem associate;