Merge "Remove unused sepolicy by fsverity_init" into rvc-dev
diff --git a/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil b/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
index 53b4e71..6f4dfbc 100644
--- a/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
+++ b/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
@@ -47,6 +47,7 @@
     fastbootd_protocol_prop
     file_integrity_service
     fwk_automotive_display_hwservice
+    fusectlfs
     gmscore_app
     hal_can_bus_hwservice
     hal_can_controller_hwservice
diff --git a/prebuilts/api/30.0/private/genfs_contexts b/prebuilts/api/30.0/private/genfs_contexts
index b423e64..51f2ce7 100644
--- a/prebuilts/api/30.0/private/genfs_contexts
+++ b/prebuilts/api/30.0/private/genfs_contexts
@@ -98,6 +98,8 @@
 genfscon proc /vmstat u:object_r:proc_vmstat:s0
 genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
 
+genfscon fusectl / u:object_r:fusectlfs:s0
+
 # selinuxfs booleans can be individually labeled.
 genfscon selinuxfs / u:object_r:selinuxfs:s0
 genfscon cgroup / u:object_r:cgroup:s0
diff --git a/prebuilts/api/30.0/public/domain.te b/prebuilts/api/30.0/public/domain.te
index 2654896..ed4aded 100644
--- a/prebuilts/api/30.0/public/domain.te
+++ b/prebuilts/api/30.0/public/domain.te
@@ -1286,6 +1286,9 @@
 # Do not allow executable files in debugfs.
 neverallow domain debugfs_type:file { execute execute_no_trans };
 
+# Don't allow access to the FUSE control filesystem, except to vold and init's
+neverallow { domain -vold -init -vendor_init } fusectlfs:file no_rw_file_perms;
+
 # Profiles contain untrusted data and profman parses that. We should only run
 # in from installd forked processes.
 neverallow {
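Review bot: The comment introducing the new neverallow trails off in a dangling `init's`, and the rule itself constrains only the `file` class, while the vold.te hunk in the same change grants `fusectlfs:dir rw_dir_perms` — so nothing here stops other domains from listing or searching the control directory (whose entries name the live FUSE connections) if any allow rule for it ever appears. Suggested wording: `# Don't allow access to the FUSE control filesystem, except to vold, init and vendor_init`. Consider a matching directory-class rule whose permission set mirrors what vold is granted, e.g. `neverallow { domain -vold -init -vendor_init } fusectlfs:dir { read search write add_name remove_name };`, so the restriction covers the whole filesystem rather than just its files. The identical hunk in public/domain.te later in this change needs the same treatment.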
diff --git a/prebuilts/api/30.0/public/file.te b/prebuilts/api/30.0/public/file.te
index 462e71d..7f56d9a 100644
--- a/prebuilts/api/30.0/public/file.te
+++ b/prebuilts/api/30.0/public/file.te
@@ -75,6 +75,7 @@
 type proc_vmstat, fs_type, proc_type;
 type proc_zoneinfo, fs_type, proc_type;
 type selinuxfs, fs_type, mlstrustedobject;
+type fusectlfs, fs_type;
 type cgroup, fs_type, mlstrustedobject;
 type cgroup_bpf, fs_type;
 type sysfs, fs_type, sysfs_type, mlstrustedobject;
diff --git a/prebuilts/api/30.0/public/vold.te b/prebuilts/api/30.0/public/vold.te
index 5d3eccf..1d125d3 100644
--- a/prebuilts/api/30.0/public/vold.te
+++ b/prebuilts/api/30.0/public/vold.te
@@ -215,6 +215,10 @@
 allow vold unlabeled:dir { r_dir_perms setattr relabelfrom };
 allow vold unlabeled:file { r_file_perms setattr relabelfrom };
 
+# Access to FUSE control filesystem to hard-abort FUSE mounts
+allow vold fusectlfs:file rw_file_perms;
+allow vold fusectlfs:dir rw_dir_perms;
+
 # Handle wake locks (used for device encryption)
 wakelock_use(vold)
 
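Review bot: `rw_dir_perms` on `fusectlfs:dir` is broader than the stated purpose of hard-aborting FUSE mounts, which presumably needs only to look up the per-connection directory and write to the control file inside it; `rw_dir_perms` also carries the write-side directory permissions (`write`, `add_name`, `remove_name`) that a kernel-provided control filesystem has no use for. Unless vold actually creates or removes entries there, `allow vold fusectlfs:dir r_dir_perms;` would be the least-privilege grant and still satisfies the file-class access on the line above it. The same two rules are duplicated in public/vold.te in this change and should be adjusted together.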
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 53b4e71..6f4dfbc 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -47,6 +47,7 @@
     fastbootd_protocol_prop
     file_integrity_service
     fwk_automotive_display_hwservice
+    fusectlfs
     gmscore_app
     hal_can_bus_hwservice
     hal_can_controller_hwservice
diff --git a/private/genfs_contexts b/private/genfs_contexts
index b423e64..51f2ce7 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -98,6 +98,8 @@
 genfscon proc /vmstat u:object_r:proc_vmstat:s0
 genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
 
+genfscon fusectl / u:object_r:fusectlfs:s0
+
 # selinuxfs booleans can be individually labeled.
 genfscon selinuxfs / u:object_r:selinuxfs:s0
 genfscon cgroup / u:object_r:cgroup:s0
diff --git a/public/domain.te b/public/domain.te
index 2654896..ed4aded 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1286,6 +1286,9 @@
 # Do not allow executable files in debugfs.
 neverallow domain debugfs_type:file { execute execute_no_trans };
 
+# Don't allow access to the FUSE control filesystem, except to vold and init's
+neverallow { domain -vold -init -vendor_init } fusectlfs:file no_rw_file_perms;
+
 # Profiles contain untrusted data and profman parses that. We should only run
 # in from installd forked processes.
 neverallow {
diff --git a/public/file.te b/public/file.te
index 462e71d..7f56d9a 100644
--- a/public/file.te
+++ b/public/file.te
@@ -75,6 +75,7 @@
 type proc_vmstat, fs_type, proc_type;
 type proc_zoneinfo, fs_type, proc_type;
 type selinuxfs, fs_type, mlstrustedobject;
+type fusectlfs, fs_type;
 type cgroup, fs_type, mlstrustedobject;
 type cgroup_bpf, fs_type;
 type sysfs, fs_type, sysfs_type, mlstrustedobject;
diff --git a/public/vold.te b/public/vold.te
index 5d3eccf..1d125d3 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -215,6 +215,10 @@
 allow vold unlabeled:dir { r_dir_perms setattr relabelfrom };
 allow vold unlabeled:file { r_file_perms setattr relabelfrom };
 
+# Access to FUSE control filesystem to hard-abort FUSE mounts
+allow vold fusectlfs:file rw_file_perms;
+allow vold fusectlfs:dir rw_dir_perms;
+
 # Handle wake locks (used for device encryption)
 wakelock_use(vold)