relax fuse_device neverallow rules
The fuse_device neverallow rules are too aggressive and are inhibiting
certain vendor customizations. Relax the /dev/fuse neverallow rules so
that they better reflect the security invariants we want to uphold.
Bug: 37496487
Test: policy compiles.
Change-Id: Ie73b0ba7c76446afc2a7a23ebed1275c977d932d
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 0f0f577..bb37ceb 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -87,6 +87,9 @@
')
}:dir_file_class_set { create unlink };
+# No untrusted component should be touching /dev/fuse
+neverallow all_untrusted_apps fuse_device:chr_file *;
+
# Do not allow untrusted apps to directly open tun_device
neverallow all_untrusted_apps tun_device:chr_file open;
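Review bot: The comment on the new rule says "No untrusted component", but the rule's subject is only `all_untrusted_apps`, so the comment overstates what the policy actually enforces; any untrusted non-app domain is not covered here. Suggest wording it to match the rule, e.g. `# No untrusted app domain may hold any permission on /dev/fuse (fuse_device)`. The description also says the /dev/fuse rules are being relaxed, yet this hunk only adds a denial; the rule being relaxed is presumably in a file not shown, so a one-line pointer to where the remaining fuse_device invariant is enforced would let a later auditor tell an intentional vendor exception from a regression.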
diff --git a/private/platform_app.te b/private/platform_app.te
index 984bb7b..fd4634a 100644
--- a/private/platform_app.te
+++ b/private/platform_app.te
@@ -61,3 +61,10 @@
allow platform_app preloads_media_file:dir r_dir_perms;
read_runtime_log_tags(platform_app)
+
+###
+### Neverallow rules
+###
+
+# app domains which access /dev/fuse should not run as platform_app
+neverallow platform_app fuse_device:chr_file *;
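Review bot: This neverallow and the identical one added to private/system_app.te express the same invariant as the `all_untrusted_apps` rule in private/app_neverallows.te, but the three are spread across three files, so a reader checking which app domains may touch /dev/fuse has to find all of them. Keeping them together as one rule, `neverallow { all_untrusted_apps platform_app system_app } fuse_device:chr_file *;`, in the file that already holds the app-wide denial (or cross-referencing it from the per-domain files) would make the invariant reviewable in one place. The comment `# app domains which access /dev/fuse should not run as platform_app` reads as advice to app authors rather than a statement of the rule; `# platform_app must never hold any permission on /dev/fuse` states what is enforced.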
diff --git a/private/system_app.te b/private/system_app.te
index 02e6101..7950044 100644
--- a/private/system_app.te
+++ b/private/system_app.te
@@ -83,3 +83,10 @@
control_logd(system_app)
read_runtime_log_tags(system_app)
+
+###
+### Neverallow rules
+###
+
+# app domains which access /dev/fuse should not run as system_app
+neverallow system_app fuse_device:chr_file *;