Merge "Add sepolicy for FUSE control filesystem."
diff --git a/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil b/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
index f84e922..6cb333a 100644
--- a/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
+++ b/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
@@ -45,6 +45,7 @@
exported_camera_prop
file_integrity_service
fwk_automotive_display_hwservice
+ fusectlfs
gmscore_app
hal_can_bus_hwservice
hal_can_controller_hwservice
diff --git a/prebuilts/api/30.0/private/genfs_contexts b/prebuilts/api/30.0/private/genfs_contexts
index b423e64..51f2ce7 100644
--- a/prebuilts/api/30.0/private/genfs_contexts
+++ b/prebuilts/api/30.0/private/genfs_contexts
@@ -98,6 +98,8 @@
genfscon proc /vmstat u:object_r:proc_vmstat:s0
genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
+genfscon fusectl / u:object_r:fusectlfs:s0
+
# selinuxfs booleans can be individually labeled.
genfscon selinuxfs / u:object_r:selinuxfs:s0
genfscon cgroup / u:object_r:cgroup:s0
diff --git a/prebuilts/api/30.0/public/domain.te b/prebuilts/api/30.0/public/domain.te
index 6d0faa4..83b9d8a 100644
--- a/prebuilts/api/30.0/public/domain.te
+++ b/prebuilts/api/30.0/public/domain.te
@@ -1295,6 +1295,9 @@
# Do not allow executable files in debugfs.
neverallow domain debugfs_type:file { execute execute_no_trans };
+# Don't allow access to the FUSE control filesystem, except to vold and init's
+neverallow { domain -vold -init -vendor_init } fusectlfs:file no_rw_file_perms;
+
# Profiles contain untrusted data and profman parses that. We should only run
# in from installd forked processes.
neverallow {
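Review bot: The comment above the new neverallow ends mid-sentence (`except to vold and init's`), so the reason for the exemption is not recorded; suggest `# Don't allow access to the FUSE control filesystem, except to vold (which aborts FUSE mounts through it) and to init/vendor_init.` The rule also constrains only the `file` class, while vold.te in the same change grants `fusectlfs:dir rw_dir_perms`, so a domain that later gains directory write permissions on fusectlfs would not be caught here; if the policy's macros provide a directory counterpart, a matching `neverallow { domain -vold -init -vendor_init } fusectlfs:dir ...` line would close that gap. The identical hunk appears in public/domain.te.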
diff --git a/prebuilts/api/30.0/public/file.te b/prebuilts/api/30.0/public/file.te
index d6bd897..dffa5a3 100644
--- a/prebuilts/api/30.0/public/file.te
+++ b/prebuilts/api/30.0/public/file.te
@@ -75,6 +75,7 @@
type proc_vmstat, fs_type, proc_type;
type proc_zoneinfo, fs_type, proc_type;
type selinuxfs, fs_type, mlstrustedobject;
+type fusectlfs, fs_type;
type cgroup, fs_type, mlstrustedobject;
type cgroup_bpf, fs_type;
type sysfs, fs_type, sysfs_type, mlstrustedobject;
diff --git a/prebuilts/api/30.0/public/vold.te b/prebuilts/api/30.0/public/vold.te
index 400e32a..c1e8e07 100644
--- a/prebuilts/api/30.0/public/vold.te
+++ b/prebuilts/api/30.0/public/vold.te
@@ -202,6 +202,10 @@
allow vold unlabeled:dir { r_dir_perms setattr relabelfrom };
allow vold unlabeled:file { r_file_perms setattr relabelfrom };
+# Access to FUSE control filesystem to hard-abort FUSE mounts
+allow vold fusectlfs:file rw_file_perms;
+allow vold fusectlfs:dir rw_dir_perms;
+
# Handle wake locks (used for device encryption)
wakelock_use(vold)
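Review bot: `rw_dir_perms` on `fusectlfs:dir` looks broader than the stated purpose of hard-aborting FUSE mounts needs: the control filesystem's entries are created by the kernel, so vold presumably only has to enumerate connection directories and then write to a control file, which `r_dir_perms` on the directory plus the existing `rw_file_perms` on files would cover. If vold does not create or remove entries there, `allow vold fusectlfs:dir r_dir_perms;` keeps the grant to least privilege; this is inferred from the comment, so confirm against vold's actual use. The same rules appear in public/vold.te.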
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index ed41f76..a0229d4 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -46,6 +46,7 @@
fastbootd_protocol_prop
file_integrity_service
fwk_automotive_display_hwservice
+ fusectlfs
gmscore_app
gnss_device
hal_can_bus_hwservice
diff --git a/private/genfs_contexts b/private/genfs_contexts
index 78fec91..0526a23 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -98,6 +98,8 @@
genfscon proc /vmstat u:object_r:proc_vmstat:s0
genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
+genfscon fusectl / u:object_r:fusectlfs:s0
+
# selinuxfs booleans can be individually labeled.
genfscon selinuxfs / u:object_r:selinuxfs:s0
genfscon cgroup / u:object_r:cgroup:s0
diff --git a/public/domain.te b/public/domain.te
index a88074b..3baf482 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1307,6 +1307,9 @@
# Do not allow executable files in debugfs.
neverallow domain debugfs_type:file { execute execute_no_trans };
+# Don't allow access to the FUSE control filesystem, except to vold and init's
+neverallow { domain -vold -init -vendor_init } fusectlfs:file no_rw_file_perms;
+
# Profiles contain untrusted data and profman parses that. We should only run
# in from installd forked processes.
neverallow {
diff --git a/public/file.te b/public/file.te
index ca7f09c..a1accd2 100644
--- a/public/file.te
+++ b/public/file.te
@@ -75,6 +75,7 @@
type proc_vmstat, fs_type, proc_type;
type proc_zoneinfo, fs_type, proc_type;
type selinuxfs, fs_type, mlstrustedobject;
+type fusectlfs, fs_type;
type cgroup, fs_type, mlstrustedobject;
type cgroup_bpf, fs_type;
type sysfs, fs_type, sysfs_type, mlstrustedobject;
diff --git a/public/vold.te b/public/vold.te
index 400e32a..c1e8e07 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -202,6 +202,10 @@
allow vold unlabeled:dir { r_dir_perms setattr relabelfrom };
allow vold unlabeled:file { r_file_perms setattr relabelfrom };
+# Access to FUSE control filesystem to hard-abort FUSE mounts
+allow vold fusectlfs:file rw_file_perms;
+allow vold fusectlfs:dir rw_dir_perms;
+
# Handle wake locks (used for device encryption)
wakelock_use(vold)