commit 6b5da95419208ab6f3a35a3dfd6ca37eb32ad7f8
author Paul Lawrence <paullawrence@google.com> Wed Mar 01 14:32:25 2023 -0800
committer Paul Lawrence <paullawrence@google.com> Wed Mar 01 14:45:57 2023 -0800
tree 4972907cb76c559d673836442388a405f6104345
parent 05f8ebe1db705dba367b54ae0b4e0d5d9215d448

Use kernel sys/fs/fuse/features/fuse_bpf flag to enable fuse_bpf

Bug: 262887267
Test: ro.fuse.bpf.is_running is true
Change-Id: I9c4a54e9ac232e9f35a6be5b3bcc3cc040d64b47

private/compat/33.0/33.0.ignore.cil

diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 3b61f73..089b0bb 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -55,6 +55,7 @@
     servicemanager_prop
     shutdown_checkpoints_system_data_file
     stats_config_data_file
+    sysfs_fs_fuse_features
     system_net_netd_service
     timezone_metadata_prop
     traced_oome_heap_session_count_prop

private/domain.te

diff --git a/private/domain.te b/private/domain.te
index 1e5e0f5..1c27662 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -56,6 +56,9 @@
 # Everyone can access the IncFS list of features.
 r_dir_file(domain, sysfs_fs_incfs_features);
 
+# Everyone can access the fuse list of features.
+r_dir_file(domain, sysfs_fs_fuse_features);
+
 # Path resolution access in cgroups.
 allow domain cgroup:dir search;
 allow { domain -appdomain -rs } cgroup:dir w_dir_perms;

private/genfs_contexts

diff --git a/private/genfs_contexts b/private/genfs_contexts
index f5a92ac..8e35c46 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -150,6 +150,7 @@
 genfscon sysfs /fs/ext4/features                  u:object_r:sysfs_fs_ext4_features:s0
 genfscon sysfs /fs/f2fs                           u:object_r:sysfs_fs_f2fs:s0
 genfscon sysfs /fs/fuse/bpf_prog_type_fuse        u:object_r:sysfs_fs_fuse_bpf:s0
+genfscon sysfs /fs/fuse/features                  u:object_r:sysfs_fs_fuse_features:s0
 genfscon sysfs /fs/incremental-fs/features        u:object_r:sysfs_fs_incfs_features:s0
 genfscon sysfs /fs/incremental-fs/instances       u:object_r:sysfs_fs_incfs_metrics:s0
 genfscon sysfs /power/autosleep u:object_r:sysfs_power:s0

private/isolated_app_all.te

diff --git a/private/isolated_app_all.te b/private/isolated_app_all.te
index bb9da6c..200af1b 100644
--- a/private/isolated_app_all.te
+++ b/private/isolated_app_all.te
@@ -95,6 +95,7 @@
   -sysfs_devices_system_cpu
   -sysfs_transparent_hugepage
   -sysfs_usb # TODO: check with audio team if needed for isolated_apps (b/28417852)
+  -sysfs_fs_fuse_features
   -sysfs_fs_incfs_features
 }:file no_rw_file_perms;
 

public/file.te

diff --git a/public/file.te b/public/file.te
index 9ca6802..da76aee 100644
--- a/public/file.te
+++ b/public/file.te
@@ -123,6 +123,7 @@
 type sysfs_fs_ext4_features, sysfs_type, fs_type;
 type sysfs_fs_f2fs, sysfs_type, fs_type;
 type sysfs_fs_fuse_bpf, sysfs_type, fs_type;
+type sysfs_fs_fuse_features, sysfs_type, fs_type;
 type sysfs_fs_incfs_features, sysfs_type, fs_type;
 type sysfs_fs_incfs_metrics, sysfs_type, fs_type;
 type sysfs_vendor_sched, sysfs_type, fs_type;