Use kernel sys/fs/fuse/features/fuse_bpf flag to enable fuse_bpf
Bug: 262887267
Test: ro.fuse.bpf.is_running is true
Change-Id: I9c4a54e9ac232e9f35a6be5b3bcc3cc040d64b47
diff --git a/private/compat/33.0/33.0.ignore.cil b/private/compat/33.0/33.0.ignore.cil
index 3b61f73..089b0bb 100644
--- a/private/compat/33.0/33.0.ignore.cil
+++ b/private/compat/33.0/33.0.ignore.cil
@@ -55,6 +55,7 @@
servicemanager_prop
shutdown_checkpoints_system_data_file
stats_config_data_file
+ sysfs_fs_fuse_features
system_net_netd_service
timezone_metadata_prop
traced_oome_heap_session_count_prop
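Review bot: Only the 33.0 compat mapping receives the new `sysfs_fs_fuse_features` type at L13; if this tree still carries older `private/compat/<ver>/<ver>.ignore.cil` files, each of them would be expected to need the same entry, otherwise the compatibility mapping for those versions would treat it as an unmapped new type. The placement between `stats_config_data_file` and `system_net_netd_service` keeps the list alphabetical, consistent with the surrounding entries.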
diff --git a/private/domain.te b/private/domain.te
index 1e5e0f5..1c27662 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -56,6 +56,9 @@
# Everyone can access the IncFS list of features.
r_dir_file(domain, sysfs_fs_incfs_features);
+# Everyone can access the fuse list of features.
+r_dir_file(domain, sysfs_fs_fuse_features);
+
# Path resolution access in cgroups.
allow domain cgroup:dir search;
allow { domain -appdomain -rs } cgroup:dir w_dir_perms;
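Review bot: The comment added at L24 mirrors the IncFS line almost word for word and does not say why every domain needs this access; since the commit message ties it to detecting fuse_bpf, I would write `# Everyone can read the fuse feature flags under /sys/fs/fuse/features (e.g. to detect fuse_bpf support).` The grant itself is read-only (`r_dir_file`), so what is exposed is limited to feature-flag names and values. Because `domain` includes the app domains, any neverallow over `sysfs_type` that covers them must exempt the new type; this commit does so for isolated_app_all, and the policy build should reject the rule if another such neverallow exists without the exemption.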
diff --git a/private/genfs_contexts b/private/genfs_contexts
index f5a92ac..8e35c46 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -150,6 +150,7 @@
genfscon sysfs /fs/ext4/features u:object_r:sysfs_fs_ext4_features:s0
genfscon sysfs /fs/f2fs u:object_r:sysfs_fs_f2fs:s0
genfscon sysfs /fs/fuse/bpf_prog_type_fuse u:object_r:sysfs_fs_fuse_bpf:s0
+genfscon sysfs /fs/fuse/features u:object_r:sysfs_fs_fuse_features:s0
genfscon sysfs /fs/incremental-fs/features u:object_r:sysfs_fs_incfs_features:s0
genfscon sysfs /fs/incremental-fs/instances u:object_r:sysfs_fs_incfs_metrics:s0
genfscon sysfs /power/autosleep u:object_r:sysfs_power:s0
diff --git a/private/isolated_app_all.te b/private/isolated_app_all.te
index bb9da6c..200af1b 100644
--- a/private/isolated_app_all.te
+++ b/private/isolated_app_all.te
@@ -95,6 +95,7 @@
-sysfs_devices_system_cpu
-sysfs_transparent_hugepage
-sysfs_usb # TODO: check with audio team if needed for isolated_apps (b/28417852)
+ -sysfs_fs_fuse_features
-sysfs_fs_incfs_features
}:file no_rw_file_perms;
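Review bot: The exemption at L50 is needed for the `r_dir_file(domain, sysfs_fs_fuse_features)` grant in domain.te to coexist with this neverallow, but its scope is wider than the single fuse_bpf flag: genfscon labels by path prefix, so every current and future file the kernel places under /sys/fs/fuse/features becomes readable to isolated apps. Read-only access to feature flags is a small surface, but the intent is worth recording next to the entry, e.g. `-sysfs_fs_fuse_features # read-only fuse feature flags, needed for fuse_bpf detection`. The neverallow rule this set belongs to begins above the hunk.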