Add fusefs_type for FUSE filesystems
Any FUSE filesystem will receive the 'fuse' type when mounted. It is
possible to change this behaviour by specifying the "context=" or
"fscontext=" option in mount().
Because 'fuse' has historically been used only for the emulated storage,
it also received the 'sdcard_type' attribute. Replace the 'sdcard_type'
attribute from 'fuse' with the new 'fusefs_type'. This attribute can be
attached on derived types (such as app_fusefs).
This change:
- Remove the neverallow restriction on this new type. This means any
custom FUSE implementation can be mounted/unmounted (if the correct
allow rule is added). See domain.te.
- Change the attribute of 'fuse' from 'sdcard_type' to 'fusefs_type'.
See file.te.
- Modify all references to 'sdcard_type' to explicitly include 'fuse'
for compatibility reason.
Bug: 177481425
Bug: 190804537
Test: Build and boot aosp_cf_x86_64_phone-userdebug
Change-Id: Id4e410a049f72647accd4c3cf43eaa55e94c318f
diff --git a/private/adbd.te b/private/adbd.te
index c2c6164..c19630f 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -77,8 +77,8 @@
allow adbd tmpfs:dir search;
allow adbd rootfs:lnk_file r_file_perms; # /sdcard symlink
allow adbd tmpfs:lnk_file r_file_perms; # /mnt/sdcard symlink
-allow adbd sdcard_type:dir create_dir_perms;
-allow adbd sdcard_type:file create_file_perms;
+allow adbd { sdcard_type fuse }:dir create_dir_perms;
+allow adbd { sdcard_type fuse }:file create_file_perms;
# adb pull /data/anr/traces.txt
allow adbd anr_data_file:dir r_dir_perms;
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 096a41b..e64462e 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -131,6 +131,7 @@
neverallow { all_untrusted_apps -mediaprovider } {
fs_type
-sdcard_type
+ -fuse
file_type
-app_data_file # The apps sandbox itself
-privapp_data_file
diff --git a/private/audioserver.te b/private/audioserver.te
index feda8d4..ca29373 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -7,6 +7,7 @@
tmpfs_domain(audioserver)
r_dir_file(audioserver, sdcard_type)
+r_dir_file(audioserver, fuse)
binder_use(audioserver)
binder_call(audioserver, binderservicedomain)
diff --git a/private/domain.te b/private/domain.te
index b91d36d..63e1bde 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -354,8 +354,8 @@
} self:global_capability_class_set dac_read_search;
# Limit what domains can mount filesystems or change their mount flags.
-# sdcard_type / vfat is exempt as a larger set of domains need
-# this capability, including device-specific domains.
+# sdcard_type (including vfat and exfat) and fusefs_type are exempt as a larger
+# set of domains need this capability, including device-specific domains.
neverallow {
domain
-apexd
@@ -369,6 +369,7 @@
-zygote
} { fs_type
-sdcard_type
+ -fusefs_type
}:filesystem { mount remount relabelfrom relabelto };
enforce_debugfs_restriction(`
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index e004891..3b916e2 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -17,7 +17,7 @@
app_domain(ephemeral_app)
# Allow ephemeral apps to read/write files in visible storage if provided fds
-allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
+allow ephemeral_app { sdcard_type fuse media_rw_data_file }:file {read write getattr ioctl lock append};
# Some apps ship with shared libraries and binaries that they write out
# to their sandbox directory and then execute.
@@ -87,8 +87,8 @@
neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
# Directly access external storage
-neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create};
-neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search;
+neverallow ephemeral_app { sdcard_type fuse media_rw_data_file }:file {open create};
+neverallow ephemeral_app { sdcard_type fuse media_rw_data_file }:dir search;
# Avoid reads to proc_net, it contains too much device wide information about
# ongoing connections.
diff --git a/private/gsid.te b/private/gsid.te
index 8a13cb1..2ccc51c 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -84,7 +84,7 @@
# gsi_tool passes a FIFO to gsid if invoked with pipe redirection.
allow gsid { shell su }:fifo_file r_file_perms;
# Allow installing images from /storage/emulated/...
- allow gsid sdcard_type:file r_file_perms;
+ allow gsid { sdcard_type fuse }:file r_file_perms;
')
neverallow {
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 71749c0..800775b 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -33,7 +33,7 @@
# neverallow rules below.
# media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
# is modified to change the secontext when accessing the lower filesystem.
-allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock map };
+allow isolated_app { sdcard_type fuse media_rw_data_file }:file { read write append getattr lock map };
# For webviews, isolated_app processes can be forked from the webview_zygote
# in addition to the zygote. Allow access to resources inherited from the
@@ -110,10 +110,10 @@
# Do not allow isolated_app to access external storage, except for files passed
# via file descriptors (b/32896414).
-neverallow isolated_app { storage_file mnt_user_file sdcard_type }:dir ~getattr;
+neverallow isolated_app { storage_file mnt_user_file sdcard_type fuse }:dir ~getattr;
neverallow isolated_app { storage_file mnt_user_file }:file_class_set *;
-neverallow isolated_app sdcard_type:{ devfile_class_set lnk_file sock_file fifo_file } *;
-neverallow isolated_app sdcard_type:file ~{ read write append getattr lock map };
+neverallow isolated_app { sdcard_type fuse }:{ devfile_class_set lnk_file sock_file fifo_file } *;
+neverallow isolated_app { sdcard_type fuse }:file ~{ read write append getattr lock map };
# Do not allow USB access
neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 7a92bd4..8203724 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -142,7 +142,7 @@
# Do not allow accessing SDcard files as unsafe ejection could
# cause the kernel to kill the process.
-neverallow surfaceflinger sdcard_type:file rw_file_perms;
+neverallow surfaceflinger { sdcard_type fuse }:file rw_file_perms;
# b/68864350
dontaudit surfaceflinger unlabeled:dir search;
diff --git a/private/system_server.te b/private/system_server.te
index f35f9a8..d76a2a8 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -965,7 +965,7 @@
# Allow statfs() on storage devices, which happens fast enough that
# we shouldn't be killed during unsafe removal
-allow system_server sdcard_type:dir { getattr search };
+allow system_server { sdcard_type fuse }:dir { getattr search };
# Traverse into expanded storage
allow system_server mnt_expand_file:dir r_dir_perms;
@@ -1159,8 +1159,8 @@
# Do not allow opening files from external storage as unsafe ejection
# could cause the kernel to kill the system_server.
-neverallow system_server sdcard_type:dir { open read write };
-neverallow system_server sdcard_type:file rw_file_perms;
+neverallow system_server { sdcard_type fuse }:dir { open read write };
+neverallow system_server { sdcard_type fuse }:file rw_file_perms;
# system server should never be operating on zygote spawned app data
# files directly. Rather, they should always be passed via a
diff --git a/private/zygote.te b/private/zygote.te
index dd42a81..de64c8f 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -152,8 +152,8 @@
allow zygote storage_file:dir { search mounton };
# Allow mounting and creating files, dirs on sdcardfs.
-allow zygote { sdcard_type }:dir { create_dir_perms mounton };
-allow zygote { sdcard_type }:file { create_file_perms };
+allow zygote { sdcard_type fuse }:dir { create_dir_perms mounton };
+allow zygote { sdcard_type fuse }:file { create_file_perms };
# Handle --invoke-with command when launching Zygote with a wrapper command.
allow zygote zygote_exec:file rx_file_perms;
diff --git a/public/app.te b/public/app.te
index 5527f99..e8178d1 100644
--- a/public/app.te
+++ b/public/app.te
@@ -261,8 +261,8 @@
allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:lnk_file r_file_perms;
# Read/write visible storage
-allow { appdomain -isolated_app -ephemeral_app } sdcard_type:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } sdcard_type:file create_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } { sdcard_type fuse }:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } { sdcard_type fuse }:file create_file_perms;
# This should be removed if sdcardfs is modified to alter the secontext for its
# accesses to the underlying FS.
allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:dir create_dir_perms;
diff --git a/public/attributes b/public/attributes
index 2e01f1e..15c5000 100644
--- a/public/attributes
+++ b/public/attributes
@@ -18,6 +18,12 @@
# All types used for context= mounts.
attribute contextmount_type;
+# All types referencing a FUSE filesystem.
+# When mounting a new FUSE filesystem, the fscontext= option should be used to
+# set a domain-specific type with this attribute. See app_fusefs for an
+# example.
+attribute fusefs_type;
+
# All types used for files that can exist on a labeled fs.
# Do not use for pseudo file types.
# On change, update CHECK_FC_ASSERT_ATTRS
diff --git a/public/drmserver.te b/public/drmserver.te
index eede0fc..d515079 100644
--- a/public/drmserver.te
+++ b/public/drmserver.te
@@ -18,11 +18,11 @@
# Perform Binder IPC to mediaserver
binder_call(drmserver, mediaserver)
-allow drmserver sdcard_type:dir search;
+allow drmserver { sdcard_type fuse }:dir search;
allow drmserver drm_data_file:dir create_dir_perms;
allow drmserver drm_data_file:file create_file_perms;
allow drmserver { app_data_file privapp_data_file }:file { read write getattr map };
-allow drmserver sdcard_type:file { read write getattr map };
+allow drmserver { sdcard_type fuse }:file { read write getattr map };
r_dir_file(drmserver, efs_file)
type drmserver_socket, file_type;
diff --git a/public/file.te b/public/file.te
index 20348b5..6ed459e 100644
--- a/public/file.te
+++ b/public/file.te
@@ -138,7 +138,7 @@
type tmpfs, fs_type;
type shm, fs_type;
type mqueue, fs_type;
-type fuse, sdcard_type, fs_type, mlstrustedobject;
+type fuse, fusefs_type, fs_type, mlstrustedobject;
type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
type vfat, sdcard_type, fs_type, mlstrustedobject;
type exfat, sdcard_type, fs_type, mlstrustedobject;
@@ -160,7 +160,7 @@
type oemfs, fs_type, contextmount_type;
type usbfs, fs_type;
type binfmt_miscfs, fs_type;
-type app_fusefs, fs_type, contextmount_type;
+type app_fusefs, fs_type, fusefs_type, contextmount_type;
# File types
type unlabeled, file_type;
diff --git a/public/hal_wifi_hostapd.te b/public/hal_wifi_hostapd.te
index 12d72b6..55efc3c 100644
--- a/public/hal_wifi_hostapd.te
+++ b/public/hal_wifi_hostapd.te
@@ -23,5 +23,5 @@
###
# hal_wifi_hostapd should not trust any data from sdcards
-neverallow hal_wifi_hostapd_server sdcard_type:dir ~getattr;
-neverallow hal_wifi_hostapd_server sdcard_type:file *;
+neverallow hal_wifi_hostapd_server { sdcard_type fuse }:dir ~getattr;
+neverallow hal_wifi_hostapd_server { sdcard_type fuse }:file *;
diff --git a/public/hal_wifi_supplicant.te b/public/hal_wifi_supplicant.te
index 7361af1..f7c444e 100644
--- a/public/hal_wifi_supplicant.te
+++ b/public/hal_wifi_supplicant.te
@@ -34,5 +34,5 @@
###
# wpa_supplicant should not trust any data from sdcards
-neverallow hal_wifi_supplicant_server sdcard_type:dir ~getattr;
-neverallow hal_wifi_supplicant_server sdcard_type:file *;
+neverallow hal_wifi_supplicant_server { sdcard_type fuse }:dir ~getattr;
+neverallow hal_wifi_supplicant_server { sdcard_type fuse }:file *;
diff --git a/public/init.te b/public/init.te
index ea5a979..f606c71 100644
--- a/public/init.te
+++ b/public/init.te
@@ -313,11 +313,12 @@
-keychord_device
-proc_type
-sdcard_type
+ -fusefs_type
-sysfs_type
-rootfs
enforce_debugfs_restriction(`-debugfs_type')
}:file { open read setattr };
-allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir { open read setattr search };
+allow init { fs_type -contextmount_type -sdcard_type -fusefs_type -rootfs }:dir { open read setattr search };
allow init {
binder_device
diff --git a/public/installd.te b/public/installd.te
index 08060e3..1134aaa 100644
--- a/public/installd.te
+++ b/public/installd.te
@@ -71,8 +71,8 @@
# Delete /data/media files through sdcardfs, instead of going behind its back
allow installd tmpfs:dir r_dir_perms;
allow installd storage_file:dir search;
-allow installd sdcard_type:dir { search open read write remove_name getattr rmdir };
-allow installd sdcard_type:file { getattr unlink };
+allow installd { sdcard_type fuse }:dir { search open read write remove_name getattr rmdir };
+allow installd { sdcard_type fuse }:file { getattr unlink };
# Create app's mirror data directory in /data_mirror, and bind mount the real directory to it
allow installd mirror_data_file:dir { create_dir_perms mounton };
diff --git a/public/kernel.te b/public/kernel.te
index 9aa40cc..902933d 100644
--- a/public/kernel.te
+++ b/public/kernel.te
@@ -56,7 +56,7 @@
allow kernel self:security setcheckreqprot;
# kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
-allow kernel sdcard_type:file { read write };
+allow kernel { sdcard_type fuse }:file { read write };
# f_mtp driver accesses files from kernel context.
allow kernel mediaprovider:fd use;
diff --git a/public/mediaextractor.te b/public/mediaextractor.te
index a29e5dc..1315b8f 100644
--- a/public/mediaextractor.te
+++ b/public/mediaextractor.te
@@ -26,7 +26,7 @@
crash_dump_fallback(mediaextractor)
# allow mediaextractor read permissions for file sources
-allow mediaextractor sdcard_type:file { getattr read };
+allow mediaextractor { sdcard_type fuse }:file { getattr read };
allow mediaextractor media_rw_data_file:file { getattr read };
allow mediaextractor { app_data_file privapp_data_file }:file { getattr read };
diff --git a/public/mediaserver.te b/public/mediaserver.te
index ad460e1..0275532 100644
--- a/public/mediaserver.te
+++ b/public/mediaserver.te
@@ -8,6 +8,7 @@
net_domain(mediaserver)
r_dir_file(mediaserver, sdcard_type)
+r_dir_file(mediaserver, fuse)
r_dir_file(mediaserver, cgroup)
r_dir_file(mediaserver, cgroup_v2)
@@ -30,7 +31,7 @@
allow mediaserver media_data_file:dir create_dir_perms;
allow mediaserver media_data_file:file create_file_perms;
allow mediaserver { app_data_file privapp_data_file }:file { append getattr ioctl lock map read write };
-allow mediaserver sdcard_type:file write;
+allow mediaserver { sdcard_type fuse }:file write;
allow mediaserver gpu_device:chr_file rw_file_perms;
allow mediaserver video_device:dir r_dir_perms;
allow mediaserver video_device:chr_file rw_file_perms;
diff --git a/public/sdcardd.te b/public/sdcardd.te
index bb1c919..220e7d0 100644
--- a/public/sdcardd.te
+++ b/public/sdcardd.te
@@ -10,11 +10,11 @@
allow sdcardd mnt_media_rw_file:dir r_dir_perms;
allow sdcardd storage_file:dir search;
allow sdcardd storage_stub_file:dir { search mounton };
-allow sdcardd sdcard_type:filesystem { mount unmount };
+allow sdcardd { sdcard_type fuse }:filesystem { mount unmount };
allow sdcardd self:global_capability_class_set { setuid setgid dac_override dac_read_search sys_admin sys_resource };
-allow sdcardd sdcard_type:dir create_dir_perms;
-allow sdcardd sdcard_type:file create_file_perms;
+allow sdcardd { sdcard_type fuse }:dir create_dir_perms;
+allow sdcardd { sdcard_type fuse }:file create_file_perms;
allow sdcardd media_rw_data_file:dir create_dir_perms;
allow sdcardd media_rw_data_file:file create_file_perms;
diff --git a/public/vendor_init.te b/public/vendor_init.te
index 0999f48..c6e5e82 100644
--- a/public/vendor_init.te
+++ b/public/vendor_init.te
@@ -140,6 +140,7 @@
-contextmount_type
-keychord_device
-sdcard_type
+ -fusefs_type
-rootfs
-proc_uid_time_in_state
-proc_uid_concurrent_active_time
@@ -153,6 +154,7 @@
fs_type
-contextmount_type
-sdcard_type
+ -fusefs_type
-rootfs
-proc_uid_time_in_state
-proc_uid_concurrent_active_time
diff --git a/public/vold.te b/public/vold.te
index 7796ba8..af3152e 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -86,14 +86,12 @@
allow vold device:dir write;
allow vold devpts:chr_file rw_file_perms;
allow vold rootfs:dir mounton;
-allow vold sdcard_type:dir mounton; # TODO: deprecated in M
-allow vold sdcard_type:filesystem { mount remount unmount }; # TODO: deprecated in M
-allow vold sdcard_type:dir create_dir_perms; # TODO: deprecated in M
-allow vold sdcard_type:file create_file_perms; # TODO: deprecated in M
+allow vold { sdcard_type fuse }:dir mounton; # TODO: deprecated in M
+allow vold { sdcard_type fuse }:filesystem { mount remount unmount }; # TODO: deprecated in M
# Manage locations where storage is mounted
-allow vold { mnt_media_rw_file storage_file sdcard_type }:dir create_dir_perms;
-allow vold { mnt_media_rw_file storage_file sdcard_type }:file create_file_perms;
+allow vold { mnt_media_rw_file storage_file sdcard_type fuse }:dir create_dir_perms;
+allow vold { mnt_media_rw_file storage_file sdcard_type fuse }:file create_file_perms;
# Access to storage that backs emulated FUSE daemons for migration optimization
allow vold media_rw_data_file:dir create_dir_perms;