Add fusefs_type for FUSE filesystems
Any FUSE filesystem will receive the 'fuse' type when mounted. It is
possible to change this behaviour by specifying the "context=" or
"fscontext=" option in mount().
Because 'fuse' has historically been used only for the emulated storage,
it also received the 'sdcard_type' attribute. Replace the 'sdcard_type'
attribute from 'fuse' with the new 'fusefs_type'. This attribute can be
attached on derived types (such as app_fusefs).
This change:
- Remove the neverallow restriction on this new type. This means any
custom FUSE implementation can be mounted/unmounted (if the correct
allow rule is added). See domain.te.
- Change the attribute of 'fuse' from 'sdcard_type' to 'fusefs_type'.
See file.te.
- Modify all references to 'sdcard_type' to explicitly include 'fuse'
for compatibility reason.
Bug: 177481425
Bug: 190804537
Test: Build and boot aosp_cf_x86_64_phone-userdebug
Change-Id: Id4e410a049f72647accd4c3cf43eaa55e94c318f
diff --git a/private/adbd.te b/private/adbd.te
index c2c6164..c19630f 100644
--- a/private/adbd.te
+++ b/private/adbd.te
@@ -77,8 +77,8 @@
allow adbd tmpfs:dir search;
allow adbd rootfs:lnk_file r_file_perms; # /sdcard symlink
allow adbd tmpfs:lnk_file r_file_perms; # /mnt/sdcard symlink
-allow adbd sdcard_type:dir create_dir_perms;
-allow adbd sdcard_type:file create_file_perms;
+allow adbd { sdcard_type fuse }:dir create_dir_perms;
+allow adbd { sdcard_type fuse }:file create_file_perms;
# adb pull /data/anr/traces.txt
allow adbd anr_data_file:dir r_dir_perms;
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index 096a41b..e64462e 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -131,6 +131,7 @@
neverallow { all_untrusted_apps -mediaprovider } {
fs_type
-sdcard_type
+ -fuse
file_type
-app_data_file # The apps sandbox itself
-privapp_data_file
diff --git a/private/audioserver.te b/private/audioserver.te
index feda8d4..ca29373 100644
--- a/private/audioserver.te
+++ b/private/audioserver.te
@@ -7,6 +7,7 @@
tmpfs_domain(audioserver)
r_dir_file(audioserver, sdcard_type)
+r_dir_file(audioserver, fuse)
binder_use(audioserver)
binder_call(audioserver, binderservicedomain)
diff --git a/private/domain.te b/private/domain.te
index b91d36d..63e1bde 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -354,8 +354,8 @@
} self:global_capability_class_set dac_read_search;
# Limit what domains can mount filesystems or change their mount flags.
-# sdcard_type / vfat is exempt as a larger set of domains need
-# this capability, including device-specific domains.
+# sdcard_type (including vfat and exfat) and fusefs_type are exempt as a larger
+# set of domains need this capability, including device-specific domains.
neverallow {
domain
-apexd
@@ -369,6 +369,7 @@
-zygote
} { fs_type
-sdcard_type
+ -fusefs_type
}:filesystem { mount remount relabelfrom relabelto };
enforce_debugfs_restriction(`
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index e004891..3b916e2 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -17,7 +17,7 @@
app_domain(ephemeral_app)
# Allow ephemeral apps to read/write files in visible storage if provided fds
-allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
+allow ephemeral_app { sdcard_type fuse media_rw_data_file }:file {read write getattr ioctl lock append};
# Some apps ship with shared libraries and binaries that they write out
# to their sandbox directory and then execute.
@@ -87,8 +87,8 @@
neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
# Directly access external storage
-neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create};
-neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search;
+neverallow ephemeral_app { sdcard_type fuse media_rw_data_file }:file {open create};
+neverallow ephemeral_app { sdcard_type fuse media_rw_data_file }:dir search;
# Avoid reads to proc_net, it contains too much device wide information about
# ongoing connections.
diff --git a/private/gsid.te b/private/gsid.te
index 8a13cb1..2ccc51c 100644
--- a/private/gsid.te
+++ b/private/gsid.te
@@ -84,7 +84,7 @@
# gsi_tool passes a FIFO to gsid if invoked with pipe redirection.
allow gsid { shell su }:fifo_file r_file_perms;
# Allow installing images from /storage/emulated/...
- allow gsid sdcard_type:file r_file_perms;
+ allow gsid { sdcard_type fuse }:file r_file_perms;
')
neverallow {
diff --git a/private/isolated_app.te b/private/isolated_app.te
index 71749c0..800775b 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te
@@ -33,7 +33,7 @@
# neverallow rules below.
# media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
# is modified to change the secontext when accessing the lower filesystem.
-allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock map };
+allow isolated_app { sdcard_type fuse media_rw_data_file }:file { read write append getattr lock map };
# For webviews, isolated_app processes can be forked from the webview_zygote
# in addition to the zygote. Allow access to resources inherited from the
@@ -110,10 +110,10 @@
# Do not allow isolated_app to access external storage, except for files passed
# via file descriptors (b/32896414).
-neverallow isolated_app { storage_file mnt_user_file sdcard_type }:dir ~getattr;
+neverallow isolated_app { storage_file mnt_user_file sdcard_type fuse }:dir ~getattr;
neverallow isolated_app { storage_file mnt_user_file }:file_class_set *;
-neverallow isolated_app sdcard_type:{ devfile_class_set lnk_file sock_file fifo_file } *;
-neverallow isolated_app sdcard_type:file ~{ read write append getattr lock map };
+neverallow isolated_app { sdcard_type fuse }:{ devfile_class_set lnk_file sock_file fifo_file } *;
+neverallow isolated_app { sdcard_type fuse }:file ~{ read write append getattr lock map };
# Do not allow USB access
neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;
diff --git a/private/surfaceflinger.te b/private/surfaceflinger.te
index 7a92bd4..8203724 100644
--- a/private/surfaceflinger.te
+++ b/private/surfaceflinger.te
@@ -142,7 +142,7 @@
# Do not allow accessing SDcard files as unsafe ejection could
# cause the kernel to kill the process.
-neverallow surfaceflinger sdcard_type:file rw_file_perms;
+neverallow surfaceflinger { sdcard_type fuse }:file rw_file_perms;
# b/68864350
dontaudit surfaceflinger unlabeled:dir search;
diff --git a/private/system_server.te b/private/system_server.te
index f35f9a8..d76a2a8 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -965,7 +965,7 @@
# Allow statfs() on storage devices, which happens fast enough that
# we shouldn't be killed during unsafe removal
-allow system_server sdcard_type:dir { getattr search };
+allow system_server { sdcard_type fuse }:dir { getattr search };
# Traverse into expanded storage
allow system_server mnt_expand_file:dir r_dir_perms;
@@ -1159,8 +1159,8 @@
# Do not allow opening files from external storage as unsafe ejection
# could cause the kernel to kill the system_server.
-neverallow system_server sdcard_type:dir { open read write };
-neverallow system_server sdcard_type:file rw_file_perms;
+neverallow system_server { sdcard_type fuse }:dir { open read write };
+neverallow system_server { sdcard_type fuse }:file rw_file_perms;
# system server should never be operating on zygote spawned app data
# files directly. Rather, they should always be passed via a
diff --git a/private/zygote.te b/private/zygote.te
index dd42a81..de64c8f 100644
--- a/private/zygote.te
+++ b/private/zygote.te
@@ -152,8 +152,8 @@
allow zygote storage_file:dir { search mounton };
# Allow mounting and creating files, dirs on sdcardfs.
-allow zygote { sdcard_type }:dir { create_dir_perms mounton };
-allow zygote { sdcard_type }:file { create_file_perms };
+allow zygote { sdcard_type fuse }:dir { create_dir_perms mounton };
+allow zygote { sdcard_type fuse }:file { create_file_perms };
# Handle --invoke-with command when launching Zygote with a wrapper command.
allow zygote zygote_exec:file rx_file_perms;