Add fusefs_type for FUSE filesystems

Any FUSE filesystem will receive the 'fuse' type when mounted. It is
possible to change this behaviour by specifying the "context=" or
"fscontext=" option in mount().

Because 'fuse' has historically been used only for the emulated storage,
it also received the 'sdcard_type' attribute. Replace the 'sdcard_type'
attribute from 'fuse' with the new 'fusefs_type'. This attribute can be
attached to derived types (such as app_fusefs).

This change:
- Remove the neverallow restriction on this new type. This means any
  custom FUSE implementation can be mounted/unmounted (if the correct
  allow rule is added). See domain.te.
- Change the attribute of 'fuse' from 'sdcard_type' to 'fusefs_type'.
  See file.te.
- Modify all references to 'sdcard_type' to explicitly include 'fuse'
  for compatibility reasons.

Bug: 177481425
Bug: 190804537
Test: Build and boot aosp_cf_x86_64_phone-userdebug
Change-Id: Id4e410a049f72647accd4c3cf43eaa55e94c318f
diff --git a/private/ephemeral_app.te b/private/ephemeral_app.te
index e004891..3b916e2 100644
--- a/private/ephemeral_app.te
+++ b/private/ephemeral_app.te
@@ -17,7 +17,7 @@
 app_domain(ephemeral_app)
 
 # Allow ephemeral apps to read/write files in visible storage if provided fds
-allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
+allow ephemeral_app { sdcard_type fuse media_rw_data_file }:file {read write getattr ioctl lock append};
 
 # Some apps ship with shared libraries and binaries that they write out
 # to their sandbox directory and then execute.
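Review bot: The comment above the changed allow rule still says only "visible storage" and gives no reason why `fuse` is now listed next to `sdcard_type`. Since the commit message says `fuse` loses the `sdcard_type` attribute, a short comment here (for example, that `fuse` is the emulated storage type and is named explicitly because it is no longer part of `sdcard_type`) would keep a later cleanup from dropping it as redundant. Naming the `fuse` type rather than the `fusefs_type` attribute looks right for an allow rule, since it keeps derived FUSE types out of the grant.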
@@ -87,8 +87,8 @@
 neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
 
 # Directly access external storage
-neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create};
-neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search;
+neverallow ephemeral_app { sdcard_type fuse media_rw_data_file }:file {open create};
+neverallow ephemeral_app { sdcard_type fuse media_rw_data_file }:dir search;
 
 # Avoid reads to proc_net, it contains too much device wide information about
 # ongoing connections.
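Review bot: Both neverallow rules under "Directly access external storage" name the `fuse` type only, so a type that carries the new `fusefs_type` attribute (the commit message mentions app_fusefs) is not covered by them. If ephemeral_app should never open, create or search anything on a FUSE filesystem directly, use `fusefs_type` in the set instead of `fuse`; if restricting only `fuse` is intended to preserve the previous behaviour, say so in the comment above the rules.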