Gitiles
Code Review Sign In
gerrit.omnirom.org / android_system_sepolicy / 9ec532752d38812ab32fca14e0965c0548a38fa1^! / . / private / isolated_app.te
commit9ec532752d38812ab32fca14e0965c0548a38fa1[log] [tgz]
authorThiƩbaud Weksteen <tweek@google.com>Wed Jun 23 10:21:49 2021 +0200
committerThiƩbaud Weksteen <tweek@google.com>Mon Jun 28 13:18:46 2021 +0200
tree5b4a66deac732d58e83c29fcf3ebf20548ace6fe
parent2dd76a76f33db930592bb9180eb9a4432228ad6a [diff] [blame]
Add fusefs_type for FUSE filesystems

Any FUSE filesystem will receive the 'fuse' type when mounted. It is
possible to change this behaviour by specifying the "context=" or
"fscontext=" option in mount().

Because 'fuse' has historically been used only for the emulated storage,
it also received the 'sdcard_type' attribute. Replace the 'sdcard_type'
attribute from 'fuse' with the new 'fusefs_type'. This attribute can be
attached on derived types (such as app_fusefs).

This change:
- Remove the neverallow restriction on this new type. This means any
  custom FUSE implementation can be mounted/unmounted (if the correct
  allow rule is added). See domain.te.
- Change the attribute of 'fuse' from 'sdcard_type' to 'fusefs_type'.
  See file.te.
- Modify all references to 'sdcard_type' to explicitly include 'fuse'
  for compatibility reason.

Bug: 177481425
Bug: 190804537
Test: Build and boot aosp_cf_x86_64_phone-userdebug
Change-Id: Id4e410a049f72647accd4c3cf43eaa55e94c318f

diff --git a/private/isolated_app.te b/private/isolated_app.te
index 71749c0..800775b 100644
--- a/private/isolated_app.te
+++ b/private/isolated_app.te

@@ -33,7 +33,7 @@
 # neverallow rules below.
 # media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
 # is modified to change the secontext when accessing the lower filesystem.
-allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock map };
+allow isolated_app { sdcard_type fuse media_rw_data_file }:file { read write append getattr lock map };
 
 # For webviews, isolated_app processes can be forked from the webview_zygote
 # in addition to the zygote. Allow access to resources inherited from the
@@ -110,10 +110,10 @@
 
 # Do not allow isolated_app to access external storage, except for files passed
 # via file descriptors (b/32896414).
-neverallow isolated_app { storage_file mnt_user_file sdcard_type }:dir ~getattr;
+neverallow isolated_app { storage_file mnt_user_file sdcard_type fuse }:dir ~getattr;
 neverallow isolated_app { storage_file mnt_user_file }:file_class_set *;
-neverallow isolated_app sdcard_type:{ devfile_class_set lnk_file sock_file fifo_file } *;
-neverallow isolated_app sdcard_type:file ~{ read write append getattr lock map };
+neverallow isolated_app { sdcard_type fuse }:{ devfile_class_set lnk_file sock_file fifo_file } *;
+neverallow isolated_app { sdcard_type fuse }:file ~{ read write append getattr lock map };
 
 # Do not allow USB access
 neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;