Allow init to stat the root directory of FUSE filesystems. init has a mount handler that stats mount-points for block devices; on devices without sdcardfs, that handler will stat the FUSE filesystem, since we have a bindmount on FUSE to the lower filesystem, which is an actual block device. Test: no more denial on cf without sdcardfs Change-Id: Idb351f5ccba00440f4f8b39616de76336bb81a1b

commit: a0fa53ead6783ac24512a3e235430e92b2739e57 [log] [tgz]
author: Martijn Coenen <maco@google.com> Fri Feb 14 17:14:09 2020 +0100
committer: Martijn Coenen <maco@google.com> Fri Feb 14 17:17:36 2020 +0100
tree: 89d1e1d4f4575fc4501fb87e0de120a3d732c7aa
parent: 2ddfad3709f6499f87e162eb803256c797e0f634 [diff]
diff --git a/public/init.te b/public/init.te
index 19c7e4b..cfca727 100644
--- a/public/init.te
+++ b/public/init.te

@@ -574,6 +574,9 @@
 allow init system_bootstrap_lib_file:dir r_dir_perms;
 allow init system_bootstrap_lib_file:file { execute read open getattr map };
 
+# stat the root dir of fuse filesystems (for the mount handler)
+allow init fuse:dir { search getattr };
+
 ###
 ### neverallow rules
 ###
commit	a0fa53ead6783ac24512a3e235430e92b2739e57	[log] [tgz]
author	Martijn Coenen <maco@google.com>	Fri Feb 14 17:14:09 2020 +0100
committer	Martijn Coenen <maco@google.com>	Fri Feb 14 17:17:36 2020 +0100
tree	89d1e1d4f4575fc4501fb87e0de120a3d732c7aa
parent	2ddfad3709f6499f87e162eb803256c797e0f634 [diff]