Add new rules for appfuse.
The new rules allow a FUSE file system to be mounted on behalf of a priv-app.
Change-Id: I5ce2d261be501e2b3fef09b7666f1e5d1cddbe52
diff --git a/device.te b/device.te
index 880212c..06006b2 100644
--- a/device.te
+++ b/device.te
@@ -41,7 +41,7 @@
type video_device, dev_type;
type vcs_device, dev_type;
type zero_device, dev_type, mlstrustedobject;
-type fuse_device, dev_type;
+type fuse_device, dev_type, mlstrustedobject;
type iio_device, dev_type;
type ion_device, dev_type, mlstrustedobject;
type gps_device, dev_type;
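Review bot: The `mlstrustedobject` attribute added to fuse_device on the changed line exempts the device from the MLS constraints for every subject, not only the AppFuse participants, and the hunk gives no reason for it. Presumably it is needed because the /dev/fuse fd opened by vold (running at s0) is read and written from priv_app domains that carry per-user MLS categories; if that is the reason, record it in place: `type fuse_device, dev_type, mlstrustedobject; # AppFuse: fd is shared with app domains that carry MLS categories`. If the fd is in fact only used from s0 domains, the attribute is unnecessary and should be dropped rather than widening the exemption.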
diff --git a/domain.te b/domain.te
index 79fb9c6..7b44fb5 100644
--- a/domain.te
+++ b/domain.te
@@ -517,3 +517,22 @@
# more specific label.
# TODO: fix system_server and dumpstate
neverallow { domain -init -system_server -dumpstate } debugfs:file no_rw_file_perms;
+
+neverallow {
+ domain
+ -init
+ -recovery
+ -sdcardd
+ -vold
+} fuse_device:chr_file open;
+neverallow {
+ domain
+ -dumpstate
+ -init
+ -priv_app
+ -recovery
+ -sdcardd
+ -system_server
+ -ueventd
+ -vold
+} fuse_device:chr_file *;
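Review bot: The two new neverallow blocks carry no comment, unlike the rule just above them, and the model they enforce — only vold, sdcardd, init and recovery may open /dev/fuse, while priv_app and system_server may only use an fd vold has already opened and passed to them — is not obvious from the exclusion lists alone. Add a comment before the first block, e.g. `# Only vold (plus sdcardd/recovery/init) may open /dev/fuse. AppFuse clients such as priv_app and system_server must receive the already-open fd from vold.`, and one before the second block saying why dumpstate and ueventd are exempted. Exempting dumpstate from the `*` rule grants it nothing by itself but does weaken the guarantee; if it only needs `getattr` on the device node, consider excluding that permission from the rule (`~getattr`) instead of excluding the domain.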
diff --git a/priv_app.te b/priv_app.te
index 2ff9a37..6617feb 100644
--- a/priv_app.te
+++ b/priv_app.te
@@ -64,6 +64,10 @@
# the system partition
allow priv_app exec_type:file getattr;
+# For AppFuse.
+allow priv_app vold:fd use;
+allow priv_app fuse_device:chr_file { read write };
+
###
### neverallow rules
###
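Review bot: The `vold:fd use` grant on the second added line is not limited to FUSE descriptors — the fd class has no finer granularity — so priv_app may use any fd vold hands it, and the safety of the scheme rests on vold passing only the /dev/fuse fd it opened for that app; the one-line `# For AppFuse.` comment should say so. With `read write` on fuse_device the priv_app is the FUSE server for the mount, so any process that touches the mount point consumes app-controlled data and can block on the app; that is acceptable only if vold mounts it nosuid,nodev,noexec and nothing outside the intended client walks it, which policy cannot express and this hunk does not document. Suggested replacement comment: `# AppFuse: priv_app never opens /dev/fuse itself (neverallow in domain.te); it serves FUSE requests on an fd that vold opened and passed to it.`. Note that priv_app is deliberately not given `ioctl` while system_server is in the same change; if that is intended, state it here.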
diff --git a/system_server.te b/system_server.te
index 2616c46..2a1d761 100644
--- a/system_server.te
+++ b/system_server.te
@@ -434,6 +434,10 @@
allow system_server method_trace_data_file:file { create w_file_perms };
')
+# For AppFuse.
+allow system_server vold:fd use;
+allow system_server fuse_device:chr_file { read write ioctl };
+
###
### Neverallow rules
###
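Review bot: The `ioctl` permission on the second added line is unrestricted and the comment does not say which ioctl system_server issues on the FUSE fd, while priv_app gets only `read write` in the same change, so the asymmetry needs explaining. If this policy already uses extended-permission rules elsewhere, restrict it to the one request that is needed, `allowxperm system_server fuse_device:chr_file ioctl { <the needed ioctl> };`, rather than granting the whole ioctl space; otherwise at least name the intended ioctl in the comment. As in priv_app.te, `vold:fd use` covers any fd vold passes, so the comment should state that system_server only receives the FUSE fd from vold and never opens the device itself, as the neverallow in domain.te enforces.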
diff --git a/vold.te b/vold.te
index c8952af..35e502f 100644
--- a/vold.te
+++ b/vold.te
@@ -164,6 +164,9 @@
allow vold self:capability sys_chroot;
allow vold storage_file:dir mounton;
+# For AppFuse.
+allow vold fuse_device:chr_file rw_file_perms;
+
neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
neverallow { domain -vold -init } vold_data_file:dir *;
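Review bot: The added `rw_file_perms` rule makes vold the only domain that both opens /dev/fuse and hands the fd out, yet the comment does not say where the resulting filesystem is mounted or which domains are expected to reach it; the existing `storage_file:dir mounton` above may or may not be the target. Because the FUSE server is an app, the mount should be made nosuid,nodev,noexec and kept out of paths that system daemons traverse, and that expectation belongs next to the rule: `# AppFuse: vold opens /dev/fuse, mounts the filesystem and passes the fd to the serving priv_app or system_server; no other domain may open the device (see domain.te).`. Whether vold needs an additional mounton target type for the AppFuse mount point cannot be seen from this hunk.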