Add sepolicy for FUSE control filesystem.

To allow vold to hard-abort FUSE mounts through it.

Bug: 153411204
Test: vold can access it
Merged-In: I334eaf3459905c27d614db8eda18c27e62bea5fa
Change-Id: I334eaf3459905c27d614db8eda18c27e62bea5fa
diff --git a/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil b/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
index e54aa77..354e182 100644
--- a/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
+++ b/prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil
@@ -45,6 +45,7 @@
     exported_camera_prop
     file_integrity_service
     fwk_automotive_display_hwservice
+    fusectlfs
     gmscore_app
     hal_can_bus_hwservice
     hal_can_controller_hwservice
diff --git a/prebuilts/api/30.0/private/genfs_contexts b/prebuilts/api/30.0/private/genfs_contexts
index b423e64..51f2ce7 100644
--- a/prebuilts/api/30.0/private/genfs_contexts
+++ b/prebuilts/api/30.0/private/genfs_contexts
@@ -98,6 +98,8 @@
 genfscon proc /vmstat u:object_r:proc_vmstat:s0
 genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
 
+genfscon fusectl / u:object_r:fusectlfs:s0
+
 # selinuxfs booleans can be individually labeled.
 genfscon selinuxfs / u:object_r:selinuxfs:s0
 genfscon cgroup / u:object_r:cgroup:s0
diff --git a/prebuilts/api/30.0/public/domain.te b/prebuilts/api/30.0/public/domain.te
index 6d0faa4..83b9d8a 100644
--- a/prebuilts/api/30.0/public/domain.te
+++ b/prebuilts/api/30.0/public/domain.te
@@ -1295,6 +1295,9 @@
 # Do not allow executable files in debugfs.
 neverallow domain debugfs_type:file { execute execute_no_trans };
 
+# Don't allow access to the FUSE control filesystem, except to vold and init's
+neverallow { domain -vold -init -vendor_init } fusectlfs:file no_rw_file_perms;
+
 # Profiles contain untrusted data and profman parses that. We should only run
 # in from installd forked processes.
 neverallow {
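Review bot: The comment above the new neverallow is cut off mid-sentence (`# Don't allow access to the FUSE control filesystem, except to vold and init's`), and it does not mention that vendor_init is exempted as well; suggested wording: `# Don't allow access to the FUSE control filesystem, except to vold (which hard-aborts FUSE mounts) and init/vendor_init.` The rule itself constrains only the `file` class, so `search`/`read`/`getattr` on fusectlfs directories by other domains is not forbidden; that may be intended, since the sensitive operation is writing the control files, but if enumeration of FUSE connections should be confined too the neverallow needs a matching `fusectlfs:dir` clause. The same comment and rule are added to public/domain.te in the later hunk of this patch.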
diff --git a/prebuilts/api/30.0/public/file.te b/prebuilts/api/30.0/public/file.te
index 462e71d..7f56d9a 100644
--- a/prebuilts/api/30.0/public/file.te
+++ b/prebuilts/api/30.0/public/file.te
@@ -75,6 +75,7 @@
 type proc_vmstat, fs_type, proc_type;
 type proc_zoneinfo, fs_type, proc_type;
 type selinuxfs, fs_type, mlstrustedobject;
+type fusectlfs, fs_type;
 type cgroup, fs_type, mlstrustedobject;
 type cgroup_bpf, fs_type;
 type sysfs, fs_type, sysfs_type, mlstrustedobject;
diff --git a/prebuilts/api/30.0/public/vold.te b/prebuilts/api/30.0/public/vold.te
index 400e32a..c1e8e07 100644
--- a/prebuilts/api/30.0/public/vold.te
+++ b/prebuilts/api/30.0/public/vold.te
@@ -202,6 +202,10 @@
 allow vold unlabeled:dir { r_dir_perms setattr relabelfrom };
 allow vold unlabeled:file { r_file_perms setattr relabelfrom };
 
+# Access to FUSE control filesystem to hard-abort FUSE mounts
+allow vold fusectlfs:file rw_file_perms;
+allow vold fusectlfs:dir rw_dir_perms;
+
 # Handle wake locks (used for device encryption)
 wakelock_use(vold)
 
diff --git a/private/compat/29.0/29.0.ignore.cil b/private/compat/29.0/29.0.ignore.cil
index 40e91e2..50bd5ab 100644
--- a/private/compat/29.0/29.0.ignore.cil
+++ b/private/compat/29.0/29.0.ignore.cil
@@ -46,6 +46,7 @@
     fastbootd_protocol_prop
     file_integrity_service
     fwk_automotive_display_hwservice
+    fusectlfs
     gmscore_app
     gnss_device
     hal_can_bus_hwservice
diff --git a/private/genfs_contexts b/private/genfs_contexts
index b423e64..51f2ce7 100644
--- a/private/genfs_contexts
+++ b/private/genfs_contexts
@@ -98,6 +98,8 @@
 genfscon proc /vmstat u:object_r:proc_vmstat:s0
 genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
 
+genfscon fusectl / u:object_r:fusectlfs:s0
+
 # selinuxfs booleans can be individually labeled.
 genfscon selinuxfs / u:object_r:selinuxfs:s0
 genfscon cgroup / u:object_r:cgroup:s0
diff --git a/public/domain.te b/public/domain.te
index 3adfcb5..56bf546 100644
--- a/public/domain.te
+++ b/public/domain.te
@@ -1305,6 +1305,9 @@
 # Do not allow executable files in debugfs.
 neverallow domain debugfs_type:file { execute execute_no_trans };
 
+# Don't allow access to the FUSE control filesystem, except to vold and init's
+neverallow { domain -vold -init -vendor_init } fusectlfs:file no_rw_file_perms;
+
 # Profiles contain untrusted data and profman parses that. We should only run
 # in from installd forked processes.
 neverallow {
diff --git a/public/file.te b/public/file.te
index 8f6b8eb..3a416e4 100644
--- a/public/file.te
+++ b/public/file.te
@@ -75,6 +75,7 @@
 type proc_vmstat, fs_type, proc_type;
 type proc_zoneinfo, fs_type, proc_type;
 type selinuxfs, fs_type, mlstrustedobject;
+type fusectlfs, fs_type;
 type cgroup, fs_type, mlstrustedobject;
 type cgroup_bpf, fs_type;
 type sysfs, fs_type, sysfs_type, mlstrustedobject;
diff --git a/public/vold.te b/public/vold.te
index 400e32a..c1e8e07 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -202,6 +202,10 @@
 allow vold unlabeled:dir { r_dir_perms setattr relabelfrom };
 allow vold unlabeled:file { r_file_perms setattr relabelfrom };
 
+# Access to FUSE control filesystem to hard-abort FUSE mounts
+allow vold fusectlfs:file rw_file_perms;
+allow vold fusectlfs:dir rw_dir_perms;
+
 # Handle wake locks (used for device encryption)
 wakelock_use(vold)