Allow MediaProvider to host FUSE devices.
This change is part of enabling upcoming platform changes that are
described in the bug linked below.
Bug: 135341433
Test: m
Change-Id: I6ef499b0d5aa403f8eb6699649a201d8cc004bc5
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index be0a598..d496e90 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -137,8 +137,8 @@
')
}:dir_file_class_set { create unlink };
-# No untrusted component should be touching /dev/fuse
-neverallow all_untrusted_apps fuse_device:chr_file *;
+# No untrusted component except mediaprovider should be touching /dev/fuse
+neverallow { all_untrusted_apps -mediaprovider } fuse_device:chr_file *;
# Do not allow untrusted apps to directly open the tun_device
neverallow all_untrusted_apps tun_device:chr_file open;
diff --git a/private/mediaprovider.te b/private/mediaprovider.te
index 30d3fe0..6926412 100644
--- a/private/mediaprovider.te
+++ b/private/mediaprovider.te
@@ -34,6 +34,9 @@
# MtpServer uses /dev/mtp_usb
allow mediaprovider mtp_device:chr_file rw_file_perms;
+# Fuse daemon
+allow mediaprovider fuse_device:chr_file { read write ioctl getattr };
+
# MtpServer uses /dev/usb-ffs/mtp
allow mediaprovider functionfs:dir search;
allow mediaprovider functionfs:file rw_file_perms;