Allow MediaProvider to host FUSE devices.
This change is part of enabling upcoming platform changes that are
described in the bug linked below.
Bug: 135341433
Test: m
Change-Id: I6ef499b0d5aa403f8eb6699649a201d8cc004bc5
diff --git a/private/app_neverallows.te b/private/app_neverallows.te
index be0a598..d496e90 100644
--- a/private/app_neverallows.te
+++ b/private/app_neverallows.te
@@ -137,8 +137,8 @@
')
}:dir_file_class_set { create unlink };
-# No untrusted component should be touching /dev/fuse
-neverallow all_untrusted_apps fuse_device:chr_file *;
+# No untrusted component except mediaprovider should be touching /dev/fuse
+neverallow { all_untrusted_apps -mediaprovider } fuse_device:chr_file *;
# Do not allow untrusted apps to directly open the tun_device
neverallow all_untrusted_apps tun_device:chr_file open;
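Review bot: The new `neverallow { all_untrusted_apps -mediaprovider } fuse_device:chr_file *;` exempts mediaprovider from every chr_file permission, so this file no longer bounds what a later allow rule may grant that domain on /dev/fuse. The rewritten comment names the exception but not the reason; consider `# mediaprovider is exempt because it hosts the FUSE daemon (b/135341433); keep its fuse_device allow rule minimal.` If the permissions mediaprovider needs are known, a companion rule such as `neverallow mediaprovider fuse_device:chr_file ~{ <needed perms> };` would keep a compile-time ceiling, with the permission set taken from the actual allow rule. That allow rule is not part of this hunk, so its scope cannot be checked from here.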