Allow zipfuse to mount /dev/vd* on /mnt/apk

zipfuse is a FUSE implementation that runs in microdroid. In the virtual
machine, it reads a block device (/dev/vd* via the symlink
/dev/block/by-name/microdroid-apk) whose content is read from an apk
on the host side. Then it makes the entries in the zip file (apk is
also a zip) available as regular files in the virtual machine.

Note that the filesystem is mounted as default 'fuse:filesystem' because
it's mounted without the `fcontext` option, which is due to the libfuse
library we are importing from crosvm (b/188400186).

Bug: 188388851
Test: atest MicrodroidHostTestCases
Change-Id: Ide9bac88088535f4f335f2725fa929d23015e6e1
diff --git a/private/domain.te b/private/domain.te
index b91d36d..5a1eab1 100644
--- a/private/domain.te
+++ b/private/domain.te
@@ -367,6 +367,7 @@
     -update_engine
     -vold
     -zygote
+    -zipfuse
 } { fs_type
     -sdcard_type
 }:filesystem { mount remount relabelfrom relabelto };
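Review bot: The `-zipfuse` exemption here covers `mount remount relabelfrom relabelto` on every `fs_type` except `sdcard_type`, which is much wider than what zipfuse.te actually grants (only `fuse:filesystem mount`, and only inside `userdebug_or_eng`). Please add a comment next to the entry tying it to b/188400186 so it is revisited once the filesystem gets its own label, and consider whether the exemption can be dropped or narrowed at that point. Minor style point: the surrounding entries look alphabetical, so `-zipfuse` would sit before `-zygote`.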
diff --git a/private/zipfuse.te b/private/zipfuse.te
new file mode 100644
index 0000000..9d5faad
--- /dev/null
+++ b/private/zipfuse.te
@@ -0,0 +1,34 @@
+# zipfuse is a FUSE daemon running in the microdroid. It mounts
+# /dev/block/by-name/microdroid-apk whose content is from an apk file on
+# /mnt/apk so that the entries in the apk file are seen as regular files. See
+# packages/modules/Virtualization/zipfuse.
+
+type zipfuse, domain, coredomain;
+type zipfuse_exec, exec_type, file_type, system_file_type;
+
+# allow domain transition from init
+init_daemon_domain(zipfuse)
+
+# allow basic rules to implement FUSE
+allow zipfuse fuse_device:chr_file rw_file_perms;
+allow zipfuse self:global_capability_class_set sys_admin;
+
+# allow access to /dev/vd* block device files and also access to the symlinks
+# /dev/block/by-name/*
+allow zipfuse block_device:dir r_dir_perms;
+allow zipfuse block_device:lnk_file r_file_perms;
+allow zipfuse vd_device:blk_file r_file_perms;
+
+# allow mounting on /mnt/apk
+allow zipfuse tmpfs:dir mounton;
+
+# TODO(b/188400186) uncomment the following when this filesystem is mounted with
+# fscontext=u:object_r:zipfusefs:s0
+# type zipfusefs, fs_type, contextmount_type;
+# allow zipfuse fuse:filesystem relabelfrom;
+# allow zipfuse zipfusefs:filesystem { mount relabelfrom relabelto };
+
+# TODO(b/188400186) remove this when this filesystem is mounted with correct fcontext
+userdebug_or_eng(`
+  allow zipfuse fuse:filesystem mount;
+')
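Review bot: The only active mount permission, `allow zipfuse fuse:filesystem mount;` at the end of the file, is wrapped in `userdebug_or_eng`, so on a user build zipfuse has no rule allowing the mount, and the commented-out `zipfusefs` rules are not in effect either. If user builds are expected to work before b/188400186 is resolved, say so in the TODO or state explicitly that this is debug-only for now. Separately, `allow zipfuse tmpfs:dir mounton;` permits mounting on any directory labelled `tmpfs`, while the comment above it says /mnt/apk only; a dedicated type for that mount point would make the rule match the comment. The commit message says `fcontext` while the TODO here says `fscontext=`; it would help to use one spelling in both places.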