Add SELinux label for app fuse.
The labels for the filesystem and its files are assigned by vold using the
context= mount option.
Change-Id: I8a9d701a46a333093a27107fc3c52b17a2af1a94
diff --git a/app.te b/app.te
index 6ad58a6..993c025 100644
--- a/app.te
+++ b/app.te
@@ -209,6 +209,9 @@
allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;
+# For app fuse.
+allow appdomain app_fuse_file:file { getattr read append write };
+
###
### CTS-specific rules
###
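Review bot: The comment `# For app fuse.` does not record that `open` is deliberately left out of the new `app_fuse_file:file` rule, so a later edit could widen it to `rw_file_perms` without anyone noticing the change in trust model. As written, an app can only use a descriptor it was handed and cannot open an appfuse path itself; the same applies to the `{ read getattr }` rule added in mediaserver.te. I would state that in both places, e.g. `# No open: appfuse files are reachable only through FDs passed to this domain.` The rule also covers all of `appdomain`, while the line directly above excludes `isolated_app`; if isolated processes are not meant to receive these descriptors, use `{ appdomain -isolated_app }` here as well.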
diff --git a/file.te b/file.te
index 81ff887..d205c56 100644
--- a/file.te
+++ b/file.te
@@ -50,6 +50,7 @@
type oemfs, fs_type, contextmount_type;
type usbfs, fs_type;
type binfmt_miscfs, fs_type;
+type app_fusefs, fs_type, contextmount_type;
# File types
type unlabeled, file_type;
@@ -169,6 +170,8 @@
type bluetooth_efs_file, file_type;
# Type for fingerprint template file.
type fingerprintd_data_file, file_type, data_file_type;
+# Type for appfuse file.
+type app_fuse_file, file_type, data_file_type;
# Socket types
type adbd_socket, file_type;
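Review bot: Giving `app_fuse_file` the `data_file_type` attribute means every existing rule written against that attribute now also applies to files on the appfuse mount, whose contents are presumably supplied by the priv_app side that holds `fuse_device`. Those attribute-wide rules are not visible in this diff, so it is worth checking which domains gain access this way and whether each of them should. If the attribute is only there by convention, `type app_fuse_file, file_type;` would keep the new type reachable solely through the explicit allows added in this change.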
@@ -211,6 +214,7 @@
allow file_type tmpfs:filesystem associate;
allow file_type rootfs:filesystem associate;
allow dev_type tmpfs:filesystem associate;
+allow app_fuse_file app_fusefs:filesystem associate;
# It's a bug to assign the file_type attribute and fs_type attribute
# to any type. Do not allow it.
diff --git a/mediaserver.te b/mediaserver.te
index 6006f02..7e20002 100644
--- a/mediaserver.te
+++ b/mediaserver.te
@@ -66,6 +66,9 @@
allow mediaserver audio_data_file:dir ra_dir_perms;
allow mediaserver audio_data_file:file create_file_perms;
+# Grant access to read files on appfuse.
+allow mediaserver app_fuse_file:file { read getattr };
+
# Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
allow mediaserver qtaguid_proc:file rw_file_perms;
allow mediaserver qtaguid_device:chr_file r_file_perms;
diff --git a/priv_app.te b/priv_app.te
index 68b588c..e300d45 100644
--- a/priv_app.te
+++ b/priv_app.te
@@ -67,6 +67,8 @@
# For AppFuse.
allow priv_app vold:fd use;
allow priv_app fuse_device:chr_file { read write };
+allow priv_app app_fuse_file:dir rw_dir_perms;
+allow priv_app app_fuse_file:file rw_file_perms;
# /sys access
allow priv_app sysfs_zram:dir search;
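Review bot: `rw_dir_perms` on `app_fuse_file:dir` grants `add_name`, `remove_name` and `write`, but nothing in this change lets priv_app `create` or `unlink` an `app_fuse_file` file, so the write half of the directory grant looks unused. If priv_app only needs to search and list entries on the mount, `allow priv_app app_fuse_file:dir r_dir_perms;` is the narrower fit. The file rule also includes `open` for every priv_app, so separation between different apps' appfuse mounts is not enforced by this type and has to come from elsewhere (presumably DAC or mount placement); a comment saying so would help the next reader.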
diff --git a/vold.te b/vold.te
index 67e461a..9a1ccfe 100644
--- a/vold.te
+++ b/vold.te
@@ -174,6 +174,9 @@
# For AppFuse.
allow vold fuse_device:chr_file rw_file_perms;
+allow vold fuse:filesystem { relabelfrom };
+allow vold app_fusefs:filesystem { relabelfrom relabelto };
+allow vold app_fusefs:filesystem { mount unmount };
# coldboot of /sys/block
allow vold sysfs_zram:dir r_dir_perms;
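Review bot: `relabelfrom` on `app_fusefs:filesystem` looks broader than a `context=` mount needs. The mount relabels from the filesystem's default type (`fuse`, covered by the first added line) to `app_fusefs`, which should need only `relabelto` on the latter. Unless vold later remounts an appfuse filesystem under a different context, the two `app_fusefs` lines could be merged into `allow vold app_fusefs:filesystem { relabelto mount unmount };`. A short comment tying the relabel permissions to the `context=` option named in the commit message would also help, since `# For AppFuse.` alone does not explain them.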