# Compartmentalized domain specifically for mounting fuseblk filesystems.
# We need this to not grant fuseblkd_untrusted sys_admin permissions.
#
# This domain exists only to hold sys_admin and perform the mount/unmount
# on behalf of fuseblkd_untrusted; the neverallow rules at the bottom pin
# the entry path so the capability is reachable solely via a transition
# from fuseblkd_untrusted through the fuseblkd_exec binary.
type fuseblkd_exec, system_file_type, exec_type, file_type;
type fuseblkd, domain;

typeattribute fuseblkd coredomain;

# Required for mount and unmounting. We can't minimize this permission,
# even though we only allow mount/unmount.
# sys_admin is the privilege this domain was split out to isolate; it is the
# only capability granted in this file, keep it that way.
allow fuseblkd self:global_capability_class_set sys_admin;

# Permissions for the fuseblk filesystem.
allow fuseblkd fuse_device:chr_file rw_file_perms;
# Only mount/unmount of the fuseblk filesystem type is allowed; no other
# filesystem permissions are granted here.
allow fuseblkd fuseblk:filesystem { mount unmount };
# Use file descriptors received from fuseblkd_untrusted (presumably the
# opened fuse_device fd handed over for the mount; confirm against the
# fuseblkd_untrusted side).
allow fuseblkd fuseblkd_untrusted:fd use;

# Look through block devices to find the correct one.
# NOTE: this is directory search only; no blk_file permission on the block
# devices themselves is granted in this file.
allow fuseblkd block_device:dir search;

# Permissions to mount on the media_rw directory for USB drives.
# The parent directory is traversable only; mounton is limited to the stub
# directory type.
allow fuseblkd mnt_media_rw_file:dir search;
allow fuseblkd mnt_media_rw_stub_file:dir mounton;

###
### neverallow rules
###

# Only allow entry from fuseblkd_untrusted, and only through fuseblkd_exec binary.
# No other domain may transition into fuseblkd.
neverallow { domain -fuseblkd_untrusted } fuseblkd:process transition;
# No domain at all may dyntransition into fuseblkd.
neverallow * fuseblkd:process dyntransition;
# fuseblkd_exec is the sole permitted entrypoint file for this domain.
neverallow fuseblkd { file_type fs_type -fuseblkd_exec }:file entrypoint;