| Inseob Kim | e138997 | 2021-07-19 07:48:34 +0000 | [diff] [blame] | 1 | # zipfuse is a FUSE daemon running in the microdroid. It mounts |
| 2 | # /dev/block/by-name/microdroid-apk whose content is from an apk file on |
| 3 | # /mnt/apk so that the entries in the apk file are seen as regular files. See |
| 4 | # packages/modules/Virtualization/zipfuse. |
| 5 | |
| 6 | type zipfuse, domain, coredomain; |
| 7 | type zipfuse_exec, exec_type, file_type, system_file_type; |
| 8 | |
| 9 | # allow domain transition from init |
| 10 | init_daemon_domain(zipfuse) |
| 11 | |
| Jooyung Han | 53c773a | 2021-09-09 18:21:47 +0900 | [diff] [blame] | 12 | # zipfuse is using bootstrap bionic |
| 13 | allow zipfuse system_bootstrap_lib_file:dir r_dir_perms; |
| 14 | allow zipfuse system_bootstrap_lib_file:file { execute read open getattr map }; |
| 15 | |
| Inseob Kim | e138997 | 2021-07-19 07:48:34 +0000 | [diff] [blame] | 16 | # allow basic rules to implement FUSE |
| 17 | allow zipfuse fuse_device:chr_file rw_file_perms; |
| 18 | allow zipfuse self:global_capability_class_set sys_admin; |
| 19 | |
| 20 | # allow access to /dev/vd* block device files and also access to the symlinks |
| 21 | # /dev/block/by-name/* |
| 22 | allow zipfuse block_device:dir r_dir_perms; |
| 23 | allow zipfuse block_device:lnk_file r_file_perms; |
| 24 | |
| 25 | # /dev/block/by-name/microdroid-apk is mapped to /dev/block/dm-* |
| 26 | allow zipfuse dm_device:blk_file r_file_perms; |
| 27 | |
| 28 | # allow mounting on /mnt/apk |
| 29 | allow zipfuse tmpfs:dir mounton; |
| 30 | |
| 31 | # allow mounting with fscontext=u:object_r:zipfusefs:s0 |
| 32 | type zipfusefs, fs_type, contextmount_type; |
| 33 | allow zipfuse fuse:filesystem relabelfrom; |
| 34 | allow zipfuse zipfusefs:filesystem { mount relabelfrom relabelto }; |
| 35 | |
| 36 | # allow mounting with context=u:object_r:system_file:s0 so that files provided |
| 37 | # by zipfuse are treated the same as the other files in /system or /apex |
| 38 | allow system_file zipfusefs:filesystem associate; |