# zipfuse is a FUSE daemon running in the microdroid. It mounts
# /dev/block/by-name/microdroid-apk whose content is from an apk file on
# /mnt/apk so that the entries in the apk file are seen as regular files. See
# packages/modules/Virtualization/zipfuse.
#
# Every block-device and apk-file grant below is read-only (r_file_perms,
# r_dir_perms, r_dir_file); the only write access given is to the FUSE device,
# the kernel log devices and one property.

type zipfuse, domain, coredomain;
type zipfuse_exec, exec_type, file_type, system_file_type;

# zipfuse is using bootstrap bionic
use_bootstrap_libs(zipfuse)

# allow basic rules to implement FUSE
allow zipfuse fuse_device:chr_file rw_file_perms;
# sys_admin is a broad capability; it is presumably needed here only for the
# mount itself -- confirm before granting this domain anything further. What
# the daemon can reach with it is still limited to the types allowed in this
# file.
allow zipfuse self:global_capability_class_set sys_admin;

# allow access to /dev/vd* block device files and also access to the symlinks
# /dev/block/by-name/*
# NOTE(review): the two rules below cover only directories and symlinks labelled
# block_device. No blk_file access on block_device is granted in this file; the
# only block node zipfuse may read is dm_device (next rule).
allow zipfuse block_device:dir r_dir_perms;
allow zipfuse block_device:lnk_file r_file_perms;

# /dev/block/by-name/microdroid-apk is mapped to /dev/block/dm-*
# Read-only: zipfuse cannot modify the backing device.
allow zipfuse dm_device:blk_file r_file_perms;

# allow mounting on /mnt/apk
# The rule is keyed on the type, so it permits mounting on any directory
# labelled tmpfs, not only /mnt/apk.
allow zipfuse tmpfs:dir mounton;

# allow mounting with fscontext=u:object_r:zipfusefs:s0
# relabelfrom on fuse plus relabelto on zipfusefs is what lets the mount replace
# the default fuse filesystem label with zipfusefs.
type zipfusefs, fs_type, contextmount_type;
allow zipfuse fuse:filesystem relabelfrom;
allow zipfuse zipfusefs:filesystem { mount relabelfrom relabelto };

# allow mounting with context=u:object_r:system_file:s0 so that files provided
# by zipfuse are treated the same as the other files in /system or /apex
# Consequence: every domain that may read or execute system_file gets the same
# access to the apk entries, so the trust placed in them rests on the integrity
# of the backing device. NOTE(review): presumably that is verified at the
# device-mapper layer -- this file does not show it; confirm.
allow system_file zipfusefs:filesystem associate;

# allow zipfuse to log to the kernel
allow zipfuse kmsg_device:chr_file w_file_perms;

# allow zipfuse to write kmsg_debug (stdio_to_kmsg) inherited from microdroid_manager.
allow zipfuse kmsg_debug_device:chr_file w_file_perms;

# allow zipfuse to handle extra apks
# Read-only access to extra_apk_file, plus the right to mount on directories of
# that type (kept exclusive to zipfuse by the last neverallow in this file).
r_dir_file(zipfuse, extra_apk_file)
allow zipfuse extra_apk_file:dir mounton;

# zipfuse is forked from microdroid_manager
# so it must be allowed to use the file descriptors it inherits from it.
allow zipfuse microdroid_manager:fd use;

# allow signalling when the mount is ready
set_prop(zipfuse, microdroid_manager_zipfuse_prop)

# Only microdroid_manager can run zipfuse
# neverallow is an assertion checked when the policy is built: it grants
# nothing, it makes the build fail if some other rule lets another domain
# transition into zipfuse. The allow rule for the transition itself is not in
# this file.
neverallow { domain -microdroid_manager } zipfuse:process { transition dyntransition };

# only zipfuse can mount on extra_apk_file
neverallow { domain -zipfuse } extra_apk_file:dir mounton;