From 24f3bcdb8fc6e6490438f496c1bf1d45b9caeec9 Mon Sep 17 00:00:00 2001
From: Jeff Sharkey <jsharkey@android.com>
Date: Tue, 30 Jun 2015 15:56:46 -0700
Subject: [PATCH] Let Zygote unmount inherited storage devices.

For example, when launching into an isolated process, we need to drop
all mounts inherited from the root namespace.

avc: denied { unmount } for scontext=u:r:zygote:s0 tcontext=u:object_r:fuse:s0 tclass=filesystem permissive=1

Bug: 22192518
Change-Id: Iafbea2c365c1080bdf20d7fa066c304901e582ba
---
 zygote.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/zygote.te b/zygote.te
index 598589e92..7029344ae 100644
--- a/zygote.te
+++ b/zygote.te
@@ -54,6 +54,7 @@ allow zygote sdcard_type:dir { write search setattr create add_name mounton }; #
 dontaudit zygote self:capability fsetid; # TODO: deprecated in M
 allow zygote tmpfs:dir { write create add_name setattr mounton search }; # TODO: deprecated in M
 allow zygote tmpfs:filesystem { mount unmount };
+allow zygote fuse:filesystem { unmount };
 allow zygote labeledfs:filesystem remount; # TODO: deprecated in M
 
 # Allowed to create user-specific storage source if started before vold
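Review bot: The added `allow zygote fuse:filesystem { unmount };` carries no comment, although the neighbouring rules in this hunk each explain their purpose with a trailing comment and the reason for this one lives only in the commit message (dropping mounts inherited from the root namespace when entering an isolated process). A one-line comment would keep that rationale with the rule, e.g. `allow zygote fuse:filesystem { unmount }; # drop inherited storage mounts when entering an isolated process`. It is also worth noting in that comment that the grant is scoped to the `fuse` filesystem type as a whole rather than to the inherited storage mounts named in the description, since the filesystem class offers no finer granularity; that appears to be the intent, but the rule's breadth is not obvious from the line itself.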
-- 