Merge "Add SELinux label for app fuse." am: e3965aa2

am: 52719ea5 * commit '52719ea5': Add SELinux label for app fuse.

Merge "Add SELinux label for app fuse." am: e3965aa2
4e6d20c7 · Daichi Hirono · android-build-merger · fb0c52ad · 52719ea5 · 4e6d20c7
Commit 4e6d20c7 authored 9 years ago by Daichi Hirono Committed by android-build-merger 9 years ago
--- a/app.te
+++ b/app.te
@@ -212,6 +212,9 @@ allowxperm { appdomain -bluetooth } self:{ rawip_socket tcp_socket udp_socket }

 allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;

+# For app fuse.
+allow appdomain app_fuse_file:file { getattr read append write };
+
 ###
 ### CTS-specific rules
 ###

--- a/file.te
+++ b/file.te
@@ -50,6 +50,7 @@ type functionfs, fs_type;
 type oemfs, fs_type, contextmount_type;
 type usbfs, fs_type;
 type binfmt_miscfs, fs_type;
+type app_fusefs, fs_type, contextmount_type;

 # File types
 type unlabeled, file_type;
@@ -173,6 +174,8 @@ type security_file, file_type;
 type bluetooth_efs_file, file_type;
 # Type for fingerprint template file.
 type fingerprintd_data_file, file_type, data_file_type;
+# Type for appfuse file.
+type app_fuse_file, file_type, data_file_type;

 # Socket types
 type adbd_socket, file_type;
@@ -215,6 +218,7 @@ allow file_type labeledfs:filesystem associate;
 allow file_type tmpfs:filesystem associate;
 allow file_type rootfs:filesystem associate;
 allow dev_type tmpfs:filesystem associate;
+allow app_fuse_file app_fusefs:filesystem associate;

 # It's a bug to assign the file_type attribute and fs_type attribute
 # to any type. Do not allow it.

--- a/mediaserver.te
+++ b/mediaserver.te
@@ -66,6 +66,9 @@ r_dir_file(mediaserver, media_rw_data_file)
 allow mediaserver audio_data_file:dir ra_dir_perms;
 allow mediaserver audio_data_file:file create_file_perms;

+# Grant access to read files on appfuse.
+allow mediaserver app_fuse_file:file { read getattr };
+
 # Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
 allow mediaserver qtaguid_proc:file rw_file_perms;
 allow mediaserver qtaguid_device:chr_file r_file_perms;

--- a/priv_app.te
+++ b/priv_app.te
@@ -71,6 +71,8 @@ allow priv_app exec_type:file getattr;
 # For AppFuse.
 allow priv_app vold:fd use;
 allow priv_app fuse_device:chr_file { read write };
+allow priv_app app_fuse_file:dir rw_dir_perms;
+allow priv_app app_fuse_file:file rw_file_perms;

 # /sys access
 allow priv_app sysfs_zram:dir search;

--- a/vold.te
+++ b/vold.te
@@ -174,6 +174,9 @@ allow vold storage_file:dir mounton;

 # For AppFuse.
 allow vold fuse_device:chr_file rw_file_perms;
+allow vold fuse:filesystem { relabelfrom };
+allow vold app_fusefs:filesystem { relabelfrom relabelto };
+allow vold app_fusefs:filesystem { mount unmount };

 # coldboot of /sys/block
 allow vold sysfs_zram:dir r_dir_perms;