Add new rules for appfuse. am: a20802dd

am: 0912601e

* commit '0912601e':
  Add new rules for appfuse.

device.te

@@ -41,7 +41,7 @@ type urandom_device, dev_type, mlstrustedobject;
 type video_device, dev_type;
 type vcs_device, dev_type;
 type zero_device, dev_type, mlstrustedobject;
-type fuse_device, dev_type;
+type fuse_device, dev_type, mlstrustedobject;
 type iio_device, dev_type;
 type ion_device, dev_type, mlstrustedobject;
 type gps_device, dev_type;

domain.te

@@ -517,3 +517,22 @@ neverallow domain domain:file { execute execute_no_trans entrypoint };
 # more specific label.
 # TODO: fix system_server and dumpstate
 neverallow { domain -init -system_server -dumpstate } debugfs:file no_rw_file_perms;
+
+neverallow {
+  domain
+  -init
+  -recovery
+  -sdcardd
+  -vold
+} fuse_device:chr_file open;
+neverallow {
+  domain
+  -dumpstate
+  -init
+  -priv_app
+  -recovery
+  -sdcardd
+  -system_server
+  -ueventd
+  -vold
+} fuse_device:chr_file *;

priv_app.te

@@ -66,6 +66,10 @@ userdebug_or_eng(`
 # the system partition
 allow priv_app exec_type:file getattr;
 
+# For AppFuse.
+allow priv_app vold:fd use;
+allow priv_app fuse_device:chr_file { read write };
+
 ###
 ### neverallow rules
 ###

system_server.te

@@ -447,6 +447,10 @@ userdebug_or_eng(`
   allow system_server kernel:system syslog_read;
 ')
 
+# For AppFuse.
+allow system_server vold:fd use;
+allow system_server fuse_device:chr_file { read write ioctl };
+
 ###
 ### Neverallow rules
 ###

vold.te

@@ -164,6 +164,9 @@ allow vold self:capability sys_nice;
 allow vold self:capability sys_chroot;
 allow vold storage_file:dir mounton;
 
+# For AppFuse.
+allow vold fuse_device:chr_file rw_file_perms;
+
 neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
 neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
 neverallow { domain -vold -init } vold_data_file:dir *;