From e178ac5a7147f6f808844ab9ba4f0d6eb948cb88 Mon Sep 17 00:00:00 2001 From: Daichi Hirono <hirono@google.com> Date: Thu, 28 Jan 2016 15:48:39 +0900 Subject: [PATCH] Add SELinux label for app fuse. The labels for filesystem and files are assigned by vold with using context= mount option. Change-Id: I8a9d701a46a333093a27107fc3c52b17a2af1a94
---
app.te | 3 +++ file.te | 4 ++++ mediaserver.te | 3 +++ priv_app.te | 2 ++ vold.te | 3 +++ 5 files changed, 15 insertions(+)
diff --git a/app.te b/app.te
index 6ad58a675..993c02553 100644
--- a/app.te
+++ b/app.te
@@ -209,6 +209,9 @@ allow appdomain console_device:chr_file { read write };
 allow { appdomain -isolated_app } ion_device:chr_file rw_file_perms;
+# For app fuse.
+allow appdomain app_fuse_file:file { getattr read append write };
+
 ###
 ### CTS-specific rules
 ###
diff --git a/file.te b/file.te
index 81ff887af..d205c56f5 100644
--- a/file.te
+++ b/file.te
@@ -50,6 +50,7 @@ type functionfs, fs_type;
 type oemfs, fs_type, contextmount_type;
 type usbfs, fs_type;
 type binfmt_miscfs, fs_type;
+type app_fusefs, fs_type, contextmount_type;
 # File types
 type unlabeled, file_type;
@@ -169,6 +170,8 @@ type security_file, file_type;
 type bluetooth_efs_file, file_type;
 # Type for fingerprint template file.
 type fingerprintd_data_file, file_type, data_file_type;
+# Type for appfuse file.
+type app_fuse_file, file_type, data_file_type;
 # Socket types
 type adbd_socket, file_type;
@@ -211,6 +214,7 @@ allow file_type labeledfs:filesystem associate;
 allow file_type tmpfs:filesystem associate;
 allow file_type rootfs:filesystem associate;
 allow dev_type tmpfs:filesystem associate;
+allow app_fuse_file app_fusefs:filesystem associate;
 # It's a bug to assign the file_type attribute and fs_type attribute
 # to any type. Do not allow it.
diff --git a/mediaserver.te b/mediaserver.te
index 6006f0265..7e200023c 100644
--- a/mediaserver.te
+++ b/mediaserver.te
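Review bot: The new `allow appdomain app_fuse_file:file { getattr read append write };` grants the access to every app domain, while the context line just above it deliberately writes `{ appdomain -isolated_app }` for ion_device, which suggests isolated_app is a member of appdomain and would receive this rule as well. If isolated processes have no business with appfuse-backed files, the rule should be narrowed to `allow { appdomain -isolated_app } app_fuse_file:file { getattr read append write };`; if the wider grant is intentional, the comment should say so. The rule also omits `open` and any dir permission, so apps presumably receive already-opened descriptors rather than opening these files by path; recording that in the comment, e.g. `# For app fuse: apps operate on fds to app_fuse_file (labeled by vold via context= mount); no open/search by design.`, keeps a later denial on `open` from being patched over without review.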
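Review bot: `type app_fuse_file, file_type, data_file_type;` makes every rule and neverallow written against the `data_file_type` attribute (elsewhere in the policy, not visible in this hunk) apply to files served by a FUSE daemon rather than stored on /data; worth confirming that attribute is wanted rather than inherited from the fingerprintd_data_file line it was placed under. The comment `# Type for appfuse file.` should also record how the label is applied, since the diffstat shows no file_contexts change in this patch: `# Type for files on an appfuse mount; assigned by vold via the context= mount option, not by file_contexts.` The associate rule added in the third hunk of this file depends on this type, so the two should be read together.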
@@ -66,6 +66,9 @@ r_dir_file(mediaserver, media_rw_data_file)
 allow mediaserver audio_data_file:dir ra_dir_perms;
 allow mediaserver audio_data_file:file create_file_perms;
+# Grant access to read files on appfuse.
+allow mediaserver app_fuse_file:file { read getattr };
+
 # Read/[write] to /proc/net/xt_qtaguid/ctrl and /dev/xt_qtaguid
 allow mediaserver qtaguid_proc:file rw_file_perms;
 allow mediaserver qtaguid_device:chr_file r_file_perms;
diff --git a/priv_app.te b/priv_app.te
index 68b588cfb..e300d4568 100644
--- a/priv_app.te
+++ b/priv_app.te
@@ -67,6 +67,8 @@ allow priv_app exec_type:file getattr;
 # For AppFuse.
 allow priv_app vold:fd use;
 allow priv_app fuse_device:chr_file { read write };
+allow priv_app app_fuse_file:dir rw_dir_perms;
+allow priv_app app_fuse_file:file rw_file_perms;
 # /sys access
 allow priv_app sysfs_zram:dir search;
diff --git a/vold.te b/vold.te
index 67e461a25..9a1ccfe3a 100644
--- a/vold.te
+++ b/vold.te
@@ -174,6 +174,9 @@ allow vold storage_file:dir mounton;
 # For AppFuse.
 allow vold fuse_device:chr_file rw_file_perms;
+allow vold fuse:filesystem { relabelfrom };
+allow vold app_fusefs:filesystem { relabelfrom relabelto };
+allow vold app_fusefs:filesystem { mount unmount };
 # coldboot of /sys/block
 allow vold sysfs_zram:dir r_dir_perms;
-- GitLab
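Review bot: `allow mediaserver app_fuse_file:file { read getattr };` is visibly narrower than the `r_file_perms` macro used two lines below for qtaguid_device, in that it grants no `open` and no dir `search`, which only works if mediaserver receives appfuse-backed files as already-opened descriptors rather than opening them by path. That looks deliberate and is the least-privilege shape, but nothing in the hunk says so, and a future denial on `open` would likely be "fixed" by widening the rule. Replace the comment with `# Read appfuse-backed files received as fds from apps; no open/search, mediaserver must not open them by path.` so the boundary is documented where the rule lives.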
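Review bot: The two new priv_app lines grant every priv_app domain path-based read/write on appfuse directories and files via `rw_dir_perms` and `rw_file_perms`, which is considerably wider than the fd-use and fuse_device rules above them under the same `# For AppFuse.` comment, and `rw_dir_perms` presumably bundles directory write permissions (add_name/remove_name) that a filesystem server handing out descriptors would not need. If the privileged component only serves the mount and opens files on behalf of callers, the dir rule may be reducible to `r_dir_perms`; if it really creates entries, the comment should say which component does so and why. Either way the comment should name the purpose, e.g. `# AppFuse server side: open files on its own appfuse mount by path to hand fds to other domains.`, hedged here because the calling code is not visible in the hunk.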
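Review bot: The two `app_fusefs:filesystem` rules in the vold hunk can be one statement, `allow vold app_fusefs:filesystem { mount unmount relabelfrom relabelto };`, and the `fuse:filesystem { relabelfrom }` line deserves a comment tying it to the commit message, e.g. `# Mounting with context= relabels the filesystem from the kernel's default fuse label to app_fusefs.` Granting `relabelfrom` on app_fusefs as well means vold may move an already-mounted appfuse filesystem to yet another context; if only the fuse-to-app_fusefs transition is needed, that permission could be dropped, though whether a remount path relies on it cannot be determined from this hunk. A short comment stating which of the two transitions is expected would make the next audit of vold's filesystem permissions straightforward.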