platform_system_sepolicy/private/fuseblkd.te

# Compartmentalized domain specifically for mounting fuseblk filesystems.
# We need this to not grant fuseblkd_untrusted sys_admin permissions.
type fuseblkd_exec, system_file_type, exec_type, file_type;
type fuseblkd, domain;

typeattribute fuseblkd coredomain;

# Required for mount and unmounting. We can't minimize this permission,
# even though we only allow mount/unmount.
allow fuseblkd self:global_capability_class_set sys_admin;

# Permissions for the fuseblk filesystem.
allow fuseblkd fuse_device:chr_file rw_file_perms;
allow fuseblkd fuseblk:filesystem { mount unmount };
allow fuseblkd fuseblkd_untrusted:fd use;

# Look through block devices to find the correct one.
allow fuseblkd block_device:dir search;

# Permissions to mount on the media_rw directory for USB drives.
allow fuseblkd mnt_media_rw_file:dir search;
allow fuseblkd mnt_media_rw_stub_file:dir mounton;

###
### neverallow rules
###

# Only allow entry from fuseblkd_untrusted, and only through fuseblkd_exec binary.
neverallow { domain -fuseblkd_untrusted } fuseblkd:process transition;
neverallow * fuseblkd:process dyntransition;
neverallow fuseblkd { file_type fs_type -fuseblkd_exec }:file entrypoint;
Adds support for fuseblk binaries. This is a rather large, single change to the SEPolicies, as fuseblk required multiple new domains. The goal is to allow any fuseblk drivers to also use the same sepolicy. Note the compartmentalized domain for sys_admin and mount/unmount permissions. Bug: 254407246 Test: Extensive testing with an ADT-4 and NTFS USB drives. Change-Id: I6619ac77ce44ba60edd6ab10e8436a8712459b48 2023-01-17 18:22:34 +01:00			`# Compartmentalized domain specifically for mounting fuseblk filesystems.`
			`# We need this to not grant fuseblkd_untrusted sys_admin permissions.`
			`type fuseblkd_exec, system_file_type, exec_type, file_type;`
			`type fuseblkd, domain;`

			`typeattribute fuseblkd coredomain;`

			`# Required for mount and unmounting. We can't minimize this permission,`
			`# even though we only allow mount/unmount.`
			`allow fuseblkd self:global_capability_class_set sys_admin;`

			`# Permissions for the fuseblk filesystem.`
			`allow fuseblkd fuse_device:chr_file rw_file_perms;`
			`allow fuseblkd fuseblk:filesystem { mount unmount };`
			`allow fuseblkd fuseblkd_untrusted:fd use;`

			`# Look through block devices to find the correct one.`
			`allow fuseblkd block_device:dir search;`

			`# Permissions to mount on the media_rw directory for USB drives.`
			`allow fuseblkd mnt_media_rw_file:dir search;`
			`allow fuseblkd mnt_media_rw_stub_file:dir mounton;`

			`###`
			`### neverallow rules`
			`###`

			`# Only allow entry from fuseblkd_untrusted, and only through fuseblkd_exec binary.`
			`neverallow { domain -fuseblkd_untrusted } fuseblkd:process transition;`
			`neverallow * fuseblkd:process dyntransition;`
			`neverallow fuseblkd { file_type fs_type -fuseblkd_exec }:file entrypoint;`