platform_system_sepolicy/microdroid/system/private/authfs_service.te

# authfs_service is a binder service running on microdroid. It serves the
# client's request and manages the mount/unmount of individual authfs instances
# (a FUSE based filesystem). The service then can pass file descriptor on authfs
# to the client for remote file access.

type authfs_service, domain, coredomain;
type authfs_service_exec, exec_type, file_type, system_file_type;

# Allow domain transition from init.
init_daemon_domain(authfs_service)

# Allow running as a binder service.
binder_call(authfs_service, servicemanager)
add_service(authfs_service, authfs_binder_service)

# Allow domain transition into authfs.
domain_auto_trans(authfs_service, authfs_exec, authfs)

# Allow mounting the FUSE filesystem.
allow authfs_service self:global_capability_class_set sys_admin;

# Allow creating/deleting mount directories.
allow authfs_service authfs_data_file:dir create_dir_perms;

# Allow opening a file from the FUSE mount.
# Note: authfs_service doesn't really need to read and write the file, but the
# check seems to happen on open anyway.
allow authfs_service authfs_fuse:dir search;
allow authfs_service authfs_fuse:file { open read write };

# Allow killing the authfs process and unmount.
allow authfs_service authfs:process sigkill;
allow authfs_service authfs_fuse:filesystem unmount;
SELinux policy for authfs_service and authfs authfs_service is a binder service on microdroid. Upon a request by the client, the service will create the mount directory, execute authfs to mount the FUSE, and finally unmount and delete the mount directory. authfs currently requires more privileges than it should, but it's ok because the client owns the VM, and all input will be verified by signatures. But there is plan to keep the privileges isoated in the service (b/195554831). Bug: 194717985 Bug: 195554831 Test: Start the service from init, use a test executable to call the service API. Only observed denial from the test executable. Change-Id: Ie53aa9e2796433fc3182357039d0b7ba1c0848ef 2021-08-04 02:26:38 +02:00			`# authfs_service is a binder service running on microdroid. It serves the`
			`# client's request and manages the mount/unmount of individual authfs instances`
			`# (a FUSE based filesystem). The service then can pass file descriptor on authfs`
			`# to the client for remote file access.`

			`type authfs_service, domain, coredomain;`
			`type authfs_service_exec, exec_type, file_type, system_file_type;`

			`# Allow domain transition from init.`
			`init_daemon_domain(authfs_service)`

			`# Allow running as a binder service.`
			`binder_call(authfs_service, servicemanager)`
Allow authfs_service to add itself to service manager Fixes: 196018177 Test: atest MicrodroidHostTestCases Change-Id: Ib47b8bf5d5d683e7f163e8f69d8a06ffe8f2675b 2021-08-10 19:49:01 +02:00			`add_service(authfs_service, authfs_binder_service)`
SELinux policy for authfs_service and authfs authfs_service is a binder service on microdroid. Upon a request by the client, the service will create the mount directory, execute authfs to mount the FUSE, and finally unmount and delete the mount directory. authfs currently requires more privileges than it should, but it's ok because the client owns the VM, and all input will be verified by signatures. But there is plan to keep the privileges isoated in the service (b/195554831). Bug: 194717985 Bug: 195554831 Test: Start the service from init, use a test executable to call the service API. Only observed denial from the test executable. Change-Id: Ie53aa9e2796433fc3182357039d0b7ba1c0848ef 2021-08-04 02:26:38 +02:00
			`# Allow domain transition into authfs.`
			`domain_auto_trans(authfs_service, authfs_exec, authfs)`

Grant authfs_service and authfs CAP_SYS_ADMIN CAP_SYS_ADMIN is required to mount a filesystem (currently in authfs, a child process of authfs_service). It seems the parent also needs to be allowed. Bug: 194474784 Test: Use the service (from compsvc), no longer seeing the denials Change-Id: I122734ee9f11899af4d7b647bc3049e4dbdad09e 2021-08-11 01:04:42 +02:00			`# Allow mounting the FUSE filesystem.`
			`allow authfs_service self:global_capability_class_set sys_admin;`

SELinux policy for authfs_service and authfs authfs_service is a binder service on microdroid. Upon a request by the client, the service will create the mount directory, execute authfs to mount the FUSE, and finally unmount and delete the mount directory. authfs currently requires more privileges than it should, but it's ok because the client owns the VM, and all input will be verified by signatures. But there is plan to keep the privileges isoated in the service (b/195554831). Bug: 194717985 Bug: 195554831 Test: Start the service from init, use a test executable to call the service API. Only observed denial from the test executable. Change-Id: Ie53aa9e2796433fc3182357039d0b7ba1c0848ef 2021-08-04 02:26:38 +02:00			`# Allow creating/deleting mount directories.`
			`allow authfs_service authfs_data_file:dir create_dir_perms;`

			`# Allow opening a file from the FUSE mount.`
			`# Note: authfs_service doesn't really need to read and write the file, but the`
authfs - remove getattr perm for fd pass We are no longer reading the ashmem size on every transaction. Fixes: 195752513 Test: atest ComposHostTestCases (no denial logs) Change-Id: If27c2b1d0efdccf30bc8c09e1004feb789e2425d 2021-10-12 21:40:44 +02:00			`# check seems to happen on open anyway.`
SELinux policy for authfs_service and authfs authfs_service is a binder service on microdroid. Upon a request by the client, the service will create the mount directory, execute authfs to mount the FUSE, and finally unmount and delete the mount directory. authfs currently requires more privileges than it should, but it's ok because the client owns the VM, and all input will be verified by signatures. But there is plan to keep the privileges isoated in the service (b/195554831). Bug: 194717985 Bug: 195554831 Test: Start the service from init, use a test executable to call the service API. Only observed denial from the test executable. Change-Id: Ie53aa9e2796433fc3182357039d0b7ba1c0848ef 2021-08-04 02:26:38 +02:00			`allow authfs_service authfs_fuse:dir search;`
authfs - remove getattr perm for fd pass We are no longer reading the ashmem size on every transaction. Fixes: 195752513 Test: atest ComposHostTestCases (no denial logs) Change-Id: If27c2b1d0efdccf30bc8c09e1004feb789e2425d 2021-10-12 21:40:44 +02:00			`allow authfs_service authfs_fuse:file { open read write };`
SELinux policy for authfs_service and authfs authfs_service is a binder service on microdroid. Upon a request by the client, the service will create the mount directory, execute authfs to mount the FUSE, and finally unmount and delete the mount directory. authfs currently requires more privileges than it should, but it's ok because the client owns the VM, and all input will be verified by signatures. But there is plan to keep the privileges isoated in the service (b/195554831). Bug: 194717985 Bug: 195554831 Test: Start the service from init, use a test executable to call the service API. Only observed denial from the test executable. Change-Id: Ie53aa9e2796433fc3182357039d0b7ba1c0848ef 2021-08-04 02:26:38 +02:00
			`# Allow killing the authfs process and unmount.`
			`allow authfs_service authfs:process sigkill;`
			`allow authfs_service authfs_fuse:filesystem unmount;`