Let Zygote unmount inherited storage devices.

For example, when launching into an isolated process, we need to drop all mounts inherited from the root namespace. avc: denied { unmount } for scontext=u:r:zygote:s0 tcontext=u:object_r:fuse:s0 tclass=filesystem permissive=1 Bug: 22192518 Change-Id: Iafbea2c365c1080bdf20d7fa066c304901e582ba
2015-06-30 15:56:46 -07:00 · 2015-06-30 15:56:46 -07:00 · 24f3bcdb8f
commit 24f3bcdb8f
parent 6b75d099e1
1 changed files with 1 additions and 0 deletions
--- a/zygote.te
+++ b/zygote.te
@ -54,6 +54,7 @@ allow zygote sdcard_type:dir { write search setattr create add_name mounton }; #
 dontaudit zygote self:capability fsetid; # TODO: deprecated in M
 allow zygote tmpfs:dir { write create add_name setattr mounton search }; # TODO: deprecated in M
 allow zygote tmpfs:filesystem { mount unmount };
+allow zygote fuse:filesystem { unmount };
 allow zygote labeledfs:filesystem remount; # TODO: deprecated in M

 # Allowed to create user-specific storage source if started before vold