Allow the MediaProvider app to set FUSE passthrough property am: c1e2918fd9 am: bafbd5eeb0 am: 3c7f9b1c7a

Original change: https://android-review.googlesource.com/c/platform/system/sepolicy/+/1693545

Change-Id: I4340d1aa457cf190eba110b74ef63f76abe6613d

private/app.te

@@ -4,6 +4,8 @@ get_prop(appdomain, test_harness_prop)
 
 get_prop(appdomain, boot_status_prop)
 get_prop(appdomain, dalvik_config_prop)
+# TODO(b/187912701) restrict the scope of fuse_passthrough_prop
+get_prop(appdomain, fuse_passthrough_prop)
 get_prop(appdomain, media_config_prop)
 get_prop(appdomain, packagemanager_config_prop)
 get_prop(appdomain, radio_control_prop)

private/compat/30.0/30.0.cil

@@ -2071,7 +2071,10 @@
 (typeattributeset system_ndebug_socket_30_0 (system_ndebug_socket))
 (typeattributeset system_net_netd_hwservice_30_0 (system_net_netd_hwservice))
 (typeattributeset system_passwd_file_30_0 (system_passwd_file))
-(typeattributeset system_prop_30_0 (system_prop))
+(typeattributeset system_prop_30_0 (
+  system_prop
+  fuse_passthrough_prop
+))
 (typeattributeset system_radio_prop_30_0 (system_radio_prop usb_prop))
 (typeattributeset system_seccomp_policy_file_30_0 (system_seccomp_policy_file))
 (typeattributeset system_security_cacerts_file_30_0 (system_security_cacerts_file))

private/mediaprovider_app.te

@@ -54,3 +54,8 @@ get_prop(mediaprovider_app, storage_config_prop)
 get_prop(mediaprovider_app, drm_service_config_prop)
 
 allow mediaprovider_app gpu_device:dir search;
+
+# Allow MediaProvider to set system properties.
+# This is required to let other services know that FUSE passthrough is enabled
+# on the device (b/186635810).
+set_prop(mediaprovider_app, fuse_passthrough_prop)

private/property_contexts

@@ -1186,3 +1186,6 @@ persist.rollback.is_test u:object_r:rollback_test_prop:s0 exact bool
 
 # bootanimation properties
 ro.bootanim.quiescent.enabled u:object_r:bootanim_config_prop:s0 exact bool
+
+# FUSE Passthrough properties
+fuse.passthrough.enabled u:object_r:fuse_passthrough_prop:s0 exact bool

private/shell.te

@@ -197,3 +197,6 @@ neverallow { domain -shell -init -dumpstate } perf_drop_caches_prop:file read;
 
 # Allow ReadDefaultFstab() for CTS.
 read_fstab(shell)
+
+# Allow shell to read FUSE passthrough properties
+get_prop(shell, fuse_passthrough_prop)

public/property.te

@@ -68,6 +68,7 @@ system_restricted_prop(build_bootimage_prop)
 system_restricted_prop(build_prop)
 system_restricted_prop(charger_status_prop)
 system_restricted_prop(fingerprint_prop)
+system_restricted_prop(fuse_passthrough_prop)
 system_restricted_prop(hal_instrumentation_prop)
 system_restricted_prop(init_service_status_prop)
 system_restricted_prop(libc_debug_prop)