Merge "Add fusefs_type for FUSE filesystems"

private/adbd.te

@@ -77,8 +77,8 @@ allow adbd profman_dump_data_file:file r_file_perms;
 allow adbd tmpfs:dir search;
 allow adbd rootfs:lnk_file r_file_perms;  # /sdcard symlink
 allow adbd tmpfs:lnk_file r_file_perms;   # /mnt/sdcard symlink
-allow adbd sdcard_type:dir create_dir_perms;
-allow adbd sdcard_type:file create_file_perms;
+allow adbd { sdcard_type fuse }:dir create_dir_perms;
+allow adbd { sdcard_type fuse }:file create_file_perms;
 
 # adb pull /data/anr/traces.txt
 allow adbd anr_data_file:dir r_dir_perms;

private/app_neverallows.te

@@ -131,6 +131,7 @@ neverallow { all_untrusted_apps -mediaprovider } { cache_file cache_recovery_fil
 neverallow { all_untrusted_apps -mediaprovider } {
   fs_type
   -sdcard_type
+  -fuse
   file_type
   -app_data_file            # The apps sandbox itself
   -privapp_data_file

private/audioserver.te

@@ -7,6 +7,7 @@ init_daemon_domain(audioserver)
 tmpfs_domain(audioserver)
 
 r_dir_file(audioserver, sdcard_type)
+r_dir_file(audioserver, fuse)
 
 binder_use(audioserver)
 binder_call(audioserver, binderservicedomain)

private/domain.te

@@ -354,8 +354,8 @@ neverallow ~{
 } self:global_capability_class_set dac_read_search;
 
 # Limit what domains can mount filesystems or change their mount flags.
-# sdcard_type / vfat is exempt as a larger set of domains need
-# this capability, including device-specific domains.
+# sdcard_type (including vfat and exfat) and fusefs_type are exempt as a larger
+# set of domains need this capability, including device-specific domains.
 neverallow {
     domain
     -apexd
@@ -369,6 +369,7 @@ neverallow {
     -zygote
 } { fs_type
     -sdcard_type
+    -fusefs_type
 }:filesystem { mount remount relabelfrom relabelto };
 
 enforce_debugfs_restriction(`

private/ephemeral_app.te

@@ -17,7 +17,7 @@ net_domain(ephemeral_app)
 app_domain(ephemeral_app)
 
 # Allow ephemeral apps to read/write files in visible storage if provided fds
-allow ephemeral_app { sdcard_type media_rw_data_file }:file {read write getattr ioctl lock append};
+allow ephemeral_app { sdcard_type fuse media_rw_data_file }:file {read write getattr ioctl lock append};
 
 # Some apps ship with shared libraries and binaries that they write out
 # to their sandbox directory and then execute.
@@ -87,8 +87,8 @@ neverallow ephemeral_app sysfs:file *;
 neverallow ephemeral_app proc:file { no_rw_file_perms no_x_file_perms };
 
 # Directly access external storage
-neverallow ephemeral_app { sdcard_type media_rw_data_file }:file {open create};
-neverallow ephemeral_app { sdcard_type media_rw_data_file }:dir search;
+neverallow ephemeral_app { sdcard_type fuse media_rw_data_file }:file {open create};
+neverallow ephemeral_app { sdcard_type fuse media_rw_data_file }:dir search;
 
 # Avoid reads to proc_net, it contains too much device wide information about
 # ongoing connections.

private/gsid.te

@@ -84,7 +84,7 @@ userdebug_or_eng(`
   # gsi_tool passes a FIFO to gsid if invoked with pipe redirection.
   allow gsid { shell su }:fifo_file r_file_perms;
   # Allow installing images from /storage/emulated/...
-  allow gsid sdcard_type:file r_file_perms;
+  allow gsid { sdcard_type fuse }:file r_file_perms;
 ')
 
 neverallow {

private/isolated_app.te

@@ -33,7 +33,7 @@ allow isolated_app self:process ptrace;
 # neverallow rules below.
 # media_rw_data_file is included for sdcardfs, and can be removed if sdcardfs
 # is modified to change the secontext when accessing the lower filesystem.
-allow isolated_app { sdcard_type media_rw_data_file }:file { read write append getattr lock map };
+allow isolated_app { sdcard_type fuse media_rw_data_file }:file { read write append getattr lock map };
 
 # For webviews, isolated_app processes can be forked from the webview_zygote
 # in addition to the zygote. Allow access to resources inherited from the
@@ -110,10 +110,10 @@ neverallow isolated_app cache_file:file ~{ read getattr };
 
 # Do not allow isolated_app to access external storage, except for files passed
 # via file descriptors (b/32896414).
-neverallow isolated_app { storage_file mnt_user_file sdcard_type }:dir ~getattr;
+neverallow isolated_app { storage_file mnt_user_file sdcard_type fuse }:dir ~getattr;
 neverallow isolated_app { storage_file mnt_user_file }:file_class_set *;
-neverallow isolated_app sdcard_type:{ devfile_class_set lnk_file sock_file fifo_file } *;
-neverallow isolated_app sdcard_type:file ~{ read write append getattr lock map };
+neverallow isolated_app { sdcard_type fuse }:{ devfile_class_set lnk_file sock_file fifo_file } *;
+neverallow isolated_app { sdcard_type fuse }:file ~{ read write append getattr lock map };
 
 # Do not allow USB access
 neverallow isolated_app { usb_device usbaccessory_device }:chr_file *;

private/surfaceflinger.te

@@ -142,7 +142,7 @@ dontaudit surfaceflinger vendor_default_prop:file read;
 
 # Do not allow accessing SDcard files as unsafe ejection could
 # cause the kernel to kill the process.
-neverallow surfaceflinger sdcard_type:file rw_file_perms;
+neverallow surfaceflinger { sdcard_type fuse }:file rw_file_perms;
 
 # b/68864350
 dontaudit surfaceflinger unlabeled:dir search;

private/system_server.te

@@ -965,7 +965,7 @@ allow system_server { mnt_user_file storage_file }:lnk_file { getattr read };
 
 # Allow statfs() on storage devices, which happens fast enough that
 # we shouldn't be killed during unsafe removal
-allow system_server sdcard_type:dir { getattr search };
+allow system_server { sdcard_type fuse }:dir { getattr search };
 
 # Traverse into expanded storage
 allow system_server mnt_expand_file:dir r_dir_perms;
@@ -1159,8 +1159,8 @@ userdebug_or_eng(`r_dir_file(system_server, profcollectd_data_file)')
 
 # Do not allow opening files from external storage as unsafe ejection
 # could cause the kernel to kill the system_server.
-neverallow system_server sdcard_type:dir { open read write };
-neverallow system_server sdcard_type:file rw_file_perms;
+neverallow system_server { sdcard_type fuse }:dir { open read write };
+neverallow system_server { sdcard_type fuse }:file rw_file_perms;
 
 # system server should never be operating on zygote spawned app data
 # files directly. Rather, they should always be passed via a

private/zygote.te

@@ -152,8 +152,8 @@ allow zygote mnt_pass_through_file:dir { create_dir_perms mounton };
 allow zygote storage_file:dir { search mounton };
 
 # Allow mounting and creating files, dirs on sdcardfs.
-allow zygote { sdcard_type }:dir { create_dir_perms mounton };
-allow zygote { sdcard_type }:file { create_file_perms };
+allow zygote { sdcard_type fuse }:dir { create_dir_perms mounton };
+allow zygote { sdcard_type fuse }:file { create_file_perms };
 
 # Handle --invoke-with command when launching Zygote with a wrapper command.
 allow zygote zygote_exec:file rx_file_perms;

public/app.te

@@ -261,8 +261,8 @@ allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:dir r_dir_perms;
 allow { appdomain -isolated_app -ephemeral_app } mnt_user_file:lnk_file r_file_perms;
 
 # Read/write visible storage
-allow { appdomain -isolated_app -ephemeral_app } sdcard_type:dir create_dir_perms;
-allow { appdomain -isolated_app -ephemeral_app } sdcard_type:file create_file_perms;
+allow { appdomain -isolated_app -ephemeral_app } { sdcard_type fuse }:dir create_dir_perms;
+allow { appdomain -isolated_app -ephemeral_app } { sdcard_type fuse }:file create_file_perms;
 # This should be removed if sdcardfs is modified to alter the secontext for its
 # accesses to the underlying FS.
 allow { appdomain -isolated_app -ephemeral_app } media_rw_data_file:dir create_dir_perms;

public/attributes

@@ -18,6 +18,12 @@ attribute fs_type;
 # All types used for context= mounts.
 attribute contextmount_type;
 
+# All types referencing a FUSE filesystem.
+# When mounting a new FUSE filesystem, the fscontext= option should be used to
+# set a domain-specific type with this attribute. See app_fusefs for an
+# example.
+attribute fusefs_type;
+
 # All types used for files that can exist on a labeled fs.
 # Do not use for pseudo file types.
 # On change, update CHECK_FC_ASSERT_ATTRS

public/drmserver.te

@@ -18,11 +18,11 @@ allow drmserver system_server:fd use;
 # Perform Binder IPC to mediaserver
 binder_call(drmserver, mediaserver)
 
-allow drmserver sdcard_type:dir search;
+allow drmserver { sdcard_type fuse }:dir search;
 allow drmserver drm_data_file:dir create_dir_perms;
 allow drmserver drm_data_file:file create_file_perms;
 allow drmserver { app_data_file privapp_data_file }:file { read write getattr map };
-allow drmserver sdcard_type:file { read write getattr map };
+allow drmserver { sdcard_type fuse }:file { read write getattr map };
 r_dir_file(drmserver, efs_file)
 
 type drmserver_socket, file_type;

public/file.te

@@ -138,7 +138,7 @@ type devpts, fs_type, mlstrustedobject;
 type tmpfs, fs_type;
 type shm, fs_type;
 type mqueue, fs_type;
-type fuse, sdcard_type, fs_type, mlstrustedobject;
+type fuse, fusefs_type, fs_type, mlstrustedobject;
 type sdcardfs, sdcard_type, fs_type, mlstrustedobject;
 type vfat, sdcard_type, fs_type, mlstrustedobject;
 type exfat, sdcard_type, fs_type, mlstrustedobject;
@@ -160,7 +160,7 @@ type functionfs, fs_type, mlstrustedobject;
 type oemfs, fs_type, contextmount_type;
 type usbfs, fs_type;
 type binfmt_miscfs, fs_type;
-type app_fusefs, fs_type, contextmount_type;
+type app_fusefs, fs_type, fusefs_type, contextmount_type;
 
 # File types
 type unlabeled, file_type;

public/hal_wifi_hostapd.te

@@ -23,5 +23,5 @@ allow hal_wifi_hostapd_server self:netlink_route_socket nlmsg_write;
 ###
 
 # hal_wifi_hostapd should not trust any data from sdcards
-neverallow hal_wifi_hostapd_server sdcard_type:dir ~getattr;
-neverallow hal_wifi_hostapd_server sdcard_type:file *;
+neverallow hal_wifi_hostapd_server { sdcard_type fuse }:dir ~getattr;
+neverallow hal_wifi_hostapd_server { sdcard_type fuse }:file *;

public/hal_wifi_supplicant.te

@@ -34,5 +34,5 @@ allow hal_wifi_supplicant wifi_key:keystore2_key {
 ###
 
 # wpa_supplicant should not trust any data from sdcards
-neverallow hal_wifi_supplicant_server sdcard_type:dir ~getattr;
-neverallow hal_wifi_supplicant_server sdcard_type:file *;
+neverallow hal_wifi_supplicant_server { sdcard_type fuse }:dir ~getattr;
+neverallow hal_wifi_supplicant_server { sdcard_type fuse }:file *;

public/init.te

@@ -313,11 +313,12 @@ allow init {
   -keychord_device
   -proc_type
   -sdcard_type
+  -fusefs_type
   -sysfs_type
   -rootfs
   enforce_debugfs_restriction(`-debugfs_type')
 }:file { open read setattr };
-allow init { fs_type -contextmount_type -sdcard_type -rootfs }:dir  { open read setattr search };
+allow init { fs_type -contextmount_type -sdcard_type -fusefs_type -rootfs }:dir  { open read setattr search };
 
 allow init {
   binder_device

public/installd.te

@@ -71,8 +71,8 @@ allow installd media_rw_data_file:dir relabelto;
 # Delete /data/media files through sdcardfs, instead of going behind its back
 allow installd tmpfs:dir r_dir_perms;
 allow installd storage_file:dir search;
-allow installd sdcard_type:dir { search open read write remove_name getattr rmdir };
-allow installd sdcard_type:file { getattr unlink };
+allow installd { sdcard_type fuse }:dir { search open read write remove_name getattr rmdir };
+allow installd { sdcard_type fuse }:file { getattr unlink };
 
 # Create app's mirror data directory in /data_mirror, and bind mount the real directory to it
 allow installd mirror_data_file:dir { create_dir_perms mounton };

public/kernel.te

@@ -56,7 +56,7 @@ allow kernel selinuxfs:file write;
 allow kernel self:security setcheckreqprot;
 
 # kernel thread "loop0", used by the loop block device, for ASECs (b/17158723)
-allow kernel sdcard_type:file { read write };
+allow kernel { sdcard_type fuse }:file { read write };
 
 # f_mtp driver accesses files from kernel context.
 allow kernel mediaprovider:fd use;

public/mediaextractor.te

@@ -26,7 +26,7 @@ allow mediaextractor proc_meminfo:file r_file_perms;
 crash_dump_fallback(mediaextractor)
 
 # allow mediaextractor read permissions for file sources
-allow mediaextractor sdcard_type:file { getattr read };
+allow mediaextractor { sdcard_type fuse }:file { getattr read };
 allow mediaextractor media_rw_data_file:file { getattr read };
 allow mediaextractor { app_data_file privapp_data_file }:file { getattr read };
 

public/mediaserver.te

@@ -8,6 +8,7 @@ typeattribute mediaserver mlstrustedsubject;
 net_domain(mediaserver)
 
 r_dir_file(mediaserver, sdcard_type)
+r_dir_file(mediaserver, fuse)
 r_dir_file(mediaserver, cgroup)
 r_dir_file(mediaserver, cgroup_v2)
 
@@ -30,7 +31,7 @@ binder_service(mediaserver)
 allow mediaserver media_data_file:dir create_dir_perms;
 allow mediaserver media_data_file:file create_file_perms;
 allow mediaserver { app_data_file privapp_data_file }:file { append getattr ioctl lock map read write };
-allow mediaserver sdcard_type:file write;
+allow mediaserver { sdcard_type fuse }:file write;
 allow mediaserver gpu_device:chr_file rw_file_perms;
 allow mediaserver video_device:dir r_dir_perms;
 allow mediaserver video_device:chr_file rw_file_perms;

public/sdcardd.te

@@ -10,11 +10,11 @@ allow sdcardd tmpfs:dir r_dir_perms;
 allow sdcardd mnt_media_rw_file:dir r_dir_perms;
 allow sdcardd storage_file:dir search;
 allow sdcardd storage_stub_file:dir { search mounton };
-allow sdcardd sdcard_type:filesystem { mount unmount };
+allow sdcardd { sdcard_type fuse }:filesystem { mount unmount };
 allow sdcardd self:global_capability_class_set { setuid setgid dac_override dac_read_search sys_admin sys_resource };
 
-allow sdcardd sdcard_type:dir create_dir_perms;
-allow sdcardd sdcard_type:file create_file_perms;
+allow sdcardd { sdcard_type fuse }:dir create_dir_perms;
+allow sdcardd { sdcard_type fuse }:file create_file_perms;
 
 allow sdcardd media_rw_data_file:dir create_dir_perms;
 allow sdcardd media_rw_data_file:file create_file_perms;

public/vendor_init.te

@@ -140,6 +140,7 @@ allow vendor_init {
   -contextmount_type
   -keychord_device
   -sdcard_type
+  -fusefs_type
   -rootfs
   -proc_uid_time_in_state
   -proc_uid_concurrent_active_time
@@ -153,6 +154,7 @@ allow vendor_init {
   fs_type
   -contextmount_type
   -sdcard_type
+  -fusefs_type
   -rootfs
   -proc_uid_time_in_state
   -proc_uid_concurrent_active_time

public/vold.te

@@ -86,14 +86,12 @@ allow vold block_device:dir create_dir_perms;
 allow vold device:dir write;
 allow vold devpts:chr_file rw_file_perms;
 allow vold rootfs:dir mounton;
-allow vold sdcard_type:dir mounton; # TODO: deprecated in M
-allow vold sdcard_type:filesystem { mount remount unmount }; # TODO: deprecated in M
-allow vold sdcard_type:dir create_dir_perms; # TODO: deprecated in M
-allow vold sdcard_type:file create_file_perms; # TODO: deprecated in M
+allow vold { sdcard_type fuse }:dir mounton; # TODO: deprecated in M
+allow vold { sdcard_type fuse }:filesystem { mount remount unmount }; # TODO: deprecated in M
 
 # Manage locations where storage is mounted
-allow vold { mnt_media_rw_file storage_file sdcard_type }:dir create_dir_perms;
-allow vold { mnt_media_rw_file storage_file sdcard_type }:file create_file_perms;
+allow vold { mnt_media_rw_file storage_file sdcard_type fuse }:dir create_dir_perms;
+allow vold { mnt_media_rw_file storage_file sdcard_type fuse }:file create_file_perms;
 
 # Access to storage that backs emulated FUSE daemons for migration optimization
 allow vold media_rw_data_file:dir create_dir_perms;