Add sepolicy for FUSE control filesystem.

To allow vold to abort it.

Bug: 153411204
Test: vold can access it
Merged-In: I334eaf3459905c27d614db8eda18c27e62bea5fa
Change-Id: I334eaf3459905c27d614db8eda18c27e62bea5fa

prebuilts/api/30.0/private/compat/29.0/29.0.ignore.cil

@@ -45,6 +45,7 @@
     exported_camera_prop
     file_integrity_service
     fwk_automotive_display_hwservice
+    fusectlfs
     gmscore_app
     hal_can_bus_hwservice
     hal_can_controller_hwservice

prebuilts/api/30.0/private/genfs_contexts

@@ -98,6 +98,8 @@ genfscon proc /vmallocinfo u:object_r:proc_vmallocinfo:s0
 genfscon proc /vmstat u:object_r:proc_vmstat:s0
 genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
 
+genfscon fusectl / u:object_r:fusectlfs:s0
+
 # selinuxfs booleans can be individually labeled.
 genfscon selinuxfs / u:object_r:selinuxfs:s0
 genfscon cgroup / u:object_r:cgroup:s0

prebuilts/api/30.0/public/domain.te

@@ -1295,6 +1295,9 @@ neverallow { domain -init -vendor_init -dumpstate } debugfs:{ file lnk_file } no
 # Do not allow executable files in debugfs.
 neverallow domain debugfs_type:file { execute execute_no_trans };
 
+# Don't allow access to the FUSE control filesystem, except to vold and init's
+neverallow { domain -vold -init -vendor_init } fusectlfs:file no_rw_file_perms;
+
 # Profiles contain untrusted data and profman parses that. We should only run
 # in from installd forked processes.
 neverallow {

prebuilts/api/30.0/public/file.te

@@ -75,6 +75,7 @@ type proc_vmallocinfo, fs_type, proc_type;
 type proc_vmstat, fs_type, proc_type;
 type proc_zoneinfo, fs_type, proc_type;
 type selinuxfs, fs_type, mlstrustedobject;
+type fusectlfs, fs_type;
 type cgroup, fs_type, mlstrustedobject;
 type cgroup_bpf, fs_type;
 type sysfs, fs_type, sysfs_type, mlstrustedobject;

prebuilts/api/30.0/public/vold.te

@@ -202,6 +202,10 @@ allow vold asec_public_file:file { relabelto setattr };
 allow vold unlabeled:dir { r_dir_perms setattr relabelfrom };
 allow vold unlabeled:file { r_file_perms setattr relabelfrom };
 
+# Access to FUSE control filesystem to hard-abort FUSE mounts
+allow vold fusectlfs:file rw_file_perms;
+allow vold fusectlfs:dir rw_dir_perms;
+
 # Handle wake locks (used for device encryption)
 wakelock_use(vold)
 

private/compat/29.0/29.0.ignore.cil

@@ -46,6 +46,7 @@
     fastbootd_protocol_prop
     file_integrity_service
     fwk_automotive_display_hwservice
+    fusectlfs
     gmscore_app
     gnss_device
     hal_can_bus_hwservice

private/genfs_contexts

@@ -98,6 +98,8 @@ genfscon proc /vmallocinfo u:object_r:proc_vmallocinfo:s0
 genfscon proc /vmstat u:object_r:proc_vmstat:s0
 genfscon proc /zoneinfo u:object_r:proc_zoneinfo:s0
 
+genfscon fusectl / u:object_r:fusectlfs:s0
+
 # selinuxfs booleans can be individually labeled.
 genfscon selinuxfs / u:object_r:selinuxfs:s0
 genfscon cgroup / u:object_r:cgroup:s0

public/domain.te

@@ -1305,6 +1305,9 @@ neverallow { domain -init -vendor_init -dumpstate } debugfs:{ file lnk_file } no
 # Do not allow executable files in debugfs.
 neverallow domain debugfs_type:file { execute execute_no_trans };
 
+# Don't allow access to the FUSE control filesystem, except to vold and init's
+neverallow { domain -vold -init -vendor_init } fusectlfs:file no_rw_file_perms;
+
 # Profiles contain untrusted data and profman parses that. We should only run
 # in from installd forked processes.
 neverallow {

public/file.te

@@ -75,6 +75,7 @@ type proc_vmallocinfo, fs_type, proc_type;
 type proc_vmstat, fs_type, proc_type;
 type proc_zoneinfo, fs_type, proc_type;
 type selinuxfs, fs_type, mlstrustedobject;
+type fusectlfs, fs_type;
 type cgroup, fs_type, mlstrustedobject;
 type cgroup_bpf, fs_type;
 type sysfs, fs_type, sysfs_type, mlstrustedobject;

public/vold.te

@@ -202,6 +202,10 @@ allow vold asec_public_file:file { relabelto setattr };
 allow vold unlabeled:dir { r_dir_perms setattr relabelfrom };
 allow vold unlabeled:file { r_file_perms setattr relabelfrom };
 
+# Access to FUSE control filesystem to hard-abort FUSE mounts
+allow vold fusectlfs:file rw_file_perms;
+allow vold fusectlfs:dir rw_dir_perms;
+
 # Handle wake locks (used for device encryption)
 wakelock_use(vold)