tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Allow MediaProvider to host FUSE devices.

Browse source 
This change is part of enabling upcoming platform changes that are
described in the bug linked below.

Bug: 135341433
Test: m
Change-Id: I6ef499b0d5aa403f8eb6699649a201d8cc004bc5
This commit is contained in:
Zim 2019-08-07 19:00:15 +01:00
parent d1936ac945
commit b56cc6fb1f
2 changed files with 5 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
private/app_neverallows.te
View file

@ -137,8 +137,8 @@ neverallow { all_untrusted_apps -mediaprovider } {
')
}:dir_file_class_set { create unlink };
# No untrusted component should be touching /dev/fuse
neverallow all_untrusted_apps fuse_device:chr_file *;
# No untrusted component except mediaprovider should be touching /dev/fuse
neverallow { all_untrusted_apps -mediaprovider } fuse_device:chr_file *;
# Do not allow untrusted apps to directly open the tun_device
neverallow all_untrusted_apps tun_device:chr_file open;

3
private/mediaprovider.te
View file

@ -34,6 +34,9 @@ allow mediaprovider ringtone_file:file { getattr read write };
# MtpServer uses /dev/mtp_usb
allow mediaprovider mtp_device:chr_file rw_file_perms;
# Fuse daemon
allow mediaprovider fuse_device:chr_file { read write ioctl getattr };
# MtpServer uses /dev/usb-ffs/mtp
allow mediaprovider functionfs:dir search;
allow mediaprovider functionfs:file rw_file_perms;