platform_system_sepolicy/microdroid/system/private/zipfuse.te
Alan Stokes fb9911a9bb Fix zipfuse race condition
Allow zipfuse to signal to microdroid_manager via property when it is
ready.

Bug: 243513572
Test: atest MicrodroidTests (locally & via acloud)
Change-Id: Ifcf3d0924faa61ce87124a5ac55bd6a2b193cd99
2022-10-07 16:37:37 +01:00


# zipfuse is a FUSE daemon running in the microdroid. It reads the apk image
# exposed at /dev/block/by-name/microdroid-apk and presents the entries of
# that apk as regular files under its mount point, /mnt/apk. See
# packages/modules/Virtualization/zipfuse.
#
# Trust boundary summary (derived from the rules below):
#   - the backing block device is opened read-only (r_file_perms only);
#   - the files zipfuse serves are labelled system_file (associate rule), so
#     every other domain sees them with the same access as /system or /apex;
#   - only microdroid_manager may start zipfuse, and only zipfuse may mount
#     over extra_apk_file directories (neverallow rules at the end).
type zipfuse, domain, coredomain;
# The zipfuse binary itself is a system file, so it is executed from the
# integrity-protected system image rather than from a writable location.
type zipfuse_exec, exec_type, file_type, system_file_type;
# zipfuse is using bootstrap bionic
use_bootstrap_libs(zipfuse)
# allow basic rules to implement FUSE: read/write on the FUSE character
# device (fuse_device) carries the FUSE protocol between kernel and daemon.
allow zipfuse fuse_device:chr_file rw_file_perms;
# CAP_SYS_ADMIN is a broad capability; it is granted to zipfuse's own
# process only (self), presumably because the mount/relabel operations
# below require it. Do not widen this to other capability sets without a
# concrete need.
allow zipfuse self:global_capability_class_set sys_admin;
# allow access to /dev/vd* block device files and also access to the symlinks
# /dev/block/by-name/*
# Directory listing and symlink resolution only; no write permission on the
# block device hierarchy is granted here.
allow zipfuse block_device:dir r_dir_perms;
allow zipfuse block_device:lnk_file r_file_perms;
# /dev/block/by-name/microdroid-apk is mapped to /dev/block/dm-*
# Read-only: zipfuse cannot modify the backing image. NOTE(review): the dm-*
# mapping suggests the apk image is integrity-protected by a device-mapper
# target; confirm that against the microdroid boot flow before relying on
# the system_file labelling below.
allow zipfuse dm_device:blk_file r_file_perms;
# allow mounting on /mnt/apk (the mount point lives on a tmpfs)
allow zipfuse tmpfs:dir mounton;
# allow mounting with fscontext=u:object_r:zipfusefs:s0
# contextmount_type permits the context= mount option, which is what lets
# the mounted filesystem be relabelled from the generic fuse type.
type zipfusefs, fs_type, contextmount_type;
allow zipfuse fuse:filesystem relabelfrom;
allow zipfuse zipfusefs:filesystem { mount relabelfrom relabelto };
# allow mounting with context=u:object_r:system_file:s0 so that files provided
# by zipfuse are treated the same as the other files in /system or /apex
# Security note: this is the rule that turns apk content into system_file
# objects. It is only safe while the backing image is read-only and its
# integrity is established before zipfuse mounts it.
allow system_file zipfusefs:filesystem associate;
# allow zipfuse to log to the kernel (write-only on /dev/kmsg)
allow zipfuse kmsg_device:chr_file w_file_perms;
# allow zipfuse to handle extra apks: read the staged extra apk files and
# mount over their directories.
r_dir_file(zipfuse, extra_apk_file)
allow zipfuse extra_apk_file:dir mounton;
# zipfuse is forked from microdroid_manager, so it may use file descriptors
# inherited from that domain (use only, not a general grant).
allow zipfuse microdroid_manager:fd use;
# allow signalling when the mount is ready
# Only set_prop (write) is granted; microdroid_manager waits on this
# property instead of polling the mount point, which closes the startup race.
set_prop(zipfuse, microdroid_manager_zipfuse_prop)
# Only microdroid_manager can run zipfuse
# Both transition and dyntransition are covered, so no other domain can
# enter the zipfuse domain by exec or by setcon.
neverallow { domain -microdroid_manager } zipfuse:process { transition dyntransition };
# only zipfuse can mount on extra_apk_file
# Prevents any other domain from shadowing the extra apk directories with
# a filesystem of its choosing.
neverallow { domain -zipfuse } extra_apk_file:dir mounton;