tequilaOS/platform_system_sepolicy
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
platform_system_sepolicy/microdroid/system/private/zipfuse.te
Inseob Kim e987dcff74 Allow apkdmverity/zipfuse to write to kmsg_debug 
..which is inherited from microdroid_manager.

Bug: 258760809
Test: atest MicrodroidHostTestCases MicrodroidTestApp
Change-Id: I839a0e6b4702e811db58b0cc44dd3b599c10a0b8
2022-11-22 10:13:48 +09:00

56 lines
2.1 KiB
Text
Raw Blame History

# zipfuse is a FUSE daemon running in the microdroid. It mounts
# /dev/block/by-name/microdroid-apk whose content is from an apk file on
# /mnt/apk so that the entries in the apk file are seen as regular files. See
# packages/modules/Virtualization/zipfuse.
type zipfuse, domain, coredomain;
type zipfuse_exec, exec_type, file_type, system_file_type;
# zipfuse is using bootstrap bionic
use_bootstrap_libs(zipfuse)
# allow basic rules to implement FUSE
allow zipfuse fuse_device:chr_file rw_file_perms;
allow zipfuse self:global_capability_class_set sys_admin;
# allow access to /dev/vd* block device files and also access to the symlinks
# /dev/block/by-name/*
allow zipfuse block_device:dir r_dir_perms;
allow zipfuse block_device:lnk_file r_file_perms;
# /dev/block/by-name/microdroid-apk is mapped to /dev/block/dm-*
allow zipfuse dm_device:blk_file r_file_perms;
# allow mounting on /mnt/apk
allow zipfuse tmpfs:dir mounton;
# allow mounting with fscontext=u:object_r:zipfusefs:s0
type zipfusefs, fs_type, contextmount_type;
allow zipfuse fuse:filesystem relabelfrom;
allow zipfuse zipfusefs:filesystem { mount relabelfrom relabelto };
# allow mounting with context=u:object_r:system_file:s0 so that files provided
# by zipfuse are treated the same as the other files in /system or /apex
allow system_file zipfusefs:filesystem associate;
# allow zipfuse to log to the kernel
allow zipfuse kmsg_device:chr_file w_file_perms;
# allow zipfuse to write kmsg_debug (stdio_to_kmsg) inherited from microdroid_manager.
allow zipfuse kmsg_debug_device:chr_file w_file_perms;
# allow zipfuse to handle extra apks
r_dir_file(zipfuse, extra_apk_file)
allow zipfuse extra_apk_file:dir mounton;
# zipfuse is forked from microdroid_manager
allow zipfuse microdroid_manager:fd use;
# allow signalling when the mount is ready
set_prop(zipfuse, microdroid_manager_zipfuse_prop)
# Only microdroid_manager can run zipfuse
neverallow { domain -microdroid_manager } zipfuse:process { transition dyntransition };
# only zipfuse can mount on extra_apk_file
neverallow { domain -zipfuse } extra_apk_file:dir mounton;
Reference in a new issue View git blame Copy permalink