5f7c02328c
CAP_SYS_ADMIN is required to mount a filesystem (currently in authfs, a child process of authfs_service). It seems the parent also needs to be allowed. Bug: 194474784 Test: Use the service (from compsvc), no longer seeing the denials Change-Id: I122734ee9f11899af4d7b647bc3049e4dbdad09e
# authfs is a FUSE-based filesystem to support "remote" file access normally
# over vsock, backed by a file server backend on Android.
# Domain type for authfs processes. It carries the "domain" and "coredomain"
# attributes, so any rule written against those attributes also applies here.
type authfs, domain, coredomain;
# File type for the authfs executable (exec_type, file_type, system_file_type).
# NOTE(review): no transition into the authfs domain is defined in this file as
# shown; presumably it lives with the parent's policy -- confirm.
type authfs_exec, exec_type, file_type, system_file_type;
# authfs may create and use its own vsock sockets (the transport named in the
# header comment), with the create_socket_perms_no_ioctl permission set.
# This rule does not constrain which peer the socket talks to; any check of the
# remote endpoint or of the data it returns has to happen inside authfs itself.
allow authfs self:vsock_socket create_socket_perms_no_ioctl;
# Allow basic rules to implement FUSE.
# TODO(195554831): Move the privilege to authfs_service
# Read/write access to the FUSE character device (type fuse_device), which the
# FUSE implementation needs in order to exchange requests with the kernel.
allow authfs fuse_device:chr_file rw_file_perms;
# Grants CAP_SYS_ADMIN to authfs. Per the change description this is needed
# because the mount is performed inside authfs itself.
# NOTE(review): sys_admin is a very broad capability; in this domain its reach is
# bounded only by the other SELinux rules (e.g. the filesystem and mounton rules
# in this file). Keep it the only capability granted here and drop it once
# TODO(195554831) moves the mount to authfs_service.
allow authfs self:global_capability_class_set sys_admin;
# Allow mounting authfs.
# TODO(195554831): Move the privilege to authfs_service.
# Allows relabeling a filesystem away from the generic "fuse" label.
# Presumably paired with the relabelto on authfs_fuse below so the mount ends up
# labeled authfs_fuse rather than fuse -- confirm against the mount options used.
allow authfs fuse:filesystem relabelfrom;
# authfs may mount a filesystem labeled authfs_fuse and relabel to/from that
# label. No other filesystem type is granted "mount" in this file, which keeps
# the sys_admin capability from being usable for arbitrary mounts by this domain.
allow authfs authfs_fuse:filesystem { mount relabelfrom relabelto };
# The mount point must be a directory labeled authfs_data_file: "mounton" is
# granted only for that type, and "search" lets authfs traverse to it.
# Directories with any other label cannot be mounted over by this domain.
allow authfs authfs_data_file:dir { mounton search };
# TODO(195568812): Don't pass FD 0,1,2 unnecessarily.
# Lets authfs use file descriptors that were opened by authfs_service (the TODO
# above indicates this currently covers FDs 0, 1 and 2).
# "fd use" only covers the descriptor itself; access to the object behind each
# descriptor is still checked against that object's own type.
allow authfs authfs_service:fd use;