1a0c3f88e0
This cl removes SELinux policies related to authfs_service / servicemanager communication as authfs_service now uses rpc binder instead of servicemanager. Bug: 257260848 Test: atest ComposHostTestCases Change-Id: I3e3de94a837c95e8f486438cc6a76fea39ffc6f3
29 lines
1.1 KiB
Text
29 lines
1.1 KiB
Text
# authfs_service is a binder service running on microdroid. It serves the
|
|
# client's request and manages the mount/unmount of individual authfs instances
|
|
# (a FUSE based filesystem). The service then can pass file descriptor on authfs
|
|
# to the client for remote file access.
|
|
|
|
type authfs_service, domain, coredomain;
|
|
type authfs_service_exec, exec_type, file_type, system_file_type;
|
|
|
|
# Allow domain transition from init.
|
|
init_daemon_domain(authfs_service)
|
|
|
|
# Allow domain transition into authfs.
|
|
domain_auto_trans(authfs_service, authfs_exec, authfs)
|
|
|
|
# Allow mounting the FUSE filesystem.
|
|
allow authfs_service self:global_capability_class_set sys_admin;
|
|
|
|
# Allow creating/deleting mount directories.
|
|
allow authfs_service authfs_data_file:dir create_dir_perms;
|
|
|
|
# Allow opening a file from the FUSE mount.
|
|
# Note: authfs_service doesn't really need to read and write the file, but the
|
|
# check seems to happen on open anyway.
|
|
allow authfs_service authfs_fuse:dir search;
|
|
allow authfs_service authfs_fuse:file { open read write };
|
|
|
|
# Allow killing the authfs process and unmount.
|
|
allow authfs_service authfs:process sigkill;
|
|
allow authfs_service authfs_fuse:filesystem unmount;
|