49c0ec7a67
authfs_service is a binder service on microdroid. Upon a request by the client, the service will create the mount directory, execute authfs to mount the FUSE, and finally unmount and delete the mount directory. authfs currently requires more privileges than it should, but it's ok because the client owns the VM, and all input will be verified by signatures. But there is plan to keep the privileges isoated in the service (b/195554831). Bug: 194717985 Bug: 195554831 Test: Start the service from init, use a test executable to call the service API. Only observed denial from the test executable. Change-Id: Ie53aa9e2796433fc3182357039d0b7ba1c0848ef
14 lines
631 B
Text
14 lines
631 B
Text
allow fs_type self:filesystem associate;
|
|
allow cgroup tmpfs:filesystem associate;
|
|
allow cgroup_v2 tmpfs:filesystem associate;
|
|
allow cgroup_rc_file tmpfs:filesystem associate;
|
|
allow debugfs_type { debugfs debugfs_tracing debugfs_tracing_debug }:filesystem associate;
|
|
allow dev_type tmpfs:filesystem associate;
|
|
allow file_type labeledfs:filesystem associate;
|
|
allow file_type tmpfs:filesystem associate;
|
|
allow file_type rootfs:filesystem associate;
|
|
allow proc_net proc:filesystem associate;
|
|
allow sysfs_type sysfs:filesystem associate;
|
|
allow system_data_file tmpfs:filesystem associate;
|
|
|
|
type authfs_fuse, fs_type, contextmount_type;
|