platform_system_sepolicy/microdroid/system/private/zipfuse.te
Inseob Kim 28d0530c35 Remove obsolete TODO
Bug: 208722875
Test: N/A
Change-Id: I7ac440164140d7b95a1a7674e219bf9c2b1b83bd
2021-12-09 19:05:54 +09:00


# zipfuse is a FUSE daemon that runs inside microdroid. It takes the APK image
# exposed as /dev/block/by-name/microdroid-apk and mounts it on /mnt/apk so
# that each entry of the APK file is seen as a regular file. See
# packages/modules/Virtualization/zipfuse.
#
# Process domain of the daemon, declared with the domain and coredomain
# attributes.
type zipfuse, domain, coredomain;
# Type carried by the zipfuse executable (exec_type, system_file_type).
# The file_contexts entry that assigns this label and the rule that performs
# the transition into zipfuse are not among the rules shown here.
type zipfuse_exec, exec_type, file_type, system_file_type;
# zipfuse is using bootstrap bionic, so it has to list the bootstrap library
# directory and read, map and execute the libraries in it. No write permission
# is granted on these files.
allow zipfuse system_bootstrap_lib_file:dir r_dir_perms;
allow zipfuse system_bootstrap_lib_file:file { execute read open getattr map };
# allow basic rules to implement FUSE
# Read and write on the FUSE character device, the channel between a FUSE
# daemon and the kernel.
allow zipfuse fuse_device:chr_file rw_file_perms;
# CAP_SYS_ADMIN, presumably for the mount operations permitted further down.
# NOTE(review): this is a broad capability and the only one granted in this
# file. What keeps it contained is that entry into the zipfuse domain is
# limited by the neverallow on zipfuse:process at the end of the file.
allow zipfuse self:global_capability_class_set sys_admin;
# allow access to /dev/vd* block device files and also access to the symlinks
# /dev/block/by-name/*
# Only directory traversal and symlink reads are granted on block_device.
# No rule in this file grants block_device:blk_file, so these two rules alone
# do not let zipfuse open a generically labeled block node.
allow zipfuse block_device:dir r_dir_perms;
allow zipfuse block_device:lnk_file r_file_perms;
# /dev/block/by-name/microdroid-apk is mapped to /dev/block/dm-*
# Read-only permission set: no write access to the device-mapper node.
# NOTE(review): the grant is per type, so it covers every node labeled
# dm_device, not only the one backing the APK. Confirm which dm devices exist
# in the VM and that read access to all of them is acceptable.
allow zipfuse dm_device:blk_file r_file_perms;
# allow mounting on /mnt/apk
# NOTE(review): the target here is the generic tmpfs type, so the rule is not
# limited to /mnt/apk by label. Presumably /mnt/apk is a tmpfs directory with
# the default label. Confirm, and consider a dedicated type for the mount point.
allow zipfuse tmpfs:dir mounton;
# allow mounting with fscontext=u:object_r:zipfusefs:s0
# zipfusefs is the label of the mounted filesystem itself. contextmount_type
# marks it as a type that is set through mount options.
type zipfusefs, fs_type, contextmount_type;
# relabelfrom on the default fuse filesystem label plus relabelto on zipfusefs
# are the checks for replacing the filesystem label at mount time.
allow zipfuse fuse:filesystem relabelfrom;
allow zipfuse zipfusefs:filesystem { mount relabelfrom relabelto };
# allow mounting with context=u:object_r:system_file:s0 so that files provided
# by zipfuse are treated the same as the other files in /system or /apex
# The source of this rule is the file type system_file, not a domain: it lets
# objects labeled system_file reside on a filesystem labeled zipfusefs.
# NOTE(review): as a result every APK entry is covered by whatever rules other
# domains already hold on system_file. Whether the APK content is verified
# before it is served cannot be seen from this policy. Confirm where that
# integrity check happens.
allow system_file zipfusefs:filesystem associate;
# allow zipfuse to log to the kernel
# Write-only permission set: reading the kernel log is not granted.
allow zipfuse kmsg_device:chr_file w_file_perms;
# allow zipfuse to handle extra apks
# Read-only access to directories, files and symlinks labeled extra_apk_file,
# plus permission to use such a directory as a mount point.
r_dir_file(zipfuse, extra_apk_file)
allow zipfuse extra_apk_file:dir mounton;
# zipfuse is forked from microdroid_manager, so it needs to use the file
# descriptors it inherits from that process.
allow zipfuse microdroid_manager:fd use;
# Only microdroid_manager can run zipfuse
# neverallow is a build-time assertion: the policy fails to compile if any
# allow rule lets another domain enter zipfuse, whether by exec transition or
# by dynamic transition. The allow rules that give microdroid_manager this
# transition are not in this file, presumably in the microdroid_manager policy.
neverallow { domain -microdroid_manager } zipfuse:process { transition dyntransition };
# only zipfuse can mount on extra_apk_file
# NOTE(review): this file has no matching assertion for zipfusefs:filesystem
# mount or for mounton of tmpfs directories. Consider whether those should be
# pinned to zipfuse in the same way.
neverallow { domain -zipfuse } extra_apk_file:dir mounton;