From 0c1848b170f1cce87351dfdda6ca404d86a45b56 Mon Sep 17 00:00:00 2001
From: Risan <risan@google.com>
Date: Tue, 30 Oct 2018 17:29:22 +0000
Subject: [PATCH] SELinux changes for AppFuse
We are moving AppFuse mount from system_server's mount namespace to vold. Hence, we could reduce the SELinux permissions given to system_server, in the expense of adding allow rules to vold and letting appdomain have access to vold's fd.
Bug: 110379912
Test: testOpenProxyFileDescriptor passes (after vold and system_server code changes)
Change-Id: I827a108bd118090542354360a8c90b295e6a0fef
---
 private/system_server.te | 3 +--
 public/app.te | 3 +++
 public/vold.te | 2 ++
 3 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/private/system_server.te b/private/system_server.te
index 1edea50aa..7c9e2f2c6 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -745,8 +745,7 @@ userdebug_or_eng(`
 # For AppFuse.
 allow system_server vold:fd use;
 allow system_server fuse_device:chr_file { read write ioctl getattr };
-allow system_server app_fuse_file:dir rw_dir_perms;
-allow system_server app_fuse_file:file { read write open getattr append };
+allow system_server app_fuse_file:file { read write getattr };
 # For configuring sdcardfs
 allow system_server configfs:dir { create_dir_perms };
diff --git a/public/app.te b/public/app.te
index 549930291..96b8c07f7 100644
--- a/public/app.te
+++ b/public/app.te
@@ -55,6 +55,9 @@ allow appdomain system_server:fifo_file rw_file_perms;
 allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
 allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
+# For AppFuse.
+allow appdomain vold:fd use;
+
 # Communication with other apps via fifos
 allow appdomain appdomain:fifo_file rw_file_perms;
diff --git a/public/vold.te b/public/vold.te
index 9091b69ad..236604fa0 100644
--- a/public/vold.te
+++ b/public/vold.te
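Review bot: In private/system_server.te the narrowed rule `allow system_server app_fuse_file:file { read write getattr };` drops `open` and all directory access with no comment saying why, so a later AVC denial could be "fixed" by adding them back. I would extend the existing comment to something like `# For AppFuse. The mount lives in vold; system_server only uses fds vold already opened, so no open or dir access.` If the restriction is meant to be permanent, a `neverallow system_server app_fuse_file:file open;` beside it would make the build enforce it. Whether that conflicts with rules elsewhere in the policy is not visible from this hunk.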
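Review bot: In public/app.te, `allow appdomain vold:fd use;` applies to every domain carrying the appdomain attribute and to any descriptor vold hands over, and the `# For AppFuse.` comment does not say what bounds it. The `fd use` check only lets a process receive and use a descriptor that vold created, while access to the object behind it is still checked against that object's own type. The effective boundary is therefore which descriptors vold passes out, and the comment should say so, e.g. `# For AppFuse: apps receive app_fuse_file fds opened by vold; vold must not pass any other fd to apps.` Whether all of appdomain needs the grant, rather than only the domains that actually use AppFuse, cannot be judged from the hunk and is worth confirming.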
@@ -229,6 +229,8 @@ allow vold fuse_device:chr_file rw_file_perms;
 allow vold fuse:filesystem { relabelfrom };
 allow vold app_fusefs:filesystem { relabelfrom relabelto };
 allow vold app_fusefs:filesystem { mount unmount };
+allow vold app_fuse_file:dir rw_dir_perms;
+allow vold app_fuse_file:file { read write open getattr append };
 # MoveTask.cpp executes cp and rm
 allow vold toolbox_exec:file rx_file_perms;
-- GitLab
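Review bot: The two rules added to public/vold.te copy the permission set removed from system_server unchanged, including directory write via `rw_dir_perms` and `append` on files, and nothing here shows that vold's open path needs them. vold is a highly privileged domain, so it is worth checking against audit logs whether `allow vold app_fuse_file:dir r_dir_perms;` and a file set without `append` are enough for the testOpenProxyFileDescriptor flow. The new lines also sit under the generic filesystem rules with no comment; a short `# For AppFuse: vold opens files on the app fuse mount and passes the fds on.` would tie them to this change.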