From 67ed4328eb4835f4404151ee4bbb93d0f4500354 Mon Sep 17 00:00:00 2001
From: Risan <risan@google.com>
Date: Thu, 25 Oct 2018 16:18:44 -0600
Subject: [PATCH] SELinux changes for AppFuse

We are moving the AppFuse mount from system_server's mount namespace to
vold. Hence, we can reduce the SELinux permissions granted to
system_server, at the expense of adding allow rules to vold and
letting appdomain use vold's fds.

Bug: 110379912
Test: testOpenProxyFileDescriptor passes (after vold and
system_server code changes)

Change-Id: I4731a8ec846c5cb84ec4b680d51938494e8ddd75
---
 private/system_server.te | 3 +--
 public/app.te            | 3 +++
 public/vold.te           | 2 ++
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/private/system_server.te b/private/system_server.te
index 42a89d421..8a0fb8eee 100644
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -740,8 +740,7 @@ userdebug_or_eng(`
 # For AppFuse.
 allow system_server vold:fd use;
 allow system_server fuse_device:chr_file { read write ioctl getattr };
-allow system_server app_fuse_file:dir rw_dir_perms;
-allow system_server app_fuse_file:file { read write open getattr append };
+allow system_server app_fuse_file:file { read write getattr };
 
 # For configuring sdcardfs
 allow system_server configfs:dir { create_dir_perms };
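Review bot: The retained `# For AppFuse.` comment no longer says why `open`, `append` and the `dir` rule were dropped while `vold:fd use` on the line above stays, so a later reader may reinstate `open` when a denial shows up. If the intent is that system_server only operates on app_fuse_file descriptors that vold opens and hands over (as the commit message suggests), state that on the comment, e.g. `# For AppFuse: system_server only reads/writes app_fuse_file fds opened by vold; it never opens them itself.` The `userdebug_or_eng(` block named in the hunk header starts before this hunk, so whether the rule sits inside it cannot be confirmed from here.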
diff --git a/public/app.te b/public/app.te
index 7f0d5548e..63fc38880 100644
--- a/public/app.te
+++ b/public/app.te
@@ -55,6 +55,9 @@ allow appdomain system_server:fifo_file rw_file_perms;
 allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
 allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
 
+# For AppFuse.
+allow appdomain vold:fd use;
+
 # Communication with other apps via fifos
 allow appdomain appdomain:fifo_file rw_file_perms;
 
diff --git a/public/vold.te b/public/vold.te
index 5e8c34bc7..350b6b783 100644
--- a/public/vold.te
+++ b/public/vold.te
@@ -223,6 +223,8 @@ allow vold fuse_device:chr_file rw_file_perms;
 allow vold fuse:filesystem { relabelfrom };
 allow vold app_fusefs:filesystem { relabelfrom relabelto };
 allow vold app_fusefs:filesystem { mount unmount };
+allow vold app_fuse_file:dir rw_dir_perms;
+allow vold app_fuse_file:file { read write open getattr append };
 
 # MoveTask.cpp executes cp and rm
 allow vold toolbox_exec:file rx_file_perms;
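Review bot: The two new app_fuse_file rules are appended to the fuse/app_fusefs block without the `# For AppFuse.` header that the equivalent rules carried in private/system_server.te, so the reason vold needs `dir rw_dir_perms` and `file { read write open getattr append }` on app_fuse_file is lost on this side. Adding `# For AppFuse: vold mounts the filesystem and opens app_fuse_file on behalf of system_server and apps.` above L58 would keep the two files consistent and explain why the broader set (including `open` and `append`) lives here now rather than in system_server.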
-- 
GitLab