From a20802ddb87befbbd80d19e0a206aeb493528319 Mon Sep 17 00:00:00 2001
From: Daichi Hirono <hirono@google.com>
Date: Wed, 2 Dec 2015 13:43:46 +0900
Subject: [PATCH] Add new rules for appfuse.

The new rules are used to allow to mount FUSE file system for priv-app.

Change-Id: I5ce2d261be501e2b3fef09b7666f1e5d1cddbe52
---
 device.te | 2 +-
 domain.te | 19 +++++++++++++++++++
 priv_app.te | 4 ++++
 system_server.te | 4 ++++
 vold.te | 3 +++
 5 files changed, 31 insertions(+), 1 deletion(-)

diff --git a/device.te b/device.te
index 880212cd4..06006b26d 100644
--- a/device.te
+++ b/device.te
@@ -41,7 +41,7 @@ type urandom_device, dev_type, mlstrustedobject;
 type video_device, dev_type;
 type vcs_device, dev_type;
 type zero_device, dev_type, mlstrustedobject;
-type fuse_device, dev_type;
+type fuse_device, dev_type, mlstrustedobject;
 type iio_device, dev_type;
 type ion_device, dev_type, mlstrustedobject;
 type gps_device, dev_type;
diff --git a/domain.te b/domain.te
index 79fb9c6be..7b44fb5b1 100644
--- a/domain.te
+++ b/domain.te
@@ -517,3 +517,22 @@ neverallow domain domain:file { execute execute_no_trans entrypoint };
 # more specific label.
 # TODO: fix system_server and dumpstate
 neverallow { domain -init -system_server -dumpstate } debugfs:file no_rw_file_perms;
+
+neverallow {
+ domain
+ -init
+ -recovery
+ -sdcardd
+ -vold
+} fuse_device:chr_file open;
+neverallow {
+ domain
+ -dumpstate
+ -init
+ -priv_app
+ -recovery
+ -sdcardd
+ -system_server
+ -ueventd
+ -vold
+} fuse_device:chr_file *;
diff --git a/priv_app.te b/priv_app.te
index 2ff9a37f3..6617feb01 100644
--- a/priv_app.te
+++ b/priv_app.te
@@ -64,6 +64,10 @@ userdebug_or_eng(`
 # the system partition
 allow priv_app exec_type:file getattr;
 
+# For AppFuse.
+allow priv_app vold:fd use;
+allow priv_app fuse_device:chr_file { read write };
+
 ###
 ### neverallow rules
 ###
diff --git a/system_server.te b/system_server.te
index 2616c46ba..2a1d761c5 100644
--- a/system_server.te
+++ b/system_server.te
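Review bot: The `mlstrustedobject` attribute added to `fuse_device` in device.te needs a comment, because it removes the MLS constraints from the node and leaves only the type-enforcement rules and the new neverallows in domain.te to bound who may use a /dev/fuse descriptor. Presumably the attribute is required because the descriptor is opened by vold and then read and written by a priv_app running at a different level; that is inferred from the `vold:fd use` rules, not stated anywhere in the patch. Record it next to the type, e.g. `# mlstrustedobject: fd is opened by vold and passed to priv_app for AppFuse; access is bounded by the fuse_device neverallows in domain.te`.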
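Review bot: The second neverallow added to domain.te exempts dumpstate, priv_app, system_server and ueventd from `*`, so for those domains every permission other than `open` stays unconstrained, while the allow rules in this patch grant priv_app only `{ read write }` and system_server `{ read write ioctl }`. A third rule would pin the exemption to what is actually granted, for example `neverallow { priv_app system_server } fuse_device:chr_file ~{ read write ioctl };`, provided no rule outside this patch already gives those domains more on `dev_type` character devices. Unlike the debugfs rule just above, the two new rules carry no comment; `# Only these domains may open /dev/fuse; everyone else must be handed an already-open fd.` above the first one would state the intent.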
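Review bot: `# For AppFuse.` in priv_app.te does not say why `open` is withheld or where the descriptor comes from, and the same bare comment is repeated in the system_server.te and vold.te hunks. The rule covers every privileged app, so the comment should spell out the flow that the `vold:fd use` line implies, so that a later change does not quietly add `open` here: `# AppFuse: /dev/fuse is opened by vold and the fd is passed in; priv_app must never open it itself.` The system_server.te copy should also say why that domain needs `ioctl` when priv_app does not.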
@@ -434,6 +434,10 @@ userdebug_or_eng(`
 allow system_server method_trace_data_file:file { create w_file_perms };
 ')
 
+# For AppFuse.
+allow system_server vold:fd use;
+allow system_server fuse_device:chr_file { read write ioctl };
+
 ###
 ### Neverallow rules
 ###
diff --git a/vold.te b/vold.te
index c8952af02..35e502f3d 100644
--- a/vold.te
+++ b/vold.te
@@ -164,6 +164,9 @@ allow vold self:capability sys_nice;
 allow vold self:capability sys_chroot;
 allow vold storage_file:dir mounton;
 
+# For AppFuse.
+allow vold fuse_device:chr_file rw_file_perms;
+
 neverallow { domain -vold } vold_data_file:dir ~{ open create read getattr setattr search relabelto ioctl };
 neverallow { domain -vold } vold_data_file:notdevfile_class_set ~{ relabelto getattr };
 neverallow { domain -vold -init } vold_data_file:dir *;
-- 
GitLab