Merge "SELinux changes for AppFuse"

f0dc0936 · Treehugger Robot · Gerrit Code Review · 6a9a852d · 0c1848b1 · f0dc0936
Commit f0dc0936 authored 6 years ago by Treehugger Robot Committed by Gerrit Code Review 6 years ago
--- a/private/system_server.te
+++ b/private/system_server.te
@@ -745,8 +745,7 @@ userdebug_or_eng(`
 # For AppFuse.
 allow system_server vold:fd use;
 allow system_server fuse_device:chr_file { read write ioctl getattr };
-allow system_server app_fuse_file:dir rw_dir_perms;
-allow system_server app_fuse_file:file { read write open getattr append };
+allow system_server app_fuse_file:file { read write getattr };

 # For configuring sdcardfs
 allow system_server configfs:dir { create_dir_perms };

--- a/public/app.te
+++ b/public/app.te
@@ -55,6 +55,9 @@ allow appdomain system_server:fifo_file rw_file_perms;
 allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
 allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };

+# For AppFuse.
+allow appdomain vold:fd use;
+
 # Communication with other apps via fifos
 allow appdomain appdomain:fifo_file rw_file_perms;


--- a/public/vold.te
+++ b/public/vold.te
@@ -229,6 +229,8 @@ allow vold fuse_device:chr_file rw_file_perms;
 allow vold fuse:filesystem { relabelfrom };
 allow vold app_fusefs:filesystem { relabelfrom relabelto };
 allow vold app_fusefs:filesystem { mount unmount };
+allow vold app_fuse_file:dir rw_dir_perms;
+allow vold app_fuse_file:file { read write open getattr append };

 # MoveTask.cpp executes cp and rm
 allow vold toolbox_exec:file rx_file_perms;