# Compartmentalized domain specifically for mounting fuseblk filesystems.
# We need this to not grant fuseblkd_untrusted sys_admin permissions.
#
# Design: the one operation that needs CAP_SYS_ADMIN (mount/unmount of a
# fuseblk filesystem) is isolated in this small domain so that
# fuseblkd_untrusted itself can run without sys_admin. The neverallow rules
# at the bottom pin the only entry path: fuseblkd_untrusted -> fuseblkd_exec
# -> fuseblkd. No other domain may transition here, and dyntransition into
# this domain is forbidden for everyone.
type fuseblkd_exec, system_file_type, exec_type, file_type;
type fuseblkd, domain;
typeattribute fuseblkd coredomain;
# Required for mounting and unmounting. We can't minimize this permission,
# even though we only allow mount/unmount.
# sys_admin is a coarse capability (it covers far more than mount(2)), so the
# rest of this file keeps what the domain can reach as narrow as possible
# rather than relying on the capability being scoped.
allow fuseblkd self:global_capability_class_set sys_admin;
# Permissions for the fuseblk filesystem.
allow fuseblkd fuse_device:chr_file rw_file_perms;
# Only mount/unmount on the fuseblk filesystem type; no other filesystem
# permissions (e.g. relabel, getattr) are granted here.
allow fuseblkd fuseblk:filesystem { mount unmount };
# Use descriptors inherited from the parent domain — presumably the
# fuse_device descriptor opened by fuseblkd_untrusted and handed across the
# exec; confirm against fuseblkd_untrusted's policy.
allow fuseblkd fuseblkd_untrusted:fd use;
# Look through block devices to find the correct one.
# Only dir search on block_device is granted in this file; no open/read/write
# on the device nodes themselves is given here.
allow fuseblkd block_device:dir search;
# Permissions to mount on the media_rw directory for USB drives.
# mounton is limited to the stub directory type; fuseblkd cannot mount on
# arbitrary directories under mnt_media_rw_file.
allow fuseblkd mnt_media_rw_file:dir search;
allow fuseblkd mnt_media_rw_stub_file:dir mounton;
###
### neverallow rules
###
# Only allow entry from fuseblkd_untrusted, and only through the fuseblkd_exec binary.
# No domain other than fuseblkd_untrusted may transition into fuseblkd.
neverallow { domain -fuseblkd_untrusted } fuseblkd:process transition;
# No dynamic (setcon-style) transition into fuseblkd from any domain.
neverallow * fuseblkd:process dyntransition;
# fuseblkd_exec is the sole permitted entrypoint; every other file_type or
# fs_type file is rejected, so the domain cannot be entered via a different
# executable.
neverallow fuseblkd { file_type fs_type -fuseblkd_exec }:file entrypoint;