microdroid/system/private/zipfuse.te - LeafOS-Project/android_system_sepolicy - Gitiles

 # zipfuse is a FUSE daemon running in the microdroid. It mounts
 # /dev/block/by-name/microdroid-apk whose content is from an apk file on
 # /mnt/apk so that the entries in the apk file are seen as regular files. See
 # packages/modules/Virtualization/zipfuse.

 type zipfuse, domain, coredomain;
 type zipfuse_exec, exec_type, file_type, system_file_type;

 # zipfuse is using bootstrap bionic
 use_bootstrap_libs(zipfuse)

 # allow basic rules to implement FUSE
 allow zipfuse fuse_device:chr_file rw_file_perms;
 allow zipfuse self:global_capability_class_set sys_admin;

 # allow access to /dev/vd* block device files and also access to the symlinks
 # /dev/block/by-name/*
 allow zipfuse block_device:dir r_dir_perms;
 allow zipfuse block_device:lnk_file r_file_perms;

 # /dev/block/by-name/microdroid-apk is mapped to /dev/block/dm-*
 allow zipfuse dm_device:blk_file r_file_perms;

 # allow mounting on /mnt/apk
 allow zipfuse tmpfs:dir mounton;

 # allow mounting with fscontext=u:object_r:zipfusefs:s0
 type zipfusefs, fs_type, contextmount_type;
 allow zipfuse fuse:filesystem relabelfrom;
 allow zipfuse zipfusefs:filesystem { mount relabelfrom relabelto };

 # allow mounting with context=u:object_r:system_file:s0 so that files provided
 # by zipfuse are treated the same as the other files in /system or /apex
 allow system_file zipfusefs:filesystem associate;

 # allow zipfuse to log to the kernel
 allow zipfuse kmsg_device:chr_file w_file_perms;

 # allow zipfuse to write kmsg_debug (stdio_to_kmsg) inherited from microdroid_manager.
 allow zipfuse kmsg_debug_device:chr_file w_file_perms;

 # allow zipfuse to handle extra apks
 r_dir_file(zipfuse, extra_apk_file)
 allow zipfuse extra_apk_file:dir mounton;

 # zipfuse is forked from microdroid_manager
 allow zipfuse microdroid_manager:fd use;

 # allow signalling when the mount is ready
 set_prop(zipfuse, microdroid_manager_zipfuse_prop)

 # Only microdroid_manager can run zipfuse
 neverallow { domain -microdroid_manager } zipfuse:process { transition dyntransition };

 # only zipfuse can mount on extra_apk_file
 neverallow { domain -zipfuse } extra_apk_file:dir mounton;
	# zipfuse is a FUSE daemon running in the microdroid. It mounts
	# /dev/block/by-name/microdroid-apk whose content is from an apk file on
	# /mnt/apk so that the entries in the apk file are seen as regular files. See
	# packages/modules/Virtualization/zipfuse.

	type zipfuse, domain, coredomain;
	type zipfuse_exec, exec_type, file_type, system_file_type;

	# zipfuse is using bootstrap bionic
	use_bootstrap_libs(zipfuse)

	# allow basic rules to implement FUSE
	allow zipfuse fuse_device:chr_file rw_file_perms;
	allow zipfuse self:global_capability_class_set sys_admin;

	# allow access to /dev/vd* block device files and also access to the symlinks
	# /dev/block/by-name/*
	allow zipfuse block_device:dir r_dir_perms;
	allow zipfuse block_device:lnk_file r_file_perms;

	# /dev/block/by-name/microdroid-apk is mapped to /dev/block/dm-*
	allow zipfuse dm_device:blk_file r_file_perms;

	# allow mounting on /mnt/apk
	allow zipfuse tmpfs:dir mounton;

	# allow mounting with fscontext=u:object_r:zipfusefs:s0
	type zipfusefs, fs_type, contextmount_type;
	allow zipfuse fuse:filesystem relabelfrom;
	allow zipfuse zipfusefs:filesystem { mount relabelfrom relabelto };

	# allow mounting with context=u:object_r:system_file:s0 so that files provided
	# by zipfuse are treated the same as the other files in /system or /apex
	allow system_file zipfusefs:filesystem associate;

	# allow zipfuse to log to the kernel
	allow zipfuse kmsg_device:chr_file w_file_perms;

	# allow zipfuse to write kmsg_debug (stdio_to_kmsg) inherited from microdroid_manager.
	allow zipfuse kmsg_debug_device:chr_file w_file_perms;

	# allow zipfuse to handle extra apks
	r_dir_file(zipfuse, extra_apk_file)
	allow zipfuse extra_apk_file:dir mounton;

	# zipfuse is forked from microdroid_manager
	allow zipfuse microdroid_manager:fd use;

	# allow signalling when the mount is ready
	set_prop(zipfuse, microdroid_manager_zipfuse_prop)

	# Only microdroid_manager can run zipfuse
	neverallow { domain -microdroid_manager } zipfuse:process { transition dyntransition };

	# only zipfuse can mount on extra_apk_file
	neverallow { domain -zipfuse } extra_apk_file:dir mounton;