SELinux changes for AppFuse
We are moving AppFuse mount from system_server's mount namespace to vold. Hence, we could reduce the SELinux permissions given to system_server, at the expense of adding allow rules to vold and letting appdomain have access to vold's fd. Bug: 110379912 Test: testOpenProxyFileDescriptor passes (after vold and system_server code changes) Change-Id: I4731a8ec846c5cb84ec4b680d51938494e8ddd75
parent
3eae9de2e8
commit
67ed4328eb
@ -740,8 +740,7 @@ userdebug_or_eng(`
|
||||
# For AppFuse.
|
||||
allow system_server vold:fd use;
|
||||
allow system_server fuse_device:chr_file { read write ioctl getattr };
|
||||
allow system_server app_fuse_file:dir rw_dir_perms;
|
||||
allow system_server app_fuse_file:file { read write open getattr append };
|
||||
allow system_server app_fuse_file:file { read write getattr };
|
||||
|
||||
# For configuring sdcardfs
|
||||
allow system_server configfs:dir { create_dir_perms };
|
||||
|
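Review bot: Nothing in this section stops the access removed from system_server from being granted again by a later change. The app_fuse_file rule that remains is `{ read write getattr }` on files, with no `open` and no directory access, so system_server can only act on descriptors it is handed. If no other rule in the policy needs it, a compile-time assertion such as `neverallow system_server app_fuse_file:file open;` under the `# For AppFuse.` comment would pin that reduction down. The +/- markers are missing on this page, so which lines were removed is inferred from the hunk counts.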
@ -55,6 +55,9 @@ allow appdomain system_server:fifo_file rw_file_perms;
|
||||
allow appdomain system_server:unix_stream_socket { read write setopt getattr getopt shutdown };
|
||||
allow appdomain system_server:tcp_socket { read write getattr getopt shutdown };
|
||||
|
||||
# For AppFuse.
|
||||
allow appdomain vold:fd use;
|
||||
|
||||
# Communication with other apps via fifos
|
||||
allow appdomain appdomain:fifo_file rw_file_perms;
|
||||
|
||||
|
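Review bot: `allow appdomain vold:fd use;` covers every domain that carries the appdomain attribute, which is probably wider than the set of apps that will ever hold an AppFuse descriptor. The fd `use` permission only lets a process receive and keep a descriptor that vold opened; access to the object behind it is still checked against that object's type, so the exposure depends on what else vold could pass on. The comment should state this, for example `# For AppFuse: the mount now lives in vold, so apps receive fds opened by vold.` It is also worth confirming whether sandboxed domains such as isolated_app need the rule or could be subtracted from the source set.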
@ -223,6 +223,8 @@ allow vold fuse_device:chr_file rw_file_perms;
|
||||
allow vold fuse:filesystem { relabelfrom };
|
||||
allow vold app_fusefs:filesystem { relabelfrom relabelto };
|
||||
allow vold app_fusefs:filesystem { mount unmount };
|
||||
allow vold app_fuse_file:dir rw_dir_perms;
|
||||
allow vold app_fuse_file:file { read write open getattr append };
|
||||
|
||||
# MoveTask.cpp executes cp and rm
|
||||
allow vold toolbox_exec:file rx_file_perms;
|
||||
|
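Review bot: The two app_fuse_file rules for vold have no comment, unlike the `# For AppFuse.` lines in the other two sections, and they sit directly under the filesystem mount rules where their purpose is not obvious. A line such as `# For AppFuse: vold owns the mount and (presumably) opens files on it for system_server.` above `allow vold app_fuse_file:dir rw_dir_perms;` would help. vold also gains `open` and `append` on files whose contents are served by a FUSE daemon rather than a kernel filesystem. If vold only opens these files to pass the descriptor on, a note saying it must not read or parse their contents would guide later reviewers. Which lines are new is inferred from the hunk counts.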