# Compartmentalized domain specifically for mounting fuseblk filesystems.
# We need this so that fuseblkd_untrusted is not granted sys_admin permissions.
type fuseblkd_exec, system_file_type, exec_type, file_type;
type fuseblkd, domain;

typeattribute fuseblkd coredomain;

# Required for mounting and unmounting. We can't minimize this permission,
# even though we only allow mount/unmount.
allow fuseblkd self:global_capability_class_set sys_admin;

# Permissions for the fuseblk filesystem.
allow fuseblkd fuse_device:chr_file rw_file_perms;
allow fuseblkd fuseblk:filesystem { mount unmount };
allow fuseblkd fuseblkd_untrusted:fd use;

# Look through block devices to find the correct one.
allow fuseblkd block_device:dir search;

# Permissions to mount on the media_rw directory for USB drives.
allow fuseblkd mnt_media_rw_file:dir search;
allow fuseblkd mnt_media_rw_stub_file:dir mounton;

###
### neverallow rules
###

# Only allow entry from fuseblkd_untrusted, and only through fuseblkd_exec binary.
neverallow { domain -fuseblkd_untrusted } fuseblkd:process transition;
neverallow * fuseblkd:process dyntransition;
neverallow fuseblkd { file_type fs_type -fuseblkd_exec }:file entrypoint;